Privacy Policy
Last updated: July 2026
This Privacy Policy explains how Talivio Technology OÜ ("Talivio", "we") processes personal data in connection with the Invonio e-invoicing service. We are the data controller. For privacy questions, contact [email protected].
1. Data we collect
- Account data: name, email address, hashed password, chosen interface language.
- Business data: the seller profile you enter (company name, address, VAT ID, tax number, IBAN) — this appears as the sender on every invoice you issue.
- Invoice data: the invoices you create or receive, including buyer details, line items and amounts, and the generated ZUGFeRD/Factur-X/XRechnung documents.
- Billing data: your subscription status is processed by our payment provider, Stripe; we do not store your card details ourselves.
- Technical data: log and security information needed to operate the service, such as IP addresses, browser type and timestamps in server logs.
2. How we use it
- To generate, validate, deliver, receive and archive your electronic invoices.
- To operate your subscription and billing.
- To secure, maintain and improve the service.
- To send service-related communications, including invoices you choose to send to your customers by email.
3. Legal bases (GDPR)
- Art. 6(1)(b) — performance of our contract with you: providing your account and the invoicing, delivery, inbox and archiving features, and communicating with you about the service.
- Art. 6(1)(c) — our own legal obligations: bookkeeping and tax records relating to your subscription payments.
- Art. 6(1)(f) — our legitimate interests: securing the service, preventing abuse, and maintaining server logs for these purposes.
4. Sharing & processors
We use trusted processors, located in the EU, to run the service:
- our hosting provider, to run the application and store data;
- our email provider, to deliver account and invoice emails you send;
- where the Peppol delivery channel is available on your account and you use it, our contracted Peppol access point provider, to hand invoices over to the Peppol network.
Stripe, our payment provider, acts as an independent (separate) controller for your subscription payment, under its own privacy terms — not as our processor. We do not sign a controller-processor agreement with Stripe for the payment flow, and we do not store your card details ourselves.
Once an invoice leaves our systems — to your customer's email server, to their Peppol access point, or to a governmental invoicing platform — those recipients and platforms process it under their own responsibility. They are independent parties, not our processors.
For personal data contained in the invoices themselves (your customers' and suppliers' details), you are the controller and we act as your processor — see our Data Processing Agreement.
We do not sell personal data.
5. Retention
We keep your account, business and invoice data for as long as your account exists. When you close your account, your personal data is deleted or anonymized within 90 days, unless a longer statutory retention period applies. Invoices are subject to statutory retention periods under member state tax law — roughly 5 to 10 years depending on the country (for example PL 5, ES 6, NL/EE 7, DE 8 [for invoices, under BEG IV 2025], FR/IT 10 years), running from the end of the financial year. As the issuer or recipient of the invoice, that retention obligation is yours, and Invonio archives your invoice documents for as long as your account exists to help you meet it. Deleting your account permanently deletes all of your data — including archived invoice documents — from our systems, so you must export your archive first if a retention period is still running. Server logs are kept only for a limited period needed for security and troubleshooting.
6. Your rights
Under the GDPR you may access, rectify, erase, restrict or port your data, and object to processing. You can export a full copy of your data or delete your account at any time from the Settings page in the app, or by emailing [email protected].
You also have the right to lodge a complaint with a supervisory authority. For Talivio, the competent authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, www.aki.ee); you may also contact the data protection authority of your own EU member state.
7. Security
We apply technical and organizational measures appropriate to the risk, including encryption in transit, access controls, and tamper-evident archiving (checksums) for invoice documents.
8. International transfers
Talivio Technology OÜ is based in Estonia (EU); our processors are contracted under standard data protection terms. Where a processor is located outside the EU/EEA, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses.
9. Cookies
We only use strictly necessary cookies: to keep you signed in and to protect forms against cross-site request forgery. We do not use analytics, advertising, or third-party tracking cookies, and no cookie banner is shown because none is legally required for this.
10. Changes
We may update this policy; material changes will be reflected by the "last updated" date above.
This document is a general template and does not constitute legal advice. Have it reviewed by counsel before relying on it.