Last Updated: 04-29-2026
Effective Date: 04-24-2026
Version: 2026.1
If different from last updated date, the effective date is when the current version of the policy takes effect; if the same, it indicates that the policy is currently in effect as of the last update.
This Privacy Policy describes how 9344-2481 Québec inc. ("InvoiceCast," "we," "us," or "our") collects, uses, stores, and protects your personal information when you use the InvoiceCast platform available at invoicecast.ca and invoicecast.com (the "Service"), including our Free Tools.
InvoiceCast is headquartered in Longueuil, Quebec, Canada. We primarily store customer data in the United States, in data centers located in the state of New Jersey. Certain limited data (for example, network telemetry or payment-related information) may be processed outside the US by our service providers, as described in the "Sub-processors and international transfers" section below.
This Privacy Policy applies to all users of the Service regardless of which domain you access it from. Sections 12 through 15 contain provisions specific to your country or region of residence.
We are committed to protecting your privacy in compliance with the laws that apply to us, including Quebec's Act respecting the protection of personal information in the private sector (Law 25), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and the European Union's General Data Protection Regulation (GDPR).
In accordance with Quebec privacy law, InvoiceCast has designated a person responsible for the protection of personal information and for overseeing our compliance with applicable privacy legislation.
You may contact our Privacy Officer with any questions, concerns, complaints, or requests related to your personal information:
Email: [email protected]
We may request additional information to verify your identity before responding to certain privacy-related requests.
Account Information. When you create an account, we may collect your full name, email address, password, phone number (optional), country and state (province, region) of residence, and account type (individual or business).
Business Information. If you use the Service for business invoicing, you may provide your business name, business address, tax identification numbers (GST, QST, HST, EIN, VAT, or equivalent), and a business logo.
Client Information. When you add clients to your account, you provide their name, email address, mailing address, phone number, and tax identification number. You are the data controller for this information; InvoiceCast processes it on your behalf.
Contractor Information. Business tier users may add contractors with their name, email address, phone number, mailing address, hourly rate, and tax identification number. You are the data controller for this information.
Invoice and Timesheet Data. The Service stores invoices you create (including line items, amounts, tax breakdowns, and sender/recipient details) and, for Business tier users, timesheets submitted by contractors (including dates, hours, descriptions, and rates).
Payment Information. If you subscribe to a paid plan, payment is processed by Stripe. InvoiceCast does not collect or store your credit card number, bank account details, or other payment instrument data. We store only a Stripe customer identifier to manage your subscription.
Communications. If you contact us for support, we retain the content of your communications.
Log Data. When you access the Service, our servers automatically record your IP address, browser type and version, operating system, referring URL, pages visited, and the date and time of your visit.
Session Data. We use session cookies and tokens to maintain your authenticated state. Session data is stored server-side with time-based expiration. Depending on configuration, this may use technologies such as a database or an in-memory store.
Device Information. We collect basic device information to support security features such as detecting new devices and anomalous login patterns.
Free Invoice Generator. When you use the Free Invoice Generator, we process the invoice data you enter (sender info, recipient info, line items) solely to generate the PDF. This data is not stored. It is discarded immediately after the PDF is generated and delivered to your browser. We log your IP address for rate-limiting purposes; rate-limiter data is retained for up to 24 hours. Separate server access logs that may include your IP address are retained for up to 90 days.
Sales Tax Calculator. The calculator operates client-side. No personal data is collected or transmitted to our servers.
We use the following categories of cookies:
Strictly Necessary Cookies. Session cookies, CSRF protection tokens, authentication tokens, and locale preference cookies. These are required for the Service to function and do not require your consent.
Analytics Cookies (Google Analytics 4). We use Google Analytics 4, provided by Google LLC, to understand how visitors use our website. Google Analytics is implemented using Google's Consent Mode v2:
_ga, _ga_*) to distinguish visitors and collect aggregate usage statistics such as page views, session duration, and feature adoption rates. Your IP address is anonymized before being processed by Google.Google Analytics data is processed by Google LLC, which may transfer data to the United States. Google acts as a data processor under our instructions. See Google's Privacy Policy and Google Analytics Terms of Service for details.
We do not use advertising cookies, tracking pixels, or social media widgets. If we introduce them in the future, we will update this policy and obtain your explicit consent.
