Privacy Policy

Last updated: June 9, 2026

This Privacy Policy explains how we collect, use, share, and protect personal data when you use Invovate and its website, API, and related services. We are committed to handling your data lawfully, fairly, and transparently, in line with the EU General Data Protection Regulation (GDPR), the UK GDPR, and other applicable data protection laws.

1. Who We Are / Data Controller

Invovate is a subscription developer API platform for developers and technical teams. Invovate is operated by PolarCurve LLC, Wyoming, USA, which is the data controller responsible for the personal data described in this policy.

You can reach us at any time:

PolarCurve LLC
c/o Registered Agents Inc
30 N Gould St, Ste R
Sheridan, WY 82801
United States
Email: hello@invovate.com

2. Scope of This Policy

This policy applies to personal data we process when you:

  • Visit or interact with https://invovate.com and its subpages;
  • Create or manage an Invovate account or subscription;
  • Use the Invovate API or the web-based invoice generator;
  • Contact us for support, or post a comment on the site.

It does not cover third-party websites or services that may link to or from Invovate; those have their own privacy policies. Where we process personal data on behalf of a business customer, see Section 10 (Data Processing for Business Customers).

3. Information We Collect

Depending on how you use Invovate, we may collect the following categories of personal data:

  • Account details. Your email address and a securely hashed password when you register, plus subscription tier and API key identifiers.
  • Usage and server logs. Records of your requests to our site and API, including the date and time, endpoint used, request status, and your IP address.
  • Device and browser information. Browser type, operating system, and similar technical details collected automatically when you access the site.
  • Cookies and analytics. Information collected via cookies and analytics tools (see Section 11 and our Cookie Policy). Non-essential cookies are set only after you consent. Our analytics tool is Google Analytics, loaded via Google Tag Manager and run under Google Consent Mode (off until you consent). When enabled, it processes a randomly assigned client ID, an IP-derived approximate location (city/country level), device and browser details, and page-interaction events. No invoice or API content is ever sent to Google.
  • Payment data. Payments for paid plans are processed by Stripe. Invovate does not store full card numbers; we receive limited billing metadata (such as subscription status, last four digits, card brand, and billing country) needed to manage your subscription.
  • Invoice content. The business and client details, line items, and amounts you enter to generate invoices. Much of this generation happens client-side in your browser; invoice content is only sent to and stored on our servers when you use features that require it, such as the shareable hosted link or QR code.
  • Support and contact messages. The content of any messages you send us, along with the contact details you provide.
  • Comments. If you post a comment on the site, we collect the name you provide, the comment text, and associated metadata (such as a hashed IP address) used for spam and abuse prevention.

4. How We Use Your Information

We use the personal data we collect to:

  • Provide, operate, and maintain the Invovate website, API, and invoice generator;
  • Create and manage your account and subscription, and authenticate your API requests;
  • Process payments and send billing and service-related communications;
  • Generate, host, and (where you request it) share invoices you create;
  • Enforce rate limits, monitor for abuse, and keep the service secure and reliable;
  • Respond to your support requests and moderate comments;
  • Understand how the service is used and improve our features and performance;
  • Comply with our legal, tax, and accounting obligations.

We never sell your personal data, and we do not use your invoice content for advertising or to train machine-learning models.

5. Legal Bases for Processing (GDPR Art. 6)

Where the GDPR or UK GDPR applies, we rely on the following legal bases:

  • Consent (Art. 6(1)(a)) — for analytics and marketing cookies and for posting comments. You can withdraw consent at any time.
  • Performance of a contract (Art. 6(1)(b)) — to provide the API and subscription you have signed up for, including account management, invoice generation, and billing.
  • Legitimate interests (Art. 6(1)(f)) — to keep the service secure, prevent abuse and fraud, and improve our product, balanced against your rights and freedoms.
  • Legal obligation (Art. 6(1)(c)) — to meet tax and accounting requirements and to respond to lawful requests from authorities.

6. How We Share Information / Sub-Processors

We share only the minimum data each third party needs for its stated purpose. Each maintains its own privacy policy. The role each plays differs, and we describe it accurately below.

