Skip to main content
Invoset

Legal

Privacy Policy

This Privacy Policy explains what Invoset collects, why we collect it, how we use it, and the choices you have. We aim for plain language. If anything is unclear, write to us.

Effective
May 7, 2026
Last updated
May 7, 2026

1. Who we are

Invoset is a software service operated by Ravencord Inc. ("we", "us", "our"). When you use invoset.com, our scanner backend, our embeddable widget, or our badge service, this Privacy Policy applies.

For privacy questions, contact privacy@invoset.com.

2. What we collect

We collect three categories of information: account information, scan data, and usage data.

Account information

  • Email address and authentication credentials handled by our identity provider
  • Billing address and payment instrument data, processed by Stripe (we do not store full card numbers)
  • Optional company name, role, and contact preferences

Scan data

  • Domains and URLs you ask us to scan
  • Public HTML, CSS, and accessibility-relevant DOM attributes from those URLs
  • Screenshots of pages where visual analysis is requested
  • WCAG findings and remediation history we generate

Usage data

  • Pages of invoset.com you visit and interactions with our app
  • Browser type, operating system, IP address, and approximate location derived from IP
  • Cookies and similar technologies described in our Cookie Policy

3. How we use information

  • To run scans, generate reports, and deliver the service you signed up for
  • To authenticate you and secure your account
  • To process billing and prevent fraud
  • To improve scanning accuracy, including aggregated analysis of scan patterns
  • To send service notifications, security alerts, and (with consent) product updates
  • To meet legal obligations and respond to lawful requests

4. Legal bases (GDPR)

Where the EU General Data Protection Regulation applies, we rely on the following legal bases:

  • Performance of a contract for delivering the service you purchased
  • Legitimate interests in operating, securing, and improving the service
  • Consent for optional cookies and marketing communications
  • Compliance with legal obligations such as tax and accounting law

5. Sharing

We do not sell personal information. We share data with the following categories of recipients only as needed to operate the service:

  • Cloud infrastructure providers (Vercel, Render, Supabase) under data processing agreements
  • Payment processor (Stripe) for billing
  • Analytics and error monitoring providers configured to minimize personal data
  • Email delivery provider for transactional and authentication messages
  • Professional advisors and authorities when required by law

A current sub-processor list is available on request via privacy@invoset.com.

6. International transfers

Invoset is operated from the European Union with infrastructure in the United States and the European Union. When we transfer personal data internationally, we rely on Standard Contractual Clauses or equivalent transfer mechanisms.

7. Retention

  • Account data: retained for the life of your account plus seven years for tax and audit purposes
  • Scan data and reports: retained for seven years to support evidence-of-effort requests, unless you request earlier deletion
  • Authentication logs: retained for two years
  • Marketing preferences: retained until you opt out

8. Your rights

Depending on your jurisdiction (including the EU/UK GDPR, the California Consumer Privacy Act, the Colorado Privacy Act, and similar US state laws), you may have the right to:

  • Access the personal data we hold about you
  • Request correction or deletion
  • Object to or restrict certain processing
  • Receive a portable copy of your data
  • Withdraw consent at any time, without affecting prior processing
  • Lodge a complaint with your local data protection authority
  • Opt out of the sale or sharing of personal information (we do not sell, but you may still submit a request)

To exercise any of these, write to privacy@invoset.com. We respond within 30 days.

9. Children

Invoset is not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.

10. Security

We use TLS in transit, encryption at rest for sensitive fields, scoped access controls, and continuous monitoring. No service is perfectly secure, but we work to apply current best practice and disclose material incidents promptly.

11. Changes to this policy

When we make material changes, we will update the "Last updated" date and notify active customers by email. Continued use of the service after a change constitutes acceptance of the updated policy.

12. Contact

Ravencord Inc., attention: Privacy.
Email: privacy@invoset.com