Pricing API docs
Log in Get started

Privacy Policy

Last updated: July 2026

This Privacy Policy explains how Talivio Technology OÜ ("Talivio", "we") processes personal data in connection with the Invonio e-invoicing service. We are the data controller. For privacy questions, contact [email protected].

1. Data we collect

2. How we use it

3. Legal bases (GDPR)

4. Sharing & processors

We use trusted processors, located in the EU, to run the service:

Stripe, our payment provider, acts as an independent (separate) controller for your subscription payment, under its own privacy terms — not as our processor. We do not sign a controller-processor agreement with Stripe for the payment flow, and we do not store your card details ourselves.

Once an invoice leaves our systems — to your customer's email server, to their Peppol access point, or to a governmental invoicing platform — those recipients and platforms process it under their own responsibility. They are independent parties, not our processors.

For personal data contained in the invoices themselves (your customers' and suppliers' details), you are the controller and we act as your processor — see our Data Processing Agreement.

We do not sell personal data.

5. Retention

We keep your account, business and invoice data for as long as your account exists. When you close your account, your personal data is deleted or anonymized within 90 days, unless a longer statutory retention period applies. Invoices are subject to statutory retention periods under member state tax law — roughly 5 to 10 years depending on the country (for example PL 5, ES 6, NL/EE 7, DE 8 [for invoices, under BEG IV 2025], FR/IT 10 years), running from the end of the financial year. As the issuer or recipient of the invoice, that retention obligation is yours, and Invonio archives your invoice documents for as long as your account exists to help you meet it. Deleting your account permanently deletes all of your data — including archived invoice documents — from our systems, so you must export your archive first if a retention period is still running. Server logs are kept only for a limited period needed for security and troubleshooting.

6. Your rights

Under the GDPR you may access, rectify, erase, restrict or port your data, and object to processing. You can export a full copy of your data or delete your account at any time from the Settings page in the app, or by emailing [email protected].

You also have the right to lodge a complaint with a supervisory authority. For Talivio, the competent authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, www.aki.ee); you may also contact the data protection authority of your own EU member state.

7. Security

We apply technical and organizational measures appropriate to the risk, including encryption in transit, access controls, and tamper-evident archiving (checksums) for invoice documents.

8. International transfers

Talivio Technology OÜ is based in Estonia (EU); our processors are contracted under standard data protection terms. Where a processor is located outside the EU/EEA, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses.

9. Cookies

We only use strictly necessary cookies: to keep you signed in and to protect forms against cross-site request forgery. We do not use analytics, advertising, or third-party tracking cookies, and no cookie banner is shown because none is legally required for this.

10. Changes

We may update this policy; material changes will be reflected by the "last updated" date above.

This document is a general template and does not constitute legal advice. Have it reviewed by counsel before relying on it.