Invly Privacy Policy

Effective date: 2026-05-28 Version: 1.0 Data controller: Rev Tech MB (registration code 307780627), registered office Vilnius, V. Nagevičiaus g. 3, LT-08237, email info@invly.lt.

The Lithuanian-language version of this policy is authoritative for data subjects residing in Lithuania; this English version is provided as a reference translation.


1. Scope

This privacy policy explains how Rev Tech MB ("we", "Invly") processes personal data when you use the invoice management platform at www.invly.lt and related services. The policy implements Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR") and the Lithuanian Law on the Legal Protection of Personal Data.

2. What we collect

2.1. Account data

  • Email (required — used for login and communications)
  • Password (stored as a hash via Supabase Auth — we cannot see it)

2.2. Business profile data (optionally provided)

  • Company name, registration code, VAT code
  • Address
  • IBAN and bank name
  • Phone number
  • Logo (if uploaded)

2.3. Operational data (created while using the platform)

  • Invoices, line items, dates, amounts, statuses
  • Client and product catalog entries — note: when these include your clients' personal data, see section 8 on your obligations as a data controller
  • Expense records and uploaded documents
  • Recurring-invoice and template configurations

2.4. Payment data

Subscription payments are processed by Stripe Payments Europe, Ltd. We do not store your card number or CVV — only a Stripe customer identifier, subscription status, and period-end date. See Stripe's privacy notice: https://stripe.com/privacy.

2.5. Technical data

  • IP address, browser type, language (in server logs at Supabase and Vercel)
  • Login timestamps
  • Audit-log records of in-app actions (invoice created, client deleted, etc.)

2.6. AI feature data

When you use AI invoice generation or receipt OCR, the relevant text or image is transmitted to Anthropic, PBC (USA). We do not pass account identifiers — only the content of your request. Anthropic commits not to train models on API data (see https://www.anthropic.com/legal/dpa).

3. Purposes and legal basis

PurposeGDPR Article 6 basisRetention
Account creation and service delivery(b) performance of contractAccount lifetime + 36 months after closure
Payment processing, invoice issuance(b) contract; (c) legal obligation (Lithuanian VAT and accounting law)10 years — Lithuanian Accounting Act
Customer support, response to queries(f) legitimate interest24 months after last correspondence
Security, fraud prevention(f) legitimate interestLogs — 12 months
AI feature operation(b) contractRequest transmitted to Anthropic in real time; we retain no AI-prompt history
Product improvement (aggregated stats)(f) legitimate interestAggregated without identifiers

4. Recipients and sub-processors

As of 2026-05-28:

Sub-processorPurposeLocationTransfer mechanism
SupabaseDatabase, auth, edge functionsEU (Frankfurt)No transfer (EU-only)
VercelFrontend hosting, edge CDNUS + global edgeGDPR Art. 46 Standard Contractual Clauses (SCC)
StripeSubscription paymentsIreland (EU) for EU customersEU-only for EU data subjects
ResendTransactional emailUSGDPR Art. 46 SCC
AnthropicAI featuresUSGDPR Art. 46 SCC

We will notify you at least 30 days before adding a new sub-processor, in-app or by email. If you do not consent, you may terminate the service.

We do not sell or share your personal data with third parties for marketing.

5. International transfers

Where data is transferred to sub-processors in the United States (Vercel, Resend, Anthropic), transfers are governed by Standard Contractual Clauses approved by the European Commission, together with supplementary technical measures (TLS in transit, encryption at rest where applicable).

6. Your rights (GDPR Articles 15-22)

You have the right to:

  • Access your personal data (Art. 15)
  • Rectify inaccurate data (Art. 16) — most fields are editable in your account settings
  • Erase your data ("right to be forgotten", Art. 17) — note that accounting records are retained for 10 years per Lithuanian law
  • Restrict processing (Art. 18)
  • Data portability (Art. 20) — exportable via CSV and PDF
  • Object to processing where based on legitimate interest (Art. 21)
  • Withdraw consent at any time where consent is the basis
  • Lodge a complaint with the supervisory authority — the State Data Protection Inspectorate of the Republic of Lithuania (L. Sapiegos g. 17, LT-10312 Vilnius, ada@ada.lt, https://vdai.lrv.lt)

To exercise these rights, contact info@invly.lt or info@invly.lt. We respond within 30 days of receipt (extensible by 60 days for complex requests).

7. Security

  • TLS 1.2+ for all traffic
  • Postgres with Row-Level Security: users see only their own data
  • Passwords stored as bcrypt hashes (Supabase Auth)
  • Production access is restricted and logged
  • Regular backups (managed by Supabase)

Security incidents are reported to the supervisory authority within 72 hours of discovery (GDPR Art. 33) and directly to affected data subjects where the incident poses a high risk to their rights (Art. 34).

8. Your obligations as a data controller

When you upload your clients' personal data (e.g. their email or company code on an invoice), you are the data controller for that data and Invly is the processor. A separate Data Processing Agreement (DPA) is available on request at info@invly.lt.

9. Cookies

We use only strictly necessary cookies for session management. See cookie-policy-en.md.

10. Children

Invly is not directed at persons under 16 and we do not knowingly collect their data. If you become aware that a minor has provided data, please notify info@invly.lt.

11. Changes to this policy

Material changes will be posted to https://www.invly.lt/privacy and, when necessary, emailed to users at least 30 days before they take effect.

VersionDateChanges
1.02026-05-28Initial version

12. Contact

  • Controller: Rev Tech MB
  • Address: Vilnius, V. Nagevičiaus g. 3, LT-08237
  • Email: info@invly.lt
  • Data Protection contact: info@invly.lt

In case of conflict in interpretation, the Lithuanian version of this policy prevails for data subjects resident in the Republic of Lithuania.