Privacy Policy - Facturo

Last updated: January 7, 2026

Effective date: January 7, 2026

1. Information We Collect

1.1 Account Information

• Registration data: Email address and password
• Social authentication: Basic profile information from Google and Apple Sign-In
• Business information: Business name, tax contact information

1.2 Billing Information

• Invoice data: Invoice numbers, dates, product/service descriptions
• Customer information: Names, basic contact information for billing
• Financial details: Amounts, taxes, totals (no credit card data)

1.3 Technical Information

• Device: Device type, operating system
• Usage: Anonymous usage data to improve the service
• Identifiers: Authentication tokens to maintain active sessions

2. How We Use Your Information

2.1 Primary Purposes

• Invoice management: Create, store, and manage your billing documents
• Service operation: Maintain your account and provide access to your data
• Service improvements: Analyze usage patterns to improve the application
• Communication: Send important service notifications

2.2 Legal Basis

We process your information based on:

• Consent: You have given us consent to process your data
• Legitimate interest: To provide and improve our services
• Contractual obligation: To comply with our service agreement

3. Storage and Security

3.1 Service Providers

• Supabase: Primary storage for billing and account data
• Firebase: Push notification service
• Apple/Google: Social authentication services

3.2 Security Measures

• Encryption: All data is transmitted using HTTPS
• Access control: Only you have access to your information
• Authentication: Protection via password and secure social methods
• Backup: Secure backups to protect your data

4. Your Rights (CCPA and U.S. Privacy Laws)

4.1 California Privacy Rights (CCPA)

As a California resident, you have the right to:

• Know: What personal information we collect, how we use it, and who we share it with
• Delete: Request deletion of your personal information
• Opt-out: Sell or not sell your personal information (including sharing with analytics services)
• No discrimination: Not receive different treatment for exercising your rights
• Access: Request a portable copy of your personal information
• Correction: Request correction of inaccurate personal information

4.2 New CCPA 2026 Requirements

According to CCPA updates effective January 2026:

• Cybersecurity audits: We conduct annual security assessments
• Risk assessments: We evaluate privacy impacts of new processes
• Automated decision-making technology: Transparency in algorithms affecting your rights
• Granular opt-out: You can opt-out of sharing specific data

4.3 Data Sales - Full Transparency

Important: We do not sell your personal information. However, we use services that may process data:

• Supabase: Data storage - does not sell information
• Firebase: Notifications - uses anonymous data for delivery
• Analytics: Anonymous data to improve the service

You can request opt-out of any data processing by writing to facturohn@gmail.com

4.4 Exercising Your Rights

To exercise your CCPA rights:

• Email: facturohn@gmail.com
• Response time: 45 days (extendable to 90 if complex)
• Verification: We may request information to verify your identity
• Format: We provide data in readable and portable format

5. Data Retention and Deletion

5.1 Legal and Commercial Retention Periods

• Account data: While your account is active + 12 months after
• Billing data: Minimum 7 years to comply with tax obligations (IRS, FTC)
• Customer information: 7 years (tax and commercial compliance)
• Transaction records: 7 years (IRS and FTC requirements)
• Technical/analytics data: 24 months for analysis and service improvement
• Security logs: 90 days for threat detection

5.2 Legal Basis for Retention

We retain data based on:

• Tax obligations: IRS requires 7 years for audits
• Commercial requirements: Evidence of commercial transactions
• Legal security: Defense against claims and disputes
• Regulatory compliance: FTC and financial regulations

5.3 Deletion Process

When you delete your account, we implement the following process:

• Personally identifiable information: Immediate deletion (48 hours)
• Billing data: Anonymization after 7 years
• Technical data: Anonymization after 24 months
• Backup copies: Deletion in next backup cycle

5.4 Right to Deletion (CCPA)

You can request immediate deletion of:

• Account and profile information
• Contact data
• Preferences and settings
• Usage data (when not legally required)

Exceptions: We cannot delete data required by tax law (invoices, transactions) until the legal retention period expires.

6. International Transfers and Protection Mechanisms

6.1 Storage Locations

Your data may be processed and stored outside your country:

• Supabase: Primary servers in United States and Europe
• Firebase (Google): Google's global infrastructure
• Backup: Security copies in multiple regions

6.2 Transfers from EU/UK

For transfers from European Union and United Kingdom:

• Standard Contractual Clauses: Legal agreements with providers
• Data Privacy Framework: Compliance with EU-U.S. DPF when applicable
• Impact assessments: We evaluate risks of each transfer

6.3 Additional Protection Measures

We implement measures to protect international data:

• End-to-end encryption: Data encrypted in transit and at rest
• Regional access control: Location-restricted access
• Provider audits: We verify partner compliance
• Local compliance: We adapt to country-specific regulations

6.4 Transfer Rights

You have the right to:

• Know where your data is stored
• Request restrictions on international transfers
• Obtain copies of applicable contractual clauses

7. Changes to This Policy

We may update this policy periodically. We will notify you of significant changes:

• By email
• Within the application
• By publishing the new policy at this URL

8. Contact Information

9. Additional Policies

This policy complements our:

• Terms and Conditions
• Cookie Policy
• Developer Guide