Privacy Policy

Last updated: February 19, 2026

1. Data Controller

Além do Código, Lda
NIF: 518014088
Rua Dom Francisco Gomes 4 1A
8000-306 Faro, Portugal
Email: lusoinvoice@alemdocodigo.pt

2. Data Collected

LusoInvoice collects and processes the following data as part of its functionality:

  • Stripe identifiers: User ID, Account ID, Customer IDs, Payment Intent IDs
  • Payment data: Amounts, dates, items, tax information (VAT)
  • Customer data: Name, email, customer code
  • InvoiceXpress credentials: Account subdomain and API key (stored in the Stripe Secret Store)
  • Synchronization logs: Created document IDs, sync status, timestamps

3. Purpose of Processing

Data is processed exclusively for:

  • Synchronizing Stripe payments with InvoiceXpress for invoice issuance
  • Linking Stripe customers to InvoiceXpress customers
  • Maintaining a record of created documents to prevent duplications

4. Legal Basis

Processing is carried out based on the user's consent, expressed through the installation and configuration of the app.

5. Storage and Security

  • InvoiceXpress credentials: Stored in the Stripe Secret Store (encryption managed by Stripe)
  • Operational data: Stored in a Supabase database with Row Level Security enabled
  • Access: Restricted via Stripe Signature verification (HMAC-SHA256) — only requests authenticated by Stripe are accepted
  • Isolation: All data is filtered by Account ID — each user accesses only their own data

6. Data Sharing

Data is shared exclusively with:

  • Stripe: Payments platform (where the app operates)
  • InvoiceXpress: Invoicing platform (synchronization destination)
  • Supabase: Database and edge functions infrastructure

We do not sell, rent, or share data with third parties for marketing purposes.

7. Data Retention

  • Operational data: Retained while the app is installed and configured
  • Synchronization logs: Retained for audit purposes and to prevent duplications
  • Deletion: When disconnecting the app, all data is deleted (webhook, customer links, settings). Synchronization logs are retained as historical records.

8. Data Subject Rights

Under the GDPR, users have the right to:

  • Access their data
  • Rectify incorrect data
  • Delete their data (via the "Disconnect InvoiceXpress" feature)
  • Data portability
  • Object to processing

To exercise these rights, contact: lusoinvoice@alemdocodigo.pt

9. Changes

This policy may be updated periodically. Significant changes will be communicated by email.