This policy applies to users in:
When staff are on shift, the following events are recorded and sent to the business owner's dashboard:
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Providing the app and its features | All app data | Contract performance |
| Cloud sync and backup across devices | Business data, invoices, clients | Contract performance |
| Staff shift tracking and payroll | Staff data, shift records | Legitimate interest / Contract |
| GPS location tracking during shifts | GPS coordinates | Consent (explicit permission required) |
| Push notifications to staff | Device push token | Consent |
| Improving the app and fixing bugs | Anonymised crash data | Legitimate interest |
| Responding to support requests | Contact information | Legitimate interest |
We do not use your data for advertising, we do not sell your data to third parties, and we do not use your data to train AI models.
Your data is stored in two places:
We retain your data for as long as your account is active. If you stop using the app and request deletion, we will delete your cloud data within 30 days. Local device data can be cleared by deleting the app.
| Service | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Supabase | Database and cloud sync | Business data, staff records, shift data | supabase.com/privacy |
| Expo (EAS) | App delivery and push notifications | Device push tokens | expo.dev/privacy |
| RevenueCat | Subscription management | Purchase receipts, anonymous user ID | revenuecat.com/privacy |
| Apple App Store | iOS app distribution and payments | Purchase receipts | apple.com/privacy |
| Google Play | Android app distribution and payments | Purchase receipts | policies.google.com/privacy |
| Google Sign In | Optional account authentication | Name, email address, Google user ID | policies.google.com/privacy |
| Apple Sign In | Optional account authentication | Name, email address (or private relay), Apple user ID | apple.com/privacy |
| Stripe | Web subscription payments | Payment details processed by Stripe — we never store card numbers | stripe.com/privacy |
| OpenStreetMap / Nominatim | Address geocoding for geofence zones | Job site addresses only | osmfoundation.org |
We do not share your data with any other third parties. Your financial data, client details and staff payroll information are never shared with external services.
Location tracking is an optional feature available on the Business plan only. It is used to:
GPS data is stored in our Supabase database and is only visible to the business owner. Location history older than 24 hours is not retained in the live dashboard.
If you are a business owner using Invoice Plus, you are responsible as a data controller for the personal data you collect about your staff through the app. This includes:
You must ensure your staff are informed that their data is being collected and processed through Invoice Plus, in accordance with applicable employment and privacy laws in your country.
If you are a staff member using the worker app, your employer (the business owner) controls your data. Please speak to your employer about how they handle your personal information.
Under the Australian Privacy Act, you have the right to:
We comply with the 13 Australian Privacy Principles (APPs). If you have a privacy complaint, contact us first. Unresolved complaints can be lodged with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
For businesses using the staff management features, we note that the collection and use of employee data must comply with applicable provisions of the Fair Work Act 2009 and relevant state workplace laws.
Under UK GDPR, you have the right to:
Our lawful bases for processing are: contract performance, legitimate interests, and consent (for location tracking and push notifications).
Unresolved complaints can be lodged with the Information Commissioner's Office (ICO) at ico.org.uk.
Under GDPR, you have the same rights as listed for UK users above. As a controller established outside the EU processing EU residents' data, we comply with GDPR requirements including:
International data transfers to Supabase (US-based) are covered by Standard Contractual Clauses. Complaints can be lodged with your national Data Protection Authority (DPA).
For California residents under the California Consumer Privacy Act (CCPA) and CPRA:
We do not sell or share personal information for cross-context behavioural advertising. We do not have actual knowledge that we sell or share personal information of consumers under 16 years of age.
To exercise your rights, contact us at jeffstechservice@gmail.com. We will respond within 45 days.
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and other US states with comprehensive privacy laws have similar rights and may contact us to exercise them.
Under the Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial laws (Alberta PIPA, BC PIPA, Quebec Law 25), you have the right to:
We collect personal information only with your knowledge and consent, and only for purposes a reasonable person would consider appropriate. Unresolved complaints can be lodged with the Office of the Privacy Commissioner of Canada at priv.gc.ca.
Quebec residents: Under Law 25 (Act 64), you have additional rights including data portability and the right to be forgotten. Our délégué à la protection des renseignements personnels (Privacy Officer) can be reached at jeffstechservice@gmail.com.
Under the New Zealand Privacy Act 2020 and its 13 Information Privacy Principles (IPPs), you have the right to:
Mandatory data breach reporting applies — we will notify affected individuals and the Privacy Commissioner of any breach that poses a risk of serious harm. Unresolved complaints can be lodged with the Office of the Privacy Commissioner at privacy.org.nz.
Invoice Plus is a business application intended for adults. We do not knowingly collect personal information from anyone under the age of 16 (or 13 in the United States). If you believe a minor has provided us with personal information, please contact us and we will delete it promptly.
In the event of a data breach that is likely to result in serious harm, we will:
Notification will be provided by email to your registered address and/or via an in-app notification.
To exercise any of your privacy rights (access, correction, deletion, portability, objection), please contact us:
We will respond within:
We may ask you to verify your identity before processing your request.
We offer optional biometric authentication (Face ID, fingerprint) for app access. Biometric data is processed entirely by your device's operating system and is never transmitted to our servers or stored by Invoice Plus.
You may optionally sign in using your Google or Apple account. When you do, we receive your name, email address and a unique identifier from that provider. This information is stored in our Supabase database to link your account across devices. We do not receive your Google or Apple passwords. You can disconnect at any time by contacting us.
The Invoice Plus mobile app does not use cookies. Our website at invoiceplusapp.com does not use tracking cookies or analytics beyond what Netlify provides for hosting purposes. We do not serve advertising on our website or in the app.
We may update this policy from time to time. When we make significant changes, we will notify you through the app and update the "Last Updated" date at the top of this page. Continued use of the app after changes are posted constitutes acceptance of the updated policy.
Jeffrey Lyon
ABN 14 642 051 653
VIC, Australia
jeffstechservice@gmail.com
For privacy-specific inquiries, please include "Privacy Request" in your subject line and your country of residence so we can ensure your rights are addressed under the correct framework.