Privacy Policy

1. Who we are

INVVEN is a cloud-based SaaS platform providing invoicing, quoting, and business management tools for small and medium businesses. It is operated by INVVEN Ltd, a New Zealand registered company.

This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and your rights regarding it. It applies to all users of the INVVEN platform at invven.com.

For privacy enquiries or to exercise your rights, contact: support@invven.com

2. What data we collect

We collect and process the following types of data:

Account information

Your name, email address, and authentication credentials when you sign up. This is managed through our identity provider and kept secure.

Business details

Company name, trading name, address, phone number, GST/tax number, bank account details, logo, and business settings you configure in INVVEN.

Customer data (your customers)

Names, email addresses, phone numbers, physical addresses, and other contact details of your customers that you enter into INVVEN. You are the data controller for your customers' data — INVVEN processes it on your behalf as a data processor.

Transaction data

Invoices, quotes, line items, payment records, job notes, and other business records you create within the platform.

Usage data

Information about how you use the platform — pages visited, features used, session timing, and actions taken. This helps us improve the product and diagnose issues.

Technical data

IP address, browser type, device type, and operating system — collected automatically when you connect to INVVEN.

Payment data

Billing-related data including your subscription plan, payment status, and billing history. We do not store your full card number — payment processing is handled by our payment provider.

3. How we use your data

We use your data to:

• Create and manage your INVVEN account.
• Provide and operate the platform and all its features.
• Send invoices, quotes, payment reminders, and receipts on your behalf to your customers.
• Process your subscription billing and manage payments.
• Send you service-related notifications (e.g. payment confirmations, account alerts).
• Provide customer support and respond to your enquiries.
• Monitor, maintain, and improve the reliability and performance of the platform.
• Detect and prevent fraud, abuse, and security threats.
• Comply with legal obligations, including tax record-keeping requirements.

We do not use your data for advertising and we do not sell your data to third parties.

4. Legal bases for processing

We process personal data on the following legal bases:

• (a) Contract Performance — processing necessary to provide the Service under your subscription agreement.
• (b) Legitimate Interests — processing necessary for platform security, fraud prevention, and service improvement.
• (c) Legal Obligations — processing required to comply with applicable laws including tax and financial record-keeping requirements.
• (d) Consent — where you have provided explicit consent, which may be withdrawn at any time.

5. Who we share your data with

We share data only with trusted third-party service providers who process it on our behalf to deliver the service. Each is bound by a data processing agreement and/or their own privacy policies.

We use trusted third-party service providers for:

• Payment processing
• Cloud hosting and infrastructure
• User authentication
• Email delivery
• Analytics and infrastructure monitoring

These providers process data only as necessary to deliver the service and are contractually required to protect it in accordance with applicable privacy laws.

Where AI-powered features are used (such as help chat and document analysis), data submitted to those features may be processed by AI service providers. We do not use your data to train AI models.

A current list of our subprocessors is available on request by contacting support@invven.com.

We may also disclose your data if required by law, court order, or regulatory authority, or to protect the rights, safety, or property of INVVEN, its users, or others.

6. Where your data is stored

Primary application data is hosted in Sydney, Australia. Some trusted service providers may process limited data in other jurisdictions where necessary to provide the service.

All data is encrypted in transit using TLS and encrypted at rest. Where your data is transferred to, or accessible from, countries outside your own jurisdiction, we rely on data processing agreements and standard contractual clauses as appropriate.

7. Data transfer mechanisms

Where personal data is transferred outside your jurisdiction, we rely on appropriate safeguards including:

• Standard Contractual Clauses (SCCs) approved by the European Commission for EU data transfers.
• The UK International Data Transfer Addendum for UK data transfers.
• Equivalent mechanisms for other jurisdictions as required by applicable law.

A Data Processing Addendum incorporating these mechanisms is available on request at support@invven.com.

8. Cookies and tracking

INVVEN uses essential cookies required to operate the service, including authentication session cookies. These are strictly necessary — the service cannot function without them.

We also collect usage analytics to understand how the platform is being used and to identify issues. We do not use advertising cookies, cross-site tracking cookies, or sell any tracking data to third parties.

If we introduce non-essential cookies in future, we will update this policy and obtain appropriate consent from affected users before doing so.

9. Data retention

We retain your data for as long as your account is active and for a period afterwards as required by law and our data retention obligations:

• Business financial records — retained for a minimum of 7 years following account closure, in accordance with New Zealand tax record-keeping requirements under the Tax Administration Act 1994 and equivalent obligations in other jurisdictions.
• Account and billing data — retained for as long as required for tax, accounting, and dispute resolution purposes.
• Usage and technical data — generally retained for up to 12 months.

You may request deletion of personal data that is not subject to mandatory retention obligations by contacting support@invven.com.

10. Your rights by jurisdiction

Depending on where you are located, you have specific rights regarding your personal data. To exercise any of the rights described below, contact us at support@invven.com. We will respond within 20 working days (or as required by applicable law).

