Privacy Policy

1. Introduction

Welcome to InvoiceDove's Privacy Policy. Programmers' Court LTD ("we", "us", "our") operates the InvoiceDove mobile application and associated backend services at invoicedove.programmerscourt.com (collectively, the "Service"). This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our Service.

We are committed to protecting your privacy and complying with the Nigeria Data Protection Regulation (NDPR) 2019 and other applicable data protection laws. By using InvoiceDove, you consent to the practices described in this policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.

2. Information We Collect

a) Account Information

When you create an InvoiceDove account, we collect the following personal information:

• Email address, first name, and last name (provided during registration)
• Password (stored as a bcrypt hash — we never store or have access to your plain text password)
• Google account information if you choose to use Google Sign-In, including your name, email address, and profile picture URL as provided by Google's authentication service

b) Business Information

To enable you to create professional invoices and manage your business operations, we collect:

• Business name, address, phone number, email address, and website
• Tax identification numbers and business registration numbers
• Bank account details, including account name, account number, routing number, SWIFT/BIC code, and IBAN — these are encrypted at rest using AES-256-GCM encryption
• Business logo and signature images that you upload for use on your documents
• Currency preferences and branding customizations

c) Invoice and Financial Data

In the course of using the Service, you will create and store financial documents. The data associated with these documents includes:

• Invoice details such as line items, amounts, dates, due dates, notes, and payment terms
• Client contact information including name, email address, phone number, postal address, and company name
• Payment records and payment status tracking for each document
• Quotes, receipts, proforma invoices, credit notes, and recurring billing schedules

d) Device Information

We collect limited device information to ensure compatibility and deliver a reliable experience:

• Device type and operating system version (used solely for compatibility and troubleshooting purposes)
• Biometric authentication status (enabled or disabled) — we never store or access your actual biometric data; biometric authentication is handled entirely by your device's secure hardware enclave and operating system
• Push notification tokens (used exclusively for delivering notifications you have opted into)

e) Usage Data

We collect anonymized usage data to help us improve the Service:

• App usage patterns (anonymized and aggregated, not linked to individual accounts)
• Feature interaction data to understand which features are most valuable to our users
• Error reports and crash logs (used solely for service improvement and bug resolution)

f) Google Drive Data (if connected)

If you choose to connect your Google Drive account for cloud backup functionality:

• We store OAuth access and refresh tokens, which are encrypted at rest on our servers
• We only access the specific Google Drive folder we create for your InvoiceDove documents
• We do not read, modify, or access any other files in your Google Drive account

3. How We Use Your Information

We use the information we collect for the following purposes:

• Provide and maintain the Service — creating invoices, managing clients, generating PDF documents, and enabling all core app functionality
• Process subscription payments through our payment processor, Paystack, to manage your subscription tier and billing
• Send transactional emails — including welcome emails upon registration, password reset confirmations, payment receipts, subscription notifications, and invoice delivery to your clients on your behalf
• Send service notifications — such as overdue invoice alerts, subscription expiry reminders, and important account-related updates
• Provide analytics and business insights within the app, including revenue summaries, payment tracking, and financial reporting based on your own data
• Improve the Service — fix bugs, analyze usage trends, develop new features, and optimize performance based on aggregated, anonymized usage data
• Ensure security and prevent fraud — monitor for unauthorized access, detect anomalies, and protect the integrity of user accounts and data
• Comply with legal obligations — respond to lawful requests from regulatory authorities or courts of competent jurisdiction

We want to be clear about what we do not do with your data:

• We do NOT sell your personal information to third parties, under any circumstances
• We do NOT use your data for advertising purposes or share it with advertising networks
• We do NOT share your invoice data, financial records, or client information with other InvoiceDove users or any unrelated third parties

4. Data Storage and Security

We take the security of your personal and financial data seriously. We employ multiple layers of technical and organizational measures to protect your information:

• Data is stored on secure servers with industry-standard physical and logical protections, including firewalls, intrusion detection, and access controls
• All data transmitted between your device and our servers is encrypted using TLS/SSL (HTTPS), ensuring that your information cannot be intercepted in transit
• Sensitive financial data — including bank account numbers, SWIFT codes, and IBAN — is encrypted at rest using AES-256-GCM encryption, a symmetric encryption standard recognized for its strength and performance
• Passwords are hashed using bcrypt with salt rounds, making them computationally infeasible to reverse even in the event of a data breach
• Authentication uses JSON Web Tokens (JWT) with secure token rotation to minimize the risk of session hijacking
• Google Drive OAuth tokens are encrypted at rest and stored separately from other user data
• We implement rate limiting on authentication endpoints to prevent brute-force attacks and credential stuffing
• Security headers including HTTP Strict Transport Security (HSTS), X-Content-Type-Options, and X-Frame-Options are enforced on all server responses to protect against common web vulnerabilities
• The mobile app supports biometric lock (fingerprint and face recognition) — your biometric data never leaves your device and is never transmitted to our servers
• We regularly review and update our security practices to address emerging threats and vulnerabilities

While we strive to protect your personal information, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee absolute security, but we are committed to implementing and maintaining commercially reasonable safeguards.

5. Data Retention

We retain your data for different periods depending on your subscription tier and the type of data:

• Free and Pay Per Document tiers: Invoice data and generated documents are stored for 14 days from the date of creation. After this period, documents are automatically removed from our servers.
• Startup and Pro tiers: Invoice data and generated documents are stored for 3 months from the date of creation.
• Ultimate tier: Permanent cloud storage is provided for the duration of your active subscription. Your documents remain accessible as long as your subscription is active and in good standing.

