Privacy Policy — Invoiciti

Effective date: October 20, 2025

1. Introduction

Welcome to Invoiciti (“we”, “us”, “our”). Invoiciti provides an online invoicing platform and related services (the “Service”). We are committed to protecting your privacy and handling your personal data in a secure, transparent, and lawful manner. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, who we share it with, and the rights available to you.

By using our website (https://invoiciti.com) or the Invoiciti Service, you accept the practices described in this Privacy Policy.

2. Controller and Contact

Data Controller: Invoiciti
Address: Plot 502B Novare Central, Wuse Zone 5, Abuja, Nigeria.
Email: support@invoiciti.com
Phone: +234 707 165 9277

For privacy questions, data access requests, or to lodge a complaint, contact privacy@invoiciti.com.

3. Definitions

  • Personal data: Any information relating to an identifiable person.

  • Service data: Data generated by or within the Service (invoices, payment records, account activity).

  • User: A person or business using the Service.

  • NDPA: Nigeria Data Protection Act 2023.

4. Categories of Data We Collect

We collect the following categories of information:

Account & identity data

  • Name, business name, job title, email address, telephone number, physical address, Tax Identification Number (TIN), government ID where required for verification.

Billing & payment data

  • Billing address, payment method details (card tokenized by payment processor), transaction references, invoices, and refunds. We do not store full card numbers; payment processors store card data.

Service data

  • Invoices, client records, invoice items, invoice reference numbers (IRN), logs of invoice transmission, payment status, and audit logs.

Technical & analytics data

  • IP addresses, device information, browser type/version, operating system, crash logs, usage data, cookies, and analytics.

Communications

  • Support requests, emails, chat transcripts, and other correspondence.

5. How We Use Your Data

We process personal and service data to:

  • Provide, operate, maintain, and improve the Service.

  • Create, sign, transmit and store e-invoices in a format compatible with FIRS/NITDA requirements.

  • Process payments and reconcile transactions.

  • Authenticate and verify accounts and users (including TIN/IRN verification where required).

  • Send transactional communications (invoices, receipts, reminders, security notifications).

  • Provide customer support and respond to inquiries.

  • Detect, prevent and respond to fraud, abuse, and security incidents.

  • Comply with legal and regulatory obligations (including reporting to tax authorities where required).

  • Conduct analytics and usage research to improve our Service.

  • Send marketing communications where you have consented (you may opt out at any time).

6. Legal Basis for Processing

Where applicable, we rely on the following legal bases for processing personal data:

  • Performance of a contract: to provide our Service and perform our obligations under user agreements.

  • Legal obligation: to comply with laws and regulatory requirements (e.g., tax and e-invoicing rules).

  • Legitimate interests: to operate, secure, and improve the Service (unless overridden by your rights).

  • Consent: for optional marketing communications or other optional services requiring consent.

7. Sharing and Disclosure

We do not sell personal data. We may share data with:

Service providers and subprocessors — companies that perform services on our behalf (e.g., hosting providers, email delivery, analytics, payment processors such as Paystack, Flutterwave, Stripe). These providers only process data to provide services to us and are contractually required to protect personal data.

Regulatory and legal authorities — when required by law or to comply with lawful requests from government or tax authorities (e.g., FIRS, NITDA) and to support audits, investigations, or legal proceedings.

Business transfers — in the event of a merger, acquisition, reorganization, sale of assets or in connection with corporate financing, data may be transferred; we will notify users where required by law.

Aggregated/Anonymised Data — we may aggregate data for analytics or reporting in a way that does not identify individuals.

8. Cross-border Data Transfers

Our infrastructure and third-party service providers may be located outside Nigeria. When we transfer personal data across borders, we implement appropriate safeguards (e.g., contractual protections, encryption) and comply with applicable laws. Where required by regulation, we will ensure transfers are to jurisdictions with equivalent protections or that other lawful transfer mechanisms are in place.

Where possible and practical, we store and back up service data on servers located in Nigeria to meet regulatory expectations around local storage. If personal data must be transferred outside Nigeria, we will take reasonable steps to secure that data and notify you where required.

9. Data Security

We implement technical and organisational measures to protect personal data, including:

  • Encryption of data in transit (TLS) and where practical at rest.

  • Access controls, authentication, and role-based permissions.

  • Regular security assessments, monitoring, and vulnerability management.

  • Use of secure key management and hardware security modules (HSM) where applicable for cryptographic functions.

  • Staff training and data handling policies.

Despite these measures, no system can be 100% secure. If we discover a data breach that affects your personal data, we will notify affected users and relevant authorities in accordance with NDPA/NITDA requirements (including notification timelines such as 24 hours for reporting major breaches where required).

10. Data Retention

We retain personal and service data as long as necessary to provide the Service, comply with legal obligations, resolve disputes, enforce agreements, and as otherwise permitted by law. Typical retention periods:

  • Account and transactional data: retained during the life of the account and for a period after account closure for legal, tax and audit requirements (e.g., 7 years for financial records, or as required by local law).

  • Support and communications: retained for a period necessary to resolve issues (e.g., 2–5 years).

  • Analytics and logs: retained in aggregated or pseudonymized form as needed.

You can request deletion of your account and data; we will act subject to legal and contractual retention obligations (e.g., tax or legal record requirements).

11. Cookies and Tracking

We use cookies and similar technologies for:

  • Essential site functionality.

  • Authentication and session management.

  • Analytics and performance (Google Analytics or similar).

  • Marketing and advertising (where applicable).

Most browsers allow you to control cookies via settings. Disabling certain cookies may affect your ability to use parts of the Service. Our Cookie Policy (or banner) provides more detail and opt-out instructions.

12. Third-Party Services & Links

Our Service may include links to third-party sites and services (e.g., payment processors, helpdesk, analytics providers). These third parties have their own privacy policies and practices. We are not responsible for their processing of your personal data; please review their privacy policies before providing personal data.

13. Payments & Financial Information

We integrate with third-party payment processors (such as Paystack, Flutterwave and Stripe). Payment card details are processed and stored by these processors and not by Invoiciti. We receive payment tokens and transaction references necessary to reconcile payments. Please review the privacy and security practices of the payment provider you use.

14. User Rights & Choices

Depending on applicable law, you may have rights including:

  • Access: request a copy of personal data we hold about you.

  • Correction: request correction of inaccurate or incomplete data.

  • Deletion: request deletion of personal data subject to legal retention obligations.

  • Portability: request export of your data in a structured format.

  • Restriction or objection: request restriction of certain processing activities or object to processing based on legitimate interests.

  • Withdraw consent: where we process data based on consent, you can withdraw consent at any time.

To exercise your rights, contact privacy@invoiciti.com. We may need to verify your identity before fulfilling your request. We will respond within applicable statutory timeframes.

15. Children’s Privacy

Our Service is not directed to children under 18. We do not knowingly collect personal data from children. If we learn we have unknowingly collected data from a child, we will take steps to delete it.

16. Complaints & Supervisory Authority

If you have a privacy complaint, contact us at privacy@invoiciti.com so we can try to resolve it. You also have the right to lodge a complaint with the Nigerian data protection supervisory authority (e.g., the National Data Protection Commission or other designated body) if you are not satisfied with our response.

17. Changes to this Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. If we make material changes, we will post a prominent notice on our site and update the “Effective date” above. Continued use of the Service after changes constitutes acceptance of the updated policy.

18. Additional Information

Legal & regulatory: We comply with the Nigeria Data Protection Act 2023 (NDPA) and applicable NITDA/FIRS guidance on e-invoicing. For questions about regulatory compliance or data access requests from authorities, contact privacy@invoiciti.com.