You can change your cookie preferences at any time using the Cookie Preferences link in the footer of our website, or by adjusting your browser settings.
We use your personal information for the following purposes:
| Purpose | Legal Basis | Data Used |
|---|---|---|
| Providing the Service (account management, invoice creation, delivery, storage) | Performance of contract | Account info, business info, client/contractor info, invoices, timesheets |
| Processing payments and managing subscriptions | Performance of contract | Stripe customer ID, email, subscription details |
| Sending transactional emails (invoice delivery, password resets, account notifications) | Performance of contract | Email address, name |
| Security and fraud prevention (login monitoring, rate limiting, anomaly detection) | Legitimate interest | IP address, session data, device info, login timestamps |
| Audit logging for compliance | Legal obligation (Law 25, GDPR) | User actions, timestamps, IP addresses |
| InvoiceCast's own billing and tax records (subscription invoices, payment records) | Legal obligation (tax, accounting law) | InvoiceCast subscription billing data, Stripe customer ID |
| Responding to support requests | Legitimate interest / Performance of contract | Communications content, account info |
| Sending marketing communications | Consent (opt-in only) | Email address, name |
| Improving the Service | Legitimate interest | Aggregated, anonymized usage data |
We do not use your personal information for automated decision-making or profiling that produces legal or similarly significant effects. If we introduce such features in the future, we will update this policy and provide you with the right to opt out and request human review.
InvoiceCast does not use your personal information, Content, or any data derived from your use of the Service to train, develop, improve, or fine-tune any artificial intelligence model, machine learning algorithm, large language model, or similar technology — whether operated by InvoiceCast or by any third party.
If InvoiceCast introduces AI-powered features in the future (such as an AI support assistant), any use of your data in connection with such features will be disclosed in this Privacy Policy, subject to a separate and clearly identified legal basis, and will require your explicit opt-in consent where consent is the applicable basis. You will have the ability to opt out at any time.
This restriction does not prevent InvoiceCast from using aggregated, non-personal usage statistics (such as total invoice volume or feature adoption rates) to improve the Service, provided such data cannot identify or reconstruct any individual's personal information or Content.
InvoiceCast may use third-party artificial intelligence tools in its internal operations, such as certain automations and customer support. From a privacy perspective, here is how this affects your data:
Internal operations. AI tools used for internal processes do not have access to your personal information or Content. These tools operate on InvoiceCast's own codebase and internal materials.
Customer support. InvoiceCast may use an AI-powered support system trained on InvoiceCast's own help documentation and product guides — not on your data. This system may automatically respond to support requests, including emails sent to [email protected]. When a response is AI-generated, it will be clearly identified as such in the reply. Your support request, including its content and any account context needed to answer it, is processed by the AI system to generate a response. These interactions are treated as support communications and handled in accordance with this Privacy Policy (see "Communications" under Section 3.1). Your support conversations are not used to train, improve, or fine-tune the AI system or any other AI model. You may request escalation to a human support agent at any time by replying to any AI-generated response.
Transparency. You will always be informed when a response was generated by an AI-powered system rather than written by a human. For email support, this disclosure will appear in the email itself.
InvoiceCast does not sell, rent, trade, or otherwise share your personal information with third parties for their own marketing or commercial purposes. This applies to all users in all jurisdictions.
We share personal information with the following categories of service providers who process data on our behalf and under our instructions:
| Provider | Purpose | Data processed | Location |
|---|---|---|---|
| Amazon Web Services | Cloud infrastructure, storage, hosting, transactional emails | Application data, backups, logs, recipient emails, email content | Multiple global regions |
| Vultr | Cloud infrastructure, storage, hosting | Application data, backups, logs, recipient emails | New Jersey, USA |
| Google Cloud | Storage | File storage, backups | Canada/U.S./selected regions |
| Google Analytics | Website analytics (with consent) | Anonymized IP, page views, session data (only when analytics consent is granted) | United States |
| Brevo | Transactional email delivery | Recipient emails, sender details, email content, invoice attachments where applicable | EU/global |
| Cloudflare | CDN, DDoS protection, DNS | IP addresses, request metadata | Global edge network (origin in Canada) |
| Stripe | Subscription billing | Customer email and name, Stripe customer ID, payment events | United States |
| AI service provider (when AI support is active) | AI-powered support response generation | Support request content (message text; no invoice data, PII beyond what you include in the support message, or Content) | United States |
Each service provider is bound by a Data Processing Agreement that limits their use of your data to the services they provide to us.
