Privacy Policy

This Privacy Policy explains how Invoice DIY (“we”, “us”, “our”) collects, uses, discloses, and safeguards personal information when you use our service. We are committed to compliance with the Personal Data Protection Act 2010 of Malaysia (PDPA) and, where applicable, the EU General Data Protection Regulation (GDPR) and other equivalent frameworks.

Last updated: 21 May 2026
Effective immediately
Governed by the laws of Malaysia

Table of contents
  1. Introduction
  2. Who we are
  3. Information we collect
  4. How we use your information
  5. Legal basis for processing
  6. Sharing & sub-processors
  7. International data transfers
  8. Data retention
  9. Your rights
  10. Cookies & tracking
  11. Security
  12. Children's privacy
  13. Changes to this policy
  14. Contact us
01 Introduction

Invoice DIY is a web-based service that lets businesses generate, save, and send invoices, quotations, and receipts. We take privacy seriously — both yours and that of the customers you invoice through our service. This Policy describes what we collect, why, who we share it with, how long we keep it, and the rights you have.

By creating an account or otherwise using the Service, you acknowledge that you have read and understood this Policy. If you do not agree, please do not use the Service.

02 Who we are

The Service at invoice-diy.com is operated by Invoice DIY, based in Malaysia. For all privacy enquiries:

Under PDPA terminology, we act as the data user (controller) in respect of personal data you provide about yourself, and as a data processor in respect of personal data you upload about your own customers.

03 Information we collect

We collect only the information necessary to run the Service and comply with our legal obligations.

3.1 Information you provide directly

  • Account credentials — email address and password (passwords are hashed using bcrypt; we never see or store them in plain text).
  • Profile and business details — company name, business address, phone number, tax identification number, registration number, default footer notes, logo, and signature.
  • Document content — invoice numbers, line items, descriptions, prices, currencies, taxes, dates, status, payment records, and any free-form notes you add.
  • Customer records — the names, addresses, phone numbers, email addresses, and tax IDs of the customers you save for repeat invoicing.
  • Support correspondence — emails and messages you send us about the Service.

3.2 Information collected automatically

  • Device and technical data — IP address, browser type and version, operating system, time zone, and device identifiers.
  • Usage data — pages viewed, features used, session duration, request timestamps, and referring URLs.
  • Diagnostic data — error logs and crash reports generated when something goes wrong.

3.3 Payment information

Subscription payments are processed by Stripe, Inc. We never receive or store your full card number. Stripe provides us with a payment token, the last four digits, card brand, expiry month/year, and billing country — which we use solely for invoice generation, tax compliance, and dispute resolution.

3.4 Information about your customers

When you save customer records or generate invoices, you provide us with personal information about third parties. By doing so, you confirm that you have the legal right to share that information and that you have notified those individuals in accordance with PDPA section 7 (Notice and Choice Principle) and any equivalent law that applies to them.

04 How we use your information

We use the personal data described above for these purposes:

  • To provide the Service — authenticate your account, generate and store documents, sync data across your devices.
  • To process payments — bill your subscription, prevent fraud, comply with tax obligations.
  • To communicate — send transactional emails (signup verification, password reset, payment receipts), reply to your support requests, and notify you of material service changes.
  • To improve the Service — analyse aggregated usage to fix bugs, prioritise features, and improve performance. Where feasible we work with anonymised or pseudonymised data.
  • To comply with law — retain records for tax purposes, respond to lawful requests from authorities, enforce our Terms, and protect against abuse.
  • For marketing (only with consent) — if you opt in, we may send product updates and tips. You can opt out at any time via the unsubscribe link.

06 Sharing & sub-processors

We do not sell your personal data. We share it only with the categories of recipients listed below, and only as necessary to operate the Service.

Sub-processor   | Purpose                                        | Region
Supabase Inc.   | Database, authentication, file storage         | United States / Singapore
Vercel Inc.     | Web hosting and edge content delivery          | Global edge
Stripe Inc.     | Payment processing (paid plans)                | United States / Singapore
Resend Inc.     | Transactional email delivery                   | United States
Google LLC      | OAuth sign-in (only if you choose to use it)   | Global
Cloudflare Inc. | DNS, network protection                        | Global edge

Each sub-processor is bound by a data processing agreement and appropriate confidentiality and security obligations.

6.1 Legal disclosures

We may disclose personal data to comply with court orders, subpoenas, or legal process; to enforce our Terms; to protect the safety of our users or the public; or in connection with a corporate transaction (merger, acquisition, asset sale) where the successor entity is bound by terms no less protective than this Policy.

