What we collect. And what we don't.

1. Who runs this

Generate Invoice (invoice.codurra.com) is operated by WarBerryApps s. r. o., trading as Codurra (codurra.com). Registered office: Daniela Michaelliho 3931/9, 036 01 Martin, Slovakia.

IČO: 54 705 711 · DIČ: 2121769749 · IČ DPH: SK2121769749. Registered at Mestský súd Žilina, oddiel Sro, vložka č. 80091/L. Date of incorporation: 5 July 2022.

For privacy questions or GDPR requests, contact [email protected].

2. What we collect, and why

2.1 Account data

Email address (sign-in, password reset, service notifications), a salted password hash (we never see your plaintext password), your selected plan and billing status, your preferred language, and the account creation and last-login timestamps.

Legal basis: contractual necessity — we can't run an account-bound invoicing service without these.

2.2 Company profile (supplier details)

When you create a supplier profile we store the data you enter: business name, address, IČO / DIČ / IČ DPH (or local equivalents), IBAN / SWIFT, contact email and phone, default invoice language and currency, your invoice number format, and an optional logo file. These appear on the invoices you generate and are never shared with anyone outside your account.

Legal basis: contractual necessity — the supplier block on every invoice is built from this data.

2.3 Clients and item catalog

Clients you save (name, address, tax IDs, contact info, optional per-client invoice numbering) and items in your catalog (name, default unit price, currency, default VAT rate) are stored so you can reuse them on future invoices. They are private to your account.

Legal basis: contractual necessity — they exist so you don't have to retype data on every invoice.

2.4 Invoice data and generated PDFs

For every invoice you generate we store the payload (supplier, purchaser, items, taxes, totals, currency, dates, notes) and the rendered PDF file. This lets you re-download, mark as paid, void or reissue an invoice later. Uploaded logo or attachment files are stored alongside the invoice.

Legal basis: contractual necessity for delivering the service, plus our legitimate interest in providing access to your invoice history.

2.5 License keys (API access)

Each paid plan and the Freelancer plan get a license key used to authenticate API calls and SDK requests. We store the key, its monthly usage counter, and a log of recent issuing IP addresses and request paths for abuse-prevention and rate-limiting purposes.

Legal basis: contractual necessity (to authenticate your API calls) and legitimate interest (abuse prevention).

2.6 Session and security data

When you sign in we issue a signed session token stored on your device. We keep a server-side record of active sessions so you can sign out remotely and so we can revoke a session if a security issue is reported. No third-party tracking cookies are set.

2.7 Server logs

Our servers temporarily log HTTP requests (method, path, status code, response time, anonymised IP, user-agent string) for operational debugging and abuse detection. Logs are rotated and deleted within 30 days. We do not data-mine logs for behavioural profiling or advertising.

3. We don't share or sell your data

Your invoices, company profile, clients and items are visible only to you (and to anyone you explicitly share an invoice link with). We do not sell, rent, or share your data with advertisers, data brokers, or AI training providers. We do not use your invoicing data to train models.

The only exceptions are the sub-processors listed in §4 (each performs one specific function for us under a Data Processing Agreement), and disclosures we are legally required to make (for example a binding order from a Slovak court).

4. Sub-processors

We use a small set of third-party services to operate Generate Invoice. Each handles a single specific function under a Data Processing Agreement and has its own privacy policy:

• Stripe (Stripe Payments Europe, Ltd., Ireland) — processes subscription payments. We never see or store your card details. Stripe holds billing data under PCI-DSS.
• Cloudflare (Cloudflare, Inc., USA) — CDN, DDoS protection and edge TLS. Sees inbound traffic metadata (IP, headers, request paths) for the duration of each request.
• Our own infrastructure (EU) — application servers, the database, stored PDFs and our transactional email service (account activation links, password resets, payment-failed warnings) all run on infrastructure we operate directly inside the European Union. Encrypted snapshots are replicated to a second EU region — see §6.

We do not use Google Analytics, Facebook Pixel, advertising networks or third-party behavioural-tracking pixels. We do not share your data with advertisers.

5. International transfers

One sub-processor above (Cloudflare) is partially US-based. Transfers are protected by the EU–US Data Privacy Framework and Standard Contractual Clauses. Your account data, company profile, clients, items, invoice payloads, generated PDFs and transactional email all stay in the European Union on infrastructure we operate.

6. Where we store your data — and backups

All application data — accounts, company profiles, clients, items, invoices and generated PDFs — is stored in the European Union on infrastructure we operate directly. Database access is restricted to a small number of operators by IP allowlist and SSH key, and is logged.

We take encrypted backups of the database and the file store on a continuous schedule and replicate them to a second, geographically separate region inside the European Union. This means a regional outage or hardware failure in one location cannot lose your data. Backups are retained for 30 days on a rolling window.

Data is encrypted in transit (TLS 1.2+) between your browser, our servers and our sub-processors. Backups and stored PDFs are encrypted at rest. Passwords are stored as salted hashes (we cannot recover the original).

7. How long we keep things

• Sign-in sessions — expire 30 days after sign-in, or immediately when you sign out from the dashboard.
• Invoice drafts — auto-save while you type and are kept for the life of your account, or until you discard them.
• Invoices and generated PDFs — kept for the life of your account, or until you individually delete them, so you can re-download and reissue them later.
• Uploaded logos and attachments — kept until you replace or remove the file, or delete the associated profile or invoice.
• Operational server logs — up to 30 days, then rotated and deleted automatically.
• Billing records — 10 years, as required by the Slovak Accounting Act (Zákon č. 431/2002 Z. z.) §35.
• Account data after closure — we delete your account data — invoices, PDFs, profiles, clients, items, license keys — within 30 days of your deletion request, except the billing records retained for tax purposes (see above).

8. Your rights (GDPR)

You can, at any time:

• Access all data we hold about you — email [email protected] for a copy.
• Correct inaccurate data — most fields you can edit directly in the dashboard, or write to us.
• Delete your account and data — do it yourself in Dashboard → Account → Delete account, or write to us.
• Export a copy of your data in a portable format (JSON for structured data, ZIP for PDFs) — email [email protected].
• Object to processing or ask us to restrict it.
• Complain to the Slovak Data Protection Authority (Úrad na ochranu osobných údajov SR) if you think we mishandled your data.

9. Children

Generate Invoice is a B2B invoicing tool and is not directed at children under 16. If you believe a child has signed up, contact [email protected] and we will delete the account.

10. Cookies

We use a single first-party authentication token (stored in localStorage, not a cookie) to keep you signed in. It is required for the service to function. We do not set advertising, analytics or third-party cookies. Cloudflare may set its own bot-mitigation cookie (__cf_bm) at the edge — required for our DDoS protection and expires within 30 minutes.

11. Changes

When we materially change this policy we'll update the "Last updated" date at the top and — if you have an account — email you a summary of the changes before they take effect.

12. Contact

WarBerryApps s. r. o.
Daniela Michaelliho 3931/9, 036 01 Martin, Slovakia
IČO: 54 705 711 · DIČ: 2121769749 · IČ DPH: SK2121769749
[email protected]