Privacy Policy

Introduction

This Privacy Policy describes how InvoiceFlow ("we," "our," or "us") collects, uses, and protects your information when you use our self-hosted invoicing and proposal management application. Since InvoiceFlow is designed as a self-hosted solution, you maintain full control over your data and its storage.

Data Collection and Storage

Self-Hosted Nature

InvoiceFlow is a self-hosted application, which means:

• All your data is stored locally on your own servers or hosting infrastructure
• We do not have access to your business data, customer information, or financial records
• You are the data controller and responsible for your data's security and compliance
• No data is transmitted to our servers or third-party services (unless you explicitly configure integrations)

Information We Don't Collect

Because InvoiceFlow is self-hosted, we do not collect:

• Personal information about you or your customers
• Business data, proposals, invoices, or financial information
• Usage analytics or telemetry data
• Login credentials or authentication tokens
• Any data stored in your local SQLite database

Data You Control

Your InvoiceFlow installation stores the following data locally:

• User Account Information: Username, email, encrypted passwords
• Customer Data: Company names, contact information, billing addresses
• Business Data: Services, proposals, invoices, payment records
• Application Settings: Preferences, configurations, and customizations

Data Security

Security Measures

InvoiceFlow implements several security measures to protect your data:

• Password Security: All passwords are hashed using bcrypt with 12 salt rounds
• Authentication: JWT tokens with HTTP-only cookies for secure session management
• Input Validation: All user inputs are validated and sanitized
• SQL Injection Protection: Parameterized queries prevent database attacks
• Data Isolation: Users can only access their own data

Your Responsibilities

As the operator of your InvoiceFlow installation, you are responsible for:

• Securing your server and hosting environment
• Implementing appropriate backup procedures
• Keeping the application updated with security patches
• Managing user access and permissions
• Complying with applicable data protection regulations

Third-Party Services

External Integrations

InvoiceFlow may support optional integrations with third-party services. If you choose to enable these integrations:

• You are responsible for reviewing the privacy policies of those services
• Data sharing is entirely under your control and configuration
• We recommend implementing appropriate data protection measures
• You can disable integrations at any time

Cookies and Local Storage

InvoiceFlow uses cookies and local storage for:

• Authentication: Secure JWT tokens stored in HTTP-only cookies
• User Preferences: Application settings and customizations
• Session Management: Maintaining your login state

All cookies are essential for the application's functionality and are not used for tracking or analytics.

Data Rights and Control

Your Rights

Since you control your InvoiceFlow installation, you have complete rights over your data:

• Access: Full access to all data in your database
• Modification: Ability to update or correct any information
• Deletion: Complete control over data retention and deletion
• Portability: Export data in standard formats (SQL, CSV, JSON)
• Backup: Create backups and copies of your data

Data Retention

You control how long data is retained in your InvoiceFlow installation. Consider implementing appropriate data retention policies based on:

• Business requirements and accounting practices
• Legal and regulatory compliance obligations
• Customer preferences and consent
• Storage capacity and performance considerations

Compliance and Regulations

GDPR Compliance

If you operate in the European Union or process EU residents' data:

• You are the data controller for your customer data
• Ensure you have appropriate legal basis for processing
• Implement privacy by design principles
• Provide privacy notices to your customers
• Honor data subject rights (access, rectification, erasure, etc.)

Other Regulations

Depending on your location and business, you may need to comply with:

• CCPA (California Consumer Privacy Act)
• PIPEDA (Personal Information Protection and Electronic Documents Act - Canada)
• Industry-specific regulations (HIPAA, PCI DSS, etc.)
• Local data protection laws

Open Source Considerations

InvoiceFlow is open source software, which means:

• The source code is publicly available for review
• You can audit the code for security and privacy practices
• You can modify the software to meet your specific requirements
• Community contributions help improve security and functionality

Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in:

• Application features and functionality
• Legal and regulatory requirements
• Industry best practices
• Community feedback and recommendations

Updated policies will be included in new releases and documented in our changelog.

Contact Information

For questions about this Privacy Policy or InvoiceFlow's privacy practices:

• Review our FAQ section
• Check our blog for updates and insights
• Open an issue on our GitHub repository
• Contact the development team through official channels

Disclaimer

This Privacy Policy applies to the InvoiceFlow application itself. As a self-hosted solution, you are responsible for:

• Implementing appropriate privacy practices for your business
• Complying with applicable laws and regulations
• Protecting customer data and maintaining security
• Creating your own privacy policies for customer-facing activities