The above list includes our primary service providers as of the last update. When the AI-powered support feature is activated, we will identify the specific AI service provider in this table. We may engage additional service providers in the future, and we will update this policy accordingly.
We may disclose your personal information if required to do so by law, regulation, legal process, or enforceable governmental request. We will notify you of such disclosure unless prohibited by law or authorities.
In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you via email before your information becomes subject to a different privacy policy. The acquiring entity will be bound by the terms of this Privacy Policy with respect to data collected prior to the transfer.
In the event of insolvency, bankruptcy, or receivership, the handling of your personal information will be subject to applicable insolvency laws and the decisions of the court-appointed trustee or receiver. It is InvoiceCast's stated intent that your Content and personal data should not be treated as a sellable asset of the estate, and that users should be given reasonable opportunity to export their data. However, InvoiceCast cannot guarantee the performance of its obligations during insolvency proceedings. For further detail, see Section 14.2 of our Terms of Service.
We may share your information with third parties when you have given us explicit consent to do so.
At different levels we implement the following technical and organizational measures to protect your personal information:
Encryption at Rest. Database encryption at the disk level. Additionally, most personal information fields are encrypted at the application level; certain identifiers required for authentication (such as account email) are stored unencrypted but protected by access controls.
Encryption in Transit. All connections to and from the Service use TLS 1.2 or higher. This includes user-to-server connections, inter-service communications, and connections to third-party providers.
Access Controls. Access to personal data within the application is controlled by account-scoped authorization policies. Users can only access data belonging to their own account. Role-based permissions further restrict sensitive operations within an account.
Audit Logging. Access to and modification of personal information is logged for compliance and breach investigation purposes.
Backup Security. Database backups are encrypted before transfer and stored in encrypted form.
Infrastructure Security. The Service runs in a secure environment with network isolation between components. We regularly apply security patches and updates to all software components.
We retain personal information only for as long as necessary to provide the Service, comply with legal obligations, maintain security, resolve disputes, and protect our legal rights.
| Data | Retention Period | Basis |
|---|---|---|
| Account profile, clients, contractors, invoices/quotes, expenses, timesheets, and other user-created content | Account lifetime + up to 30 days after account deletion, then permanently deleted | Providing the Service; account recovery window |
| Transactional email logs (invoice delivery, password resets, notifications) | Rolling up to 90 days | Service operation, troubleshooting, and compliance |
| Export files | 24 hours after generation | Temporary download availability |
| Session data | Session lifetime | Technical operation of the Service |
| Server access logs, IP addresses, and user agents | Up to 90 days | Security, abuse prevention, and troubleshooting |
| Audit logs and security logs | Up to 3 years, unless needed longer for investigation, fraud prevention, legal claims, or security purposes | Security, compliance, and abuse prevention |
| Terms, Privacy Policy, consent, and legal notice records | As long as reasonably necessary for legal, compliance, and dispute-resolution purposes | Proof of agreement, consent, notice, and account actions |
| Account deletion records | As long as reasonably necessary for legal, compliance, and dispute-resolution purposes | Evidence of deletion request and fulfilment |
| InvoiceCast billing records, subscription history, receipts, tax records, and payment processor references | As required by applicable tax, accounting, chargeback, fraud-prevention, and legal obligations | InvoiceCast legal and financial obligations |
| Database backups | Rolling up to 14 days | Operational recovery |
| Payment card and payment instrument data | Not stored by InvoiceCast | Processed by our payment processor |
When your account is deleted, access to the Service ends immediately. For up to 30 days, we may retain your account data internally in a recoverable state to allow account restoration on request. After that recovery period expires, we permanently delete all user-created content, including invoices, quotes, expenses, client records, contractor records, timesheets, and custom tax formulas.
InvoiceCast is not your tax, accounting, or legal record-keeping system. You are responsible for exporting and retaining copies of invoices, timesheets, receipts, reports, and other records required for your own tax, accounting, legal, or regulatory obligations. Tax record-retention obligations (such as those under the Canadian Income Tax Act, s. 230) bind the taxpayer, not InvoiceCast.
