Privacy Policy

Effective Date: 10 March 2025

This Privacy Policy explains how QIPP Ltd. ("Company", "we", "us", or "our") collects, uses, discloses, and protects personal data when you use the Qipp service ("Service").

We are committed to protecting your privacy and handling your data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data Controller

For the purposes of applicable data protection laws, the data controller is:

Company Name: QIPP Ltd.
Registered Address: 7 Heathfield Drive, CR4 3RD, United Kingdom
Contact Email: hello@q-ipp.com

2. Data We Collect

2.1 Information You Provide

When you register and use the Service, we collect:

  • Account information: full name, email address, password (stored in hashed form)
  • Business profile: business name, business email, business address, business phone number, business logo
  • Payment details displayed on invoices: bank name, account name, sort code, account number, IBAN, SWIFT/BIC, payment instructions
  • Invoice data: all information you enter into invoices including client details, line items, amounts, and upsell content
  • Subscription and billing information: plan selection, payment history (payment details are processed by Stripe)
  • Branding preferences: font choices, colour preferences

2.2 Information We Collect Automatically

When you use the Service, we automatically collect:

  • Usage data: features used, invoices created, emails sent
  • Technical data: IP address, browser type, device information, operating system
  • Log data: access times, pages viewed, errors encountered

2.3 Information About Invoice Recipients

When users send invoices through the Service, we process data about invoice recipients including:

  • Contact information: name, email, company name, address (as entered by the invoice sender)
  • Engagement data: when invoices are viewed, click interactions with upsell blocks
  • Click tracking data: IP address, user agent, timestamp (when recipients click upsell links)
  • Payment data: payment status, Stripe checkout session information

3. How We Use Your Data

3.1 To Provide the Service

We use your data to:

  • Create and manage your account
  • Process and send invoices on your behalf
  • Generate PDF invoices with your branding
  • Process subscription payments
  • Provide click tracking and analytics
  • Enable online payments via Stripe Connect

3.2 To Improve the Service

We use aggregated and anonymised data to:

  • Analyse usage patterns and trends
  • Identify and fix technical issues
  • Develop new features and improvements

3.3 To Communicate With You

We may use your email address to:

  • Send service-related notifications and updates
  • Respond to support enquiries
  • Send important notices about your account or the Terms of Service

3.4 Legal Basis for Processing

We process personal data on the following legal bases:

  • Contract: Processing necessary to perform our contract with you
  • Legitimate interests: Processing necessary for our legitimate business interests, such as improving the Service and preventing fraud
  • Legal obligation: Processing necessary to comply with applicable laws
  • Consent: Where you have given consent for specific processing activities

4. Data Sharing and Third Parties

4.1 Service Providers

We share data with the following third-party service providers who process data on our behalf:

ProviderPurposeData SharedLocation
SupabaseDatabase, authentication, file storageAll account and invoice dataEU/US
StripeSubscription billing, payment processingEmail, payment details, invoice amountsUS (Privacy Shield)
ResendEmail deliveryRecipient email, invoice content, PDF attachmentsUS
VercelWebsite hostingRequest data (IP, headers)US/EU

All service providers are contractually obligated to protect your data and process it only as instructed.

4.2 Legal Requirements

We may disclose your data if required to do so by law or in response to valid legal process, such as a court order or regulatory request.

4.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity, subject to the same privacy protections.

5. International Data Transfers

Your data may be transferred to and processed in countries outside the UK and European Economic Area, including the United States, where our service providers are located.

Where we transfer data internationally, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses approved by the UK Information Commissioner
  • Adequacy decisions where applicable
  • Binding corporate rules of our service providers

6. Data Retention

We retain your personal data for as long as necessary to provide the Service and fulfil the purposes described in this Privacy Policy.

  • Active account data: Retained while your account is active
  • Invoices and transaction data: Retained for 7 years after creation for tax and legal compliance
  • Click tracking data: Retained for 2 years
  • Account deletion: Upon account deletion, we delete your personal data within 30 days, except where retention is required for legal or regulatory purposes

7. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

  • Right of access: Request a copy of your personal data
  • Right to rectification: Request correction of inaccurate data
  • Right to erasure: Request deletion of your data (subject to legal retention requirements)
  • Right to restrict processing: Request limitation of how we use your data
  • Right to data portability: Receive your data in a machine-readable format
  • Right to object: Object to processing based on legitimate interests
  • Right to withdraw consent: Where processing is based on consent

To exercise any of these rights, please contact us at hello@q-ipp.com. We will respond within one month.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at https://ico.org.uk/ if you believe your data protection rights have been violated.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption of data in transit (TLS/SSL)
  • Encryption of data at rest
  • Password hashing using industry-standard algorithms
  • Access controls and authentication
  • Regular security assessments

While we strive to protect your data, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security.

9. Children's Privacy

The Service is designed for business use. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us and we will take steps to delete such information.

10. Data Processing on Behalf of Users

When you use the Service to send invoices to your clients, you act as the data controller for your clients' personal data, and we act as your data processor.

Our Data Processing Agreement governs this relationship and sets out our obligations regarding the processing of your clients' data.

You are responsible for:

  • Having a lawful basis to collect and process your clients' data
  • Providing appropriate privacy notices to your clients
  • Responding to data subject requests from your clients

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. The date of the most recent revision will be indicated at the top of this page.

12. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

Email: hello@q-ipp.com
Address: QIPP Ltd., 7 Heathfield Drive, CR4 3RD, United Kingdom