Invly Privacy Policy
Effective date: 2026-05-28 Version: 1.0 Data controller: Rev Tech MB (registration code 307780627), registered office Vilnius, V. Nagevičiaus g. 3, LT-08237, email info@invly.lt.
The Lithuanian-language version of this policy is authoritative for data subjects residing in Lithuania; this English version is provided as a reference translation.
1. Scope
This privacy policy explains how Rev Tech MB ("we", "Invly") processes personal data when you use the invoice management platform at www.invly.lt and related services. The policy implements Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR") and the Lithuanian Law on the Legal Protection of Personal Data.
2. What we collect
2.1. Account data
- Email (required — used for login and communications)
- Password (stored as a hash via Supabase Auth — we cannot see it)
2.2. Business profile data (optionally provided)
- Company name, registration code, VAT code
- Address
- IBAN and bank name
- Phone number
- Logo (if uploaded)
2.3. Operational data (created while using the platform)
- Invoices, line items, dates, amounts, statuses
- Client and product catalog entries — note: when these include your clients' personal data, see section 8 on your obligations as a data controller
- Expense records and uploaded documents
- Recurring-invoice and template configurations
2.4. Payment data
Subscription payments are processed by Stripe Payments Europe, Ltd. We do not store your card number or CVV — only a Stripe customer identifier, subscription status, and period-end date. See Stripe's privacy notice: https://stripe.com/privacy.
2.5. Technical data
- IP address, browser type, language (in server logs at Supabase and Vercel)
- Login timestamps
- Audit-log records of in-app actions (invoice created, client deleted, etc.)
2.6. AI feature data
When you use AI invoice generation or receipt OCR, the relevant text or image is transmitted to Anthropic, PBC (USA). We do not pass account identifiers — only the content of your request. Anthropic commits not to train models on API data (see https://www.anthropic.com/legal/dpa).
3. Purposes and legal basis
| Purpose | GDPR Article 6 basis | Retention |
|---|---|---|
| Account creation and service delivery | (b) performance of contract | Account lifetime + 36 months after closure |
| Payment processing, invoice issuance | (b) contract; (c) legal obligation (Lithuanian VAT and accounting law) | 10 years — Lithuanian Accounting Act |
| Customer support, response to queries | (f) legitimate interest | 24 months after last correspondence |
| Security, fraud prevention | (f) legitimate interest | Logs — 12 months |
| AI feature operation | (b) contract | Request transmitted to Anthropic in real time; we retain no AI-prompt history |
| Product improvement (aggregated stats) | (f) legitimate interest | Aggregated without identifiers |
4. Recipients and sub-processors
As of 2026-05-28:
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Supabase | Database, auth, edge functions | EU (Frankfurt) | No transfer (EU-only) |
| Vercel | Frontend hosting, edge CDN | US + global edge | GDPR Art. 46 Standard Contractual Clauses (SCC) |
| Stripe | Subscription payments | Ireland (EU) for EU customers | EU-only for EU data subjects |
| Resend | Transactional email | US | GDPR Art. 46 SCC |
| Anthropic | AI features | US | GDPR Art. 46 SCC |
We will notify you at least 30 days before adding a new sub-processor, in-app or by email. If you do not consent, you may terminate the service.
We do not sell or share your personal data with third parties for marketing.
5. International transfers
Where data is transferred to sub-processors in the United States (Vercel, Resend, Anthropic), transfers are governed by Standard Contractual Clauses approved by the European Commission, together with supplementary technical measures (TLS in transit, encryption at rest where applicable).
6. Your rights (GDPR Articles 15-22)
You have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16) — most fields are editable in your account settings
- Erase your data ("right to be forgotten", Art. 17) — note that accounting records are retained for 10 years per Lithuanian law
- Restrict processing (Art. 18)
- Data portability (Art. 20) — exportable via CSV and PDF
- Object to processing where based on legitimate interest (Art. 21)
- Withdraw consent at any time where consent is the basis
- Lodge a complaint with the supervisory authority — the State Data Protection Inspectorate of the Republic of Lithuania (
L. Sapiegos g. 17, LT-10312 Vilnius, ada@ada.lt, https://vdai.lrv.lt)
To exercise these rights, contact info@invly.lt or info@invly.lt. We respond within 30 days of receipt (extensible by 60 days for complex requests).
7. Security
- TLS 1.2+ for all traffic
- Postgres with Row-Level Security: users see only their own data
- Passwords stored as bcrypt hashes (Supabase Auth)
- Production access is restricted and logged
- Regular backups (managed by Supabase)
Security incidents are reported to the supervisory authority within 72 hours of discovery (GDPR Art. 33) and directly to affected data subjects where the incident poses a high risk to their rights (Art. 34).
8. Your obligations as a data controller
When you upload your clients' personal data (e.g. their email or company code on an invoice), you are the data controller for that data and Invly is the processor. A separate Data Processing Agreement (DPA) is available on request at info@invly.lt.
9. Cookies
We use only strictly necessary cookies for session management. See cookie-policy-en.md.
10. Children
Invly is not directed at persons under 16 and we do not knowingly collect their data. If you become aware that a minor has provided data, please notify info@invly.lt.
11. Changes to this policy
Material changes will be posted to https://www.invly.lt/privacy and, when necessary, emailed to users at least 30 days before they take effect.
| Version | Date | Changes |
|---|---|---|
| 1.0 | 2026-05-28 | Initial version |
12. Contact
- Controller: Rev Tech MB
- Address: Vilnius, V. Nagevičiaus g. 3, LT-08237
- Email: info@invly.lt
- Data Protection contact: info@invly.lt
In case of conflict in interpretation, the Lithuanian version of this policy prevails for data subjects resident in the Republic of Lithuania.