Regardless of your subscription tier, the following retention policies apply:

• Upon account deletion, all your personal data, business information, invoices, client records, and generated documents are permanently removed from our active servers within 30 days
• Backup copies may persist in encrypted, access-restricted backups for up to 90 days after deletion, after which they are permanently purged
• We retain anonymized, aggregated usage statistics that cannot be linked back to individual users. These statistics are used for service improvement and do not constitute personal data

6. Google Drive Integration

InvoiceDove offers optional Google Drive integration for cloud backup of your generated documents. This feature is available to Ultimate tier subscribers. Here is how it works and what you should know:

• Google Drive integration requires your explicit authorization via the OAuth consent flow — you must actively grant InvoiceDove permission to access your Google Drive
• Upon connection, we create a dedicated folder called "InvoiceDove-Documents" in your Google Drive account. All document backups are stored exclusively within this folder
• We only upload PDF documents that you generate within InvoiceDove and choose to back up. We do not upload any other data to your Google Drive
• We do not read, modify, delete, or access any other files, folders, or data in your Google Drive account — our access is strictly limited to the InvoiceDove-Documents folder
• You can disconnect your Google Drive at any time from Settings, then Connected Accounts within the InvoiceDove app
• Upon disconnection, we immediately revoke our OAuth access tokens and permanently delete any stored Google credentials from our servers
• Our use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements. We only use Google user data to provide and improve the Google Drive backup feature within InvoiceDove

7. Third-Party Services

We rely on a limited number of trusted third-party services to operate InvoiceDove. Each of these services receives only the minimum data necessary to perform its function:

a) Paystack

Paystack processes all subscription payments for InvoiceDove. When you subscribe to a paid tier, Paystack receives your payment information (such as card details or bank account information) to process the transaction. We do not store your full card details on our servers — all payment processing and card data storage is handled securely by Paystack in compliance with PCI DSS standards. For more information, please review Paystack's Privacy Policy.

b) Google (Sign-In and Drive)

Google provides two optional services within InvoiceDove: authentication via Google Sign-In and cloud storage via the Google Drive API. When you use Google Sign-In, Google shares your basic profile information (name, email, profile picture) with us. When you connect Google Drive, we access only the InvoiceDove-Documents folder as described in Section 6. Both services are subject to Google's Privacy Policy.

c) Firebase Cloud Messaging

We use Firebase Cloud Messaging (FCM) to deliver push notifications to your device. FCM receives your device's push notification token to route notifications correctly. We use push notifications only for service-related alerts (such as overdue invoice reminders, payment confirmations, and subscription updates). This service is subject to the Google/Firebase Privacy Policy.

d) SMTP Email Service

We use an SMTP email service to deliver transactional emails, including welcome messages, password reset instructions, payment confirmations, and invoice delivery emails sent on your behalf to your clients. The email service receives recipient email addresses solely for the purpose of message delivery.

8. Your Rights Under NDPR

Under the Nigeria Data Protection Regulation (NDPR) and other applicable data protection laws, you have the following rights regarding your personal data:

• Right of Access: You may request a copy of the personal data we hold about you, along with information about how it is being processed
• Right to Rectification: You may request correction of any inaccurate or incomplete personal data we hold about you
• Right to Deletion: You may request deletion of your personal data and account. This can be done directly through the app at Settings, then Delete Account, or by contacting us
• Right to Data Portability: You may request your data in a structured, commonly used, and machine-readable format so that it can be transferred to another service
• Right to Objection: You may object to the processing of your personal data for specific purposes, including direct marketing or profiling
• Right to Restriction: You may request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data
• Right to Withdraw Consent: Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before the withdrawal

To exercise any of these rights, please contact us at programmerscourt@gmail.com. We will acknowledge your request within 7 days and respond substantively within 30 days. Account deletion can also be initiated directly from the app's Settings page, where you will receive a confirmation email before your data is permanently removed.

9. Children's Privacy

InvoiceDove is a business invoicing tool designed for use by adults and is not intended for use by children under the age of 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children under 13.

If we become aware that we have inadvertently collected personal information from a child under 13, we will take prompt steps to delete that information from our servers. If you are a parent or guardian and believe that your child has provided us with personal data without your consent, please contact us immediately at programmerscourt@gmail.com so that we can take appropriate action.

10. International Data Transfers

Our servers are located in the United States. If you are accessing InvoiceDove from outside the United States, please be aware that your data will be transferred to, stored in, and processed in the United States, where data protection laws may differ from those in your country of residence.

We ensure that appropriate safeguards are in place to protect your data in accordance with the Nigeria Data Protection Regulation (NDPR) and other applicable data protection laws. These safeguards include encryption in transit and at rest, access controls, and contractual obligations with our hosting and infrastructure providers.

By using the Service, you acknowledge and consent to the transfer of your data to the United States for processing. If you do not consent to this transfer, you should discontinue use of the Service.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes to this policy:

• We will update the "Last updated" date at the top of this policy to reflect the date of the most recent revision
• For material changes that significantly affect how we collect, use, or share your data, we will notify you via email to the address associated with your account or through an in-app notification
• Continued use of the Service after changes are posted constitutes your acceptance of the updated Privacy Policy
• If you disagree with any changes to this Privacy Policy, you should stop using the Service and may request deletion of your data by contacting us or using the in-app account deletion feature

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please do not hesitate to contact us:

• Email: programmerscourt@gmail.com
• Website: https://invoicedove.programmerscourt.com
• Company: Programmers' Court LTD, Lagos, Nigeria
• Data Protection Officer: Available upon request at programmerscourt@gmail.com

For complaints about how we handle your personal data, you may also contact the National Information Technology Development Agency (NITDA), the regulatory body responsible for data protection in Nigeria, at https://nitda.gov.ng.