We may retain limited legal, billing, security, consent, transactional email, and compliance records after account deletion where reasonably necessary to comply with law, prevent fraud, troubleshoot delivery issues, resolve disputes, enforce our Terms, or demonstrate compliance. These retained records are not used to continue providing the Service or for marketing purposes.
Regardless of where you reside, InvoiceCast provides the following rights to all users. Additional rights specific to your jurisdiction are described in Sections 12–15.
You can view all personal data we hold about you from your Account settings at any time. You may also request a full machine-readable export of your data (see Section 8.4).
You can edit your profile information, client data, and contractor data at any time through the Service. All changes are recorded in our audit log.
You can delete your Account at any time from your Account settings. Section 7 explains what data may be retained, why, and for how long.
You can export all of your exportable data at any time through the self-service export tools in your Account settings. Exports are provided in structured, machine-readable formats including JSON and/or CSV (depending on data type and technical feasibility). The export includes your profile information, client records, contractor records, invoices, timesheets, and custom tax formulas. There is no additional fee for data export.
Exports are generated as a downloadable file available for 24 hours, after which the file is automatically deleted from our servers.
Upon account deletion, access to the Service ends immediately. InvoiceCast prompts you to export your data before confirming deletion. For 30 days following deletion, your data is retained internally in a recoverable state, and you may contact [email protected] to request account restoration on a best-effort basis. After 30 days, all your personal data is permanently purged.
Where we process your data based on consent (e.g., marketing emails, analytics cookies), you may withdraw that consent at any time through your Account settings or cookie preferences. Withdrawing consent does not affect the lawfulness of processing performed before withdrawal.
You can exercise most of these rights directly through the self-service tools in your Account settings. For any request that cannot be handled through the self-service interface, or if you do not have an account, contact our Privacy Officer at [email protected]. We will respond to your request within 30 days.
The Service is not intended for anyone under the age of 18 (or the age of majority in their jurisdiction, whichever is greater). We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at [email protected].
In the event of a discovered and confirmed security breach involving your personal information that presents a risk of serious harm, we will:
The Service is not designed, intended, or authorized for use by or on behalf of any government, governmental agency, or public-sector entity in any country. InvoiceCast makes no representations or warranties regarding compliance with government procurement requirements, security certifications (such as FedRAMP, StateRAMP, or equivalent), or public-sector data handling standards. If you are a government entity or acting on behalf of one, do not use the Service without our prior written consent, and be aware that our data handling practices may not meet your regulatory requirements.
If you are a resident of Canada, your personal information is protected under PIPEDA and, for Quebec residents, under Quebec's Law 25.
Privacy Regulator. You have the right to file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at www.priv.gc.ca. Quebec residents may also file a complaint with the Commission d'accès à l'information du Québec (CAI) at www.cai.gouv.qc.ca.
Consent. We obtain your consent for the collection, use, and disclosure of your personal information as required under PIPEDA and Law 25. Your consent is obtained at the time of collection through clear and prominent notices, and you may withdraw consent at any time as described in Section 8.5.
Transparency. In accordance with Law 25, we publish the title and contact information of our Privacy Officer (Section 2) and maintain this Privacy Policy in accessible, plain language.
Data Residency. Customer data is stored at rest in the United States. Limited transit and ancillary processing may occur outside the United States through our Sub-processors as described in Section 5.2 and our Data Processing Agreement.
Language. This Privacy Policy is available in both English and French. Both versions are equally authoritative. If there is any discrepancy between the two versions, we will work in good faith to resolve it in a manner consistent with the intent of this policy and applicable law.
If you are a resident of the European Economic Area, the United Kingdom, or Switzerland, the following additional provisions apply under the GDPR (and UK GDPR where applicable).
We process your personal data on the following legal bases:
Your personal data is transferred to and stored in the United States, where InvoiceCast's primary data infrastructure is located.
The United States is not the subject of a general adequacy decision from the European Commission, and InvoiceCast is not currently self-certified under the EU-US Data Privacy Framework, the UK Extension to the Data Privacy Framework, or the Swiss-US Data Privacy Framework.
