Privacy
Privacy Policy
invico takes the protection of your personal data seriously. This policy explains what data we collect, why, for how long, and what your rights are.
1. Data controller
The controller of personal data collected on invico.pro is:
Company name, legal form, registered office at address.
For any question, write to tomwallyntel@gmail.com.
2. Data we collect
a) Data you provide
- First and last name, email, company, trade (contact form, account creation)
- Voice notes and photos uploaded to the service
- Generated quotes, price lines, customer information you enter
- Payment data (handled by our processor Stripe / other, we have no access)
b) Data collected automatically
- IP address, browser type, operating system, pages visited
- Technical identifiers (cookies, session tokens)
- Aggregated, anonymous usage statistics
3. Purposes and legal bases
| Purpose | Legal basis |
|---|---|
| Provision of the service (quote generation, storage, sending) | Performance of contract |
| Account management and billing | Performance of contract |
| Responding to contact requests | Legitimate interest |
| Service improvement and statistics | Legitimate interest |
| Sending marketing communications | Consent (opt-in) |
| Compliance with legal obligations (tax, accounting) | Legal obligation |
4. Retention periods
- Account data: throughout the subscription, then 3 years after the last activity
- Quotes and business data: throughout the subscription, exportable before deletion
- Billing data: 10 years (French legal obligation)
- Technical and security logs: 12 months maximum
- Non-customer contact requests: 3 years after the last exchange
5. Recipients
Your data is never sold. It may be shared with subprocessors strictly necessary to provide the service:
- Hosting: Vercel Inc. (United States, DPF-certified) and European infrastructure
- Transactional email: Resend (United States, DPF-certified)
- Payment: Stripe or equivalent (European hosting)
- AI models: OpenAI / Anthropic / other (voice notes are sent to third-party models for transcription and generation)
- Privacy-friendly analytics: Plausible / none
An up-to-date list of subprocessors is available on request.
6. Transfers outside the EU
Some subprocessors are located in the United States. These transfers are governed by:
- Membership in the Data Privacy Framework (DPF) where applicable
- Standard Contractual Clauses (SCC) approved by the European Commission
- Additional technical measures (encryption in transit and at rest)
7. Your rights
Under the GDPR, you have the following rights at any time:
- Access: obtain a copy of your data
- Rectification: correct inaccurate data
- Erasure: request deletion of your data ("right to be forgotten")
- Restriction: temporarily block processing
- Portability: retrieve your data in a structured format
- Objection: refuse processing based on legitimate interest
- Withdrawal of consent: withdraw a previously granted consent
To exercise your rights, write to tomwallyntel@gmail.com. We respond within one month.
You also have the right to lodge a complaint with the CNIL (French data protection authority) or any other competent supervisory authority.
9. Security
We apply technical and organisational measures to protect your data, detailed on the security page: TLS encryption, encryption at rest, European hosting, strict access control, regular audits.
10. Changes
This policy may evolve. Any substantial change will be notified to affected users by email at least 30 days before taking effect.
For any question regarding this policy, please write to tomwallyntel@gmail.com.