New Zealand — Privacy Act 2020

Under the NZ Privacy Act 2020, you have the right to:

• Ask whether we hold personal information about you and request access to it.
• Request correction of any personal information we hold that is inaccurate or outdated.
• Complain to the Privacy Commissioner if you believe we have breached the Privacy Act.

Contact the Office of the Privacy Commissioner: privacy.org.nz

Australia — Privacy Act 1988

Under the Australian Privacy Act 1988 and Australian Privacy Principles, you have the right to:

• Access the personal information we hold about you.
• Request correction of inaccurate, incomplete, or outdated information.
• Opt out of receiving direct marketing communications.
• Make a complaint to the Office of the Australian Information Commissioner (OAIC).

Contact the OAIC: oaic.gov.au

United Kingdom — UK GDPR

If you are based in the UK, under the UK GDPR you have the right to:

• Access a copy of your personal data (Subject Access Request).
• Have inaccurate personal data corrected.
• Have your personal data erased in certain circumstances (“right to be forgotten”).
• Restrict or object to certain types of processing.
• Receive your data in a portable format (data portability).
• Lodge a complaint with the Information Commissioner's Office (ICO).

Contact the ICO: ico.org.uk

European Union — GDPR

If you are in the European Economic Area (EEA), our legal basis for processing your data is the performance of the contract between us (providing the service), our legitimate interests in operating and improving the service, and compliance with legal obligations.

Under the GDPR, you have the right to:

• Access your personal data.
• Rectify inaccurate data.
• Erase your data (subject to legal retention obligations).
• Restrict processing.
• Data portability — receive your data in a machine-readable format.
• Object to processing based on legitimate interests.
• Lodge a complaint with your national data protection authority.

Find your national supervisory authority: edpb.europa.eu

United States — CCPA and state privacy laws

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with specific rights:

• The right to know what personal information we collect, use, disclose, and sell.
• The right to delete personal information we have collected (subject to exceptions).
• The right to opt out of the sale or sharing of your personal information.
• The right to non-discrimination for exercising your privacy rights.

We do not sell or share your personal information with third parties for monetary consideration or targeted advertising purposes. This applies to all US users, not just California residents.

Users in other US states with applicable privacy laws (including Colorado, Virginia, and Connecticut) may exercise similar rights by contacting support@invven.com.

South Africa — POPIA

If you are in South Africa, the Protection of Personal Information Act (POPIA) applies. Under POPIA, you have the right to:

• Be notified when your personal information is collected.
• Access the personal information we hold about you.
• Request correction or deletion of inaccurate or out-of-date information.
• Object to the processing of your personal information.
• Submit a complaint to the Information Regulator of South Africa.

Contact the Information Regulator: justice.gov.za/inforeg

11. Data subject requests process

To exercise your data rights:

• (a) Submit your request to support@invven.com with sufficient information to verify your identity.
• (b) We will respond within 30 days of receiving a verifiable request.
• (c) Where a request conflicts with legal retention obligations, we will inform you of the specific legal basis for retention.
• (d) Data exports are provided in CSV or PDF format.

12. Do not sell my personal information

INVVEN does not sell your personal information. We do not sell, rent, or trade your personal data to third parties for money or any other consideration. We do not share your personal data with third parties for targeted advertising purposes.

Third-party providers receive your data only to the extent necessary to deliver the specific service they provide to us. They are contractually prohibited from using your data for their own commercial purposes.

13. Security

We take the security of your data seriously and implement reasonable technical and organisational measures to protect it, including:

• TLS encryption for all data in transit.
• Encryption at rest for all stored data.
• Role-based access controls — staff access is limited to what is needed.
• Secure, managed cloud infrastructure from reputable providers.
• Regular security monitoring and error tracking in production.

No system is 100% secure. If you become aware of a security issue involving INVVEN, please notify us immediately at support@invven.com.

14. Data breach notification

In the event of a data breach likely to result in serious harm, we will notify affected users and relevant regulatory authorities without undue delay and within timeframes required by applicable law, including under the New Zealand Privacy Act 2020, Australian Privacy Act 1988, UK GDPR, and EU GDPR.

15. Children's privacy

The Service is intended for users aged 18 and over. We do not knowingly collect personal data from individuals under 18. If you become aware that a minor has provided us with personal data, please contact support@invven.com and we will take steps to delete it.

16. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email to your registered address and/or by displaying a notice within the INVVEN application, with the updated effective date shown at the top of this page.

Continued use of INVVEN after an updated policy takes effect constitutes your acceptance of the changes. If you do not agree, you may cancel your account before the changes take effect.

17. Data Processing Addendum

A Data Processing Addendum is available at invven.com/dpa or by contacting support@invven.com. EU, UK, and other regulated customers requiring a DPA should contact us before or at the time of signup.

Where required by applicable law, our DPA incorporates Standard Contractual Clauses for international data transfers.

18. Contact us

For any privacy-related questions, data requests, or complaints, please contact our Privacy Officer:

We will acknowledge all privacy requests within 5 working days and aim to respond fully within 20 working days, as required under the New Zealand Privacy Act 2020.