To provide a lawful basis for transfers of personal data from the European Economic Area, the United Kingdom, and Switzerland to the United States, InvoiceCast relies on the Standard Contractual Clauses adopted by the European Commission (Commission Implementing Decision (EU) 2021/914 of 4 June 2021) and, where applicable, the UK International Data Transfer Addendum issued by the UK Information Commissioner's Office. Equivalent safeguards apply to transfers originating in Switzerland under the Swiss Federal Act on Data Protection.
InvoiceCast has carried out a transfer impact assessment of the relevant United States laws and practices and implements supplementary technical and organizational measures intended to ensure a level of protection essentially equivalent to that required under EU law.
These measures include:
For sub-processors located in the United States or other third countries (including Stripe and our cloud infrastructure providers), InvoiceCast requires equivalent transfer safeguards to be in place before any transfer occurs. These safeguards typically take the form of the Standard Contractual Clauses, the UK Addendum, the sub-processor's self-certification under the EU-US Data Privacy Framework, or another lawful transfer mechanism recognized under Applicable Data Protection Laws.
You have the right to request a copy of the safeguards relied on for a specific transfer by contacting our Privacy Officer at [email protected]. Commercially confidential information may be redacted.
In addition to the rights described in Section 8, you have the right to:
In accordance with Regulation (EU) 2023/2854 (the EU Data Act), you have the right to switch to an alternative service provider or port your data to your own systems. InvoiceCast supports this right through the self-service data export tools described in Section 8.4. Exports are provided in standard, machine-readable formats (JSON and/or CSV) at no additional charge. InvoiceCast will not impose technical, contractual, or commercial barriers to switching. Upon termination, you have full data export access during the 30-day post-deletion period. InvoiceCast will cooperate in good faith with any transition to an alternative provider.
For GDPR-related inquiries, contact our Privacy Officer at [email protected].
If you are a resident of the United States, the following additional provisions may apply depending on your state of residence.
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
Categories of Personal Information Collected (CCPA Categories):
| CCPA Category | Examples from InvoiceCast | Sold? | Shared for Advertising? |
|---|---|---|---|
| Identifiers | Name, email, phone, IP address | No | No |
| Commercial information | Invoices, subscription history | No | No |
| Internet activity | Log data, pages visited | No | No |
| Professional information | Business name, tax IDs | No | No |
| Geolocation | IP-derived approximate location | No | No |
InvoiceCast is committed to complying with applicable privacy laws in all states. In case this Policy does not explicitly address a specific right provided by your state's legislation, we will still honor that right to the extent possible.
If you reside in a country not specifically addressed in Sections 12–14, we still respect your fundamental privacy rights. We process your data in accordance with the principles described in this policy and comply with the data protection laws of your country to the extent they are applicable to our operations.
If your country's laws provide you with rights not described in Section 8, please contact our Privacy Officer and we will work with you to address your request.
When you store personal information about your clients or contractors in the Service, you act as the data controller and InvoiceCast acts as the data processor. A Data Processing Agreement (DPA) is incorporated into our Terms of Service and governs our processing of such data on your behalf.
The DPA covers:
A copy of the DPA is available at invoicecast.com/data-processing-agreement. If you require a signed copy, contact us at [email protected].
We may update this Privacy Policy from time to time. We will notify you of material changes by email and/or a prominent notice within the Service at least 30 days before the changes take effect. The "Last Updated" date at the top of this policy indicates when it was most recently revised.
We encourage you to review this policy periodically. Your continued use of the Service after the effective date of a revised policy constitutes acceptance of the changes. If you do not agree, you may delete your Account before the changes take effect.
Previous versions of this Privacy Policy are available upon request.
If you have questions about this Privacy Policy or wish to exercise any of your rights, you can reach us at:
General inquiries: [email protected] Privacy Officer: [email protected]
Legal notices may be sent to the mailing address provided in our Enterprise Register filing.
For Canadian residents: Office of the Privacy Commissioner of Canada: www.priv.gc.ca Commission d'accès à l'information du Québec (Quebec residents): www.cai.gouv.qc.ca
For EEA/UK residents: European Data Protection Board: https://edpb.europa.eu/about-edpb/about-edpb/members_en UK Information Commissioner's Office: https://ico.org.uk