Privacy Policy
Last updated: 2026-02-18
Introduction
This Privacy Policy explains how NextGenWebs SL (“Invoxa”, “we”, “us”) collects, uses, and protects your personal data when you use our invoice processing platform at invoxa.com. We are committed to complying with the General Data Protection Regulation (GDPR) and applicable Spanish data protection law.
Data Controller and Processor
NextGenWebs SL
CIF: ESB97380067
Plz. Gerardo Salvador 1
46988 Paterna, Valencia, Spain
Email: privacy@invoxa.com
Invoxa acts as Data Controller for account and usage data (e.g. your name, email address, and login activity). For invoice data and documents uploaded by your organisation, your company is the Data Controller and Invoxa acts as the Data Processor, processing this data solely on your company’s behalf and in accordance with your instructions.
A Data Processing Agreement (DPA) is available upon request for customers who require one. Contact us at privacy@invoxa.com.
Data We Collect
We collect the following categories of personal data:
- Account data: name, email address, profile photo, and authentication identifiers (Google OAuth or other supported providers).
- Company data: company name, VAT number, billing address, and payment information.
- Invoice data: uploaded documents (PDF, PNG, JPEG), extracted text (supplier names, addresses, amounts, line items), and processing metadata.
- Usage data: IP address, browser type, pages visited, and feature interactions.
- Email ingestion data: sender email address and email attachments forwarded to your dedicated Invoxa address.
Legal Basis for Processing
We process your personal data under the following legal bases (GDPR Art. 6):
- Art. 6(1)(b) — Contract: processing necessary to provide the Invoxa service, including OCR extraction, invoice management, and ERP synchronisation.
- Art. 6(1)(f) — Legitimate interest: analytics and service improvements, fraud prevention, and security monitoring.
- Art. 6(1)(a) — Consent: optional cookies and marketing communications (where applicable).
- Art. 6(1)(c) — Legal obligation: compliance with tax, accounting, and regulatory requirements.
Purposes of Processing
- Providing and maintaining the Invoxa platform
- Processing invoices via OCR and AI extraction
- Authenticating users and managing team access
- Processing payments and managing billing
- Sending transactional emails (welcome, invitations, digests, failure notifications)
- Improving service quality and resolving issues
Sub-processors
We use trusted third-party service providers to operate the platform, including providers for file storage, AI-powered document processing, email delivery, email ingestion, payment processing, and authentication. All providers are selected with data protection in mind. A detailed list of current sub-processors is available upon request at privacy@invoxa.com.
International Data Transfers
Your data is stored within the European Union. Some auxiliary services (such as payment processing and email delivery) may involve processing outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or adequacy decisions, in accordance with GDPR Art. 46.
Data Retention
We retain your data as follows:
- Account data: retained for the duration of your account. Deleted within 30 days of account deletion.
- Invoice data and documents: retained until you delete them or close your account.
- Billing records: retained for 7 years to comply with Spanish tax obligations.
- Usage logs: retained for up to 12 months.
Your Rights
As an individual representative using the Platform, you have the following rights under the GDPR regarding your personal data (such as your name, email address, and usage data):
- Access — request a copy of your personal data
- Rectification — correct inaccurate data
- Erasure — request deletion of your data (“right to be forgotten”)
- Portability — receive your data in a machine-readable format
- Restriction — request restricted processing of your data
- Objection — object to processing based on legitimate interest
- Withdraw consent — withdraw consent at any time for consent-based processing
To exercise any of these rights, contact us at privacy@invoxa.com. We will respond within 30 days.
Company-level data (invoices, documents, and extracted data) can be managed directly through the Platform by authorised team members. Your company, as Data Controller of this data, is responsible for handling data subject requests relating to information contained in uploaded documents.
You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es.
Security
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption in transit (TLS/HTTPS) and at rest (AES-256 for S3 storage)
- Role-based access control (RBAC) for team members
- Presigned URLs with expiration for document access
- Regular security reviews and monitoring
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the “Last updated” date. We encourage you to review this policy periodically.
Contact Us
For questions about this Privacy Policy or your personal data, contact us at:
NextGenWebs SL
Plz. Gerardo Salvador 1
46988 Paterna, Valencia, Spain
Email: privacy@invoxa.com