6.2 Public assets bucket

Logos and signatures you upload to your profile are stored in a public storage bucket so that they can be embedded in PDFs you deliver to your customers. File paths use random identifiers and are not enumerable; nonetheless, treat any image you upload as publicly retrievable by anyone who has the direct URL.

07 International data transfers

Our sub-processors may store or process data outside Malaysia (notably in the United States, the European Union, and Singapore). When transferring data internationally we ensure adequate protection by:

  • engaging only sub-processors with recognised compliance certifications such as SOC 2 Type II or ISO 27001;
  • relying on Standard Contractual Clauses or equivalent transfer mechanisms where applicable;
  • limiting transfers to entities operating under data protection regimes comparable to PDPA.

You consent to such transfers when you use the Service. If you require additional information on transfer safeguards, contact us at the address in Section 14.

08 Data retention

We keep personal data only for as long as is necessary for the purposes described in this Policy, and in accordance with our legal obligations. Specific retention periods are:

  • Account information — until you delete your account, plus up to 30 days in encrypted backups.
  • Invoices, quotations, receipts, payment records — seven (7) years from the date of issue, in accordance with the Income Tax Act 1967 and LHDN record-keeping requirements.
  • Customer records — until you delete them or close your account.
  • Server and security logs — 30 days.
  • Analytics data — 26 months; pseudonymised after 12 months.
  • Marketing preferences — until you unsubscribe, plus a suppression record indefinitely so we honour your opt-out.
  • Payment records held by Stripe — governed by Stripe's own retention policy, typically seven (7) years.

After the applicable period, data is securely deleted, anonymised, or aggregated such that it can no longer be linked to you.

09 Your rights

Under PDPA, GDPR, and other applicable laws, you have the following rights regarding your personal data:

  • Right of access — request a copy of the personal data we hold about you.
  • Right of correction — request that we correct inaccurate or incomplete data.
  • Right to withdraw consent — where processing relies on consent, you may withdraw it at any time. This does not affect the lawfulness of processing carried out before withdrawal.
  • Right to restrict processing — request that we limit certain processing in defined circumstances.
  • Right to object — to processing based on legitimate interest, including profiling.
  • Right to data portability — receive your data in a structured, machine-readable format (we provide JSON and CSV export).
  • Right to erasure — request deletion of your account and personal data, subject to retention obligations described in Section 8.
  • Right to lodge a complaint — with the Personal Data Protection Commissioner of Malaysia or your local data protection authority.

To exercise any of these rights, contact us at hello@invoice-diy.com. We will respond within twenty-one (21) days, as required by PDPA section 30. If we are unable to comply with a request (for example because we are required to retain the data by law), we will explain why.

10 Cookies & tracking

We use only the cookies and similar technologies that are strictly necessary to operate the Service:

  • Session cookie — keeps you signed in. Expires when you sign out or after a defined period of inactivity.
  • Preference cookies — remember UI choices such as currency format and sidebar collapsed state. These are stored on your device, not transmitted to our servers.

We do not use advertising cookies, cross-site tracking pixels, or third-party trackers that build behavioural profiles. We do not sell or share personal information with advertisers.

11 Security

We apply industry-standard administrative, technical, and physical safeguards to protect personal data, including:

  • encryption in transit (TLS 1.2 or higher) for all requests;
  • encryption at rest for database storage and file uploads;
  • row-level security policies in the database restricting access so that one user cannot see another user's data;
  • passwords hashed with bcrypt — they are never visible to us;
  • regular dependency scanning and security patching;
  • access controls and audit logs for administrative operations.

No system is completely secure. In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify the relevant supervisory authority and affected individuals without undue delay (and where feasible, within 72 hours of becoming aware), as required by applicable law.

12 Children's privacy

The Service is intended for users aged 18 or older. We do not knowingly collect personal data from children. If we learn that we have inadvertently collected personal data from a child, we will delete it promptly. If you believe a child has provided us with personal data, please contact us.

13 Changes to this policy

We may update this Policy from time to time as our service evolves or as required by law. The "Last updated" date at the top of this page indicates the most recent revision. Material changes will be communicated by email and/or a prominent in-product notice at least thirty (30) days before they take effect. We encourage you to review this page periodically.

14 Contact us

For questions, complaints, or to exercise any of your rights:

If you are unable to resolve your concern with us directly, you may lodge a complaint with:

  • Personal Data Protection Department (JPDP), Malaysia — www.pdp.gov.my
  • Your local data protection authority if you reside in the EU, United Kingdom, or another jurisdiction with a regulator.