Service providers / processors (process data on our instructions)

These providers process personal data on our behalf and on our instructions, under data-processing terms:

  • Cloudflare, Inc. — hosting, edge compute, KV storage (including encrypted storage for shareable hosted-link invoices), and Turnstile bot-protection. Processes request traffic and any invoice you choose to share via link. Cloudflare Privacy Policy
  • Resend (Plus Five Five, Inc.) — transactional email delivery (such as verification and account notifications). Receives your email address and message contents; never invoice data. Resend Privacy Policy

Independent controllers (determine their own processing for their own cookies/services)

These providers act as independent controllers for the data they collect through their own cookies and services, under their own privacy policies:

  • Google (Google LLC) — Analytics (aggregated usage analytics such as page views, approximate location, and device type; no invoice content is sent) and AdSense / DoubleClick (advertising on free pages, using advertising cookies set after consent). Google Privacy Policy
  • Stripe, Inc. — payment processing for paid plans. Stripe receives billing details when you subscribe and determines its own processing of that data; we never store full card numbers. Stripe Privacy Policy

We may also disclose personal data where required by law, to enforce our terms, or to protect the rights, safety, and security of Invovate, our users, or the public.

7. International Data Transfers

PolarCurve LLC is based in the United States, and our service providers may process data in the US and other countries. As a result, your personal data may be transferred to and processed outside your home country, including outside the European Economic Area (EEA) and the United Kingdom.

Where we transfer personal data from the EEA or UK to a country that has not received an adequacy decision, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, together with additional technical and organisational measures.

8. Data Retention

We keep personal data only for as long as necessary for the purposes described in this policy, and to meet our legal obligations:

  • Account data is retained until you delete your account, after which it is removed (see Section 9).
  • Support and contact messages are retained for approximately 24 months so we can handle follow-ups and maintain a support history.
  • Comments are retained until you delete them or they are removed in moderation.
  • Billing and tax records are retained for approximately 7 years to meet our legal, tax, and accounting obligations.
  • Server-log IP addresses and browser user-agents: we anonymise these after approximately 90 days, retaining only aggregate, non-identifying information thereafter.
  • Shareable hosted-link invoices and their stored snapshots expire and are permanently deleted 7 days after creation (sooner if you revoke the link).
  • Backups are kept on a rolling basis and are overwritten within approximately 30 days.

9. Your Privacy Rights

Subject to applicable law, you have the right to:

  • Access the personal data we hold about you;
  • Rectify inaccurate or incomplete data;
  • Erase your data ("right to be forgotten");
  • Restrict processing in certain circumstances;
  • Data portability — receive your data in a structured, machine-readable format;
  • Object to processing based on legitimate interests or for direct marketing;
  • Withdraw consent at any time, without affecting processing carried out before withdrawal.

You can delete your account and revoke shareable links directly from your dashboard. To exercise any other right, email us at hello@invovate.com and we will respond within the timeframe required by law.

If you are in the EEA or UK, you also have the right to lodge a complaint with your local data protection supervisory authority.

10. Data Processing for Business Customers

When you use Invovate to process personal data about your own customers or contacts (for example, the client details you enter into invoices), you are the controller of that data and Invovate acts as your processor, processing it on your behalf and on your instructions.

A Data Processing Agreement (DPA) is available on request — email hello@invovate.com and we will provide a DPA before processing personal data on your behalf.

11. Cookies & Tracking

We use a limited set of cookies and similar technologies. Essential cookies are necessary for the site to function; non-essential cookies (such as analytics and advertising cookies) are set only after you give consent. For full details and your choices, see our Cookie Policy.

12. Children's Privacy

Invovate is not directed to children under 16, and we do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us at hello@invovate.com and we will promptly delete it.

13. Security

We implement appropriate technical and organisational measures to protect your personal data, including HTTPS everywhere, passwords hashed with a strong key-derivation function, token-based authentication, per-IP and per-account rate limiting, and access controls on our infrastructure. Shareable invoices stored on Cloudflare are kept encrypted at rest and are reachable only via unguessable, signed links. No method of transmission or storage is completely secure, but we work to protect your data and to respond promptly to any incident.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. If changes are material, we will take reasonable steps to notify registered users, such as by email. Your continued use of Invovate after changes take effect constitutes acceptance of the revised policy.

15. Contact Us

Questions about this Privacy Policy or how we handle your data? Contact the data controller:

PolarCurve LLC
c/o Registered Agents Inc
30 N Gould St, Ste R
Sheridan, WY 82801
United States
Email: hello@invovate.com