Privacy Policy

Wander Ventures S.L. ("we", "us", or "our") operates invrt, accessible at getinvrt.com. invrt is an invoice processing service that transforms PDF invoices into SEPA PAIN.001 XML payment files, enabling businesses to streamline their accounts payable workflow.

This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our service. It applies to all users of invrt, including account holders and members of organizations using the platform.

By using invrt, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described here, please do not use our service.

We collect the following categories of data:

We use your data for the following purposes:

• Service delivery: To process your invoices, generate SEPA payment files, manage your account, and provide the core functionality of invrt.
• AI-powered invoice extraction: Invoice content (PDF data and extracted text) is sent to Anthropic's Claude API for automated data extraction. This is essential to the service and enables accurate reading of vendor details, amounts, and payment information from your invoices.
• Improving the service: To understand how invrt is used, identify issues, and improve functionality, reliability, and user experience.
• Communication: To send you service-related notifications, respond to support requests, and inform you of important changes to the service or these policies.
• Legal compliance: To comply with applicable laws and regulations, including tax record-keeping obligations and responses to lawful requests from authorities.

Under GDPR Article 6, we process your personal data based on the following legal grounds:

• Contract performance (Art. 6(1)(b)): Processing your invoices and account data is necessary to provide the invrt service you signed up for.
• Legitimate interest (Art. 6(1)(f)): We have a legitimate interest in improving our service, ensuring security, and preventing fraud. We balance these interests against your rights and freedoms.
• Consent (Art. 6(1)(a)): Where required, we obtain your explicit consent before processing, such as for optional communications. You can withdraw consent at any time.
• Legal obligation (Art. 6(1)(c)): Some processing is necessary to comply with legal obligations, including tax record retention requirements.

We do not sell, rent, or trade your personal data. We share data only with the following sub-processors, which are necessary for the operation of the service:

We may also disclose data if required by law, regulation, or legal process, or to protect the rights, property, or safety of our users or the public.

Your data is primarily stored and processed within the European Union. Our hosting infrastructure is located in the EU, and we prioritize keeping your data within European borders.

However, AI-powered invoice extraction via Anthropic's Claude API may involve the transfer of invoice content to servers outside the EU. These transfers are covered by Anthropic's Standard Contractual Clauses (SCCs) as approved by the European Commission, ensuring an adequate level of data protection in accordance with GDPR requirements.

We continuously evaluate our sub-processors to ensure they maintain appropriate safeguards for international data transfers.

We retain your data for the following periods:

• Account data: Retained while your account is active, plus 30 days after account deletion to allow for recovery and to complete any pending operations.
• Invoice data: Retained under your control. You can delete individual invoices or all invoice data at any time through the application.
• Audit logs: Retained for 7 years in compliance with Dutch tax law (Algemene wet inzake rijksbelastingen) requirements for financial record keeping.
• Backups: Automated backups are retained for a maximum of 30 days, after which they are permanently deleted.

Under the GDPR, you have the following rights regarding your personal data:

• Right of access: You can request a copy of the personal data we hold about you.
• Right to rectification: You can request correction of inaccurate or incomplete personal data.
• Right to erasure: You can request deletion of your personal data, subject to legal retention requirements.
• Right to data portability: You can request your data in a structured, commonly used, and machine-readable format.
• Right to restriction of processing: You can request that we limit the processing of your data in certain circumstances.
• Right to object: You can object to the processing of your data based on legitimate interests.
• Right to withdraw consent: Where processing is based on consent, you can withdraw that consent at any time without affecting the lawfulness of prior processing.
• Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority, such as the Agencia Española de Protección de Datos (AEPD) in Spain or the relevant authority in your country of residence.

To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days of receiving your request.

invrt uses only essential session cookies for authentication purposes. These cookies are strictly necessary for the operation of the service and allow us to maintain your login session securely.

We do not use any third-party tracking cookies. We do not use any analytics cookies. We do not use cookies for advertising or profiling purposes.

Because we only use strictly necessary cookies, no cookie consent banner is required under the ePrivacy Directive.

We implement robust technical and organizational measures to protect your data:

• Encryption at rest: Sensitive data, including invoice content and vendor payment details, is encrypted using AES-256 encryption.
• Encryption in transit: All data transmitted between your browser and our servers is protected using HTTPS (TLS).
• Password hashing: User passwords are hashed using Argon2, the winner of the Password Hashing Competition and the current industry standard for secure password storage.
• CSRF protection: We employ double-submit cookie CSRF protection to prevent cross-site request forgery attacks.
• Role-based access control: Users are assigned roles (owner, admin, member) within their organization, ensuring access is limited to authorized functionality and data.

While no system can guarantee absolute security, we continuously review and improve our security practices to protect your data.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

For material changes that significantly affect your rights or how we process your data, we will notify you via email at the address associated with your account before the changes take effect.

We encourage you to review this page periodically for the latest information on our privacy practices. The "Last updated" date at the top of this policy indicates when it was most recently revised.