PRIVACY POLICY

Last updated April 18, 2026

Data Controller

The data controller for the personal information processed through Order Invoicer (the "Services") is:

Company: Bewizit — SARL (société à responsabilité limitée)
Registered office: 2 rue de Vienne, 75008 Paris, France
SIREN: 813 538 956 — RCS Paris
SIRET (registered office): 813 538 956 00018
VAT number: FR74 813 538 956
Legal representative: Alexandre Wizel (Gérant)
General contact: contact@orderinvoicer.com
Privacy contact: privacy@orderinvoicer.com
Data Protection Officer (DPO): dpo@orderinvoicer.com

This Privacy Notice describes how and why we access, collect, store, use, and/or share ("process") your personal information when you use the Services, including when you:

Visit our website at https://www.orderinvoicer.com, or any website of ours that links to this Privacy Notice.
Contact us via our contact form, email, or other channels.
Engage with us in other related ways, including any sales, marketing, or events.

Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at privacy@orderinvoicer.com.

SUMMARY OF KEY POINTS

This summary provides key points from our Privacy Notice, but you can find out more details about any of these topics by clicking the link following each key point or by using our table of contents below to find the section you are looking for.

What personal information do we process? When you visit, use, or navigate our Services, we process personal information depending on how you interact with us — account data, billing data, contact-form submissions, and technical logs. Learn more in section 1.

Do we process any sensitive personal information? No. We do not intentionally process sensitive personal data as defined by GDPR article 9.

Do we collect any information from third parties? No.

How do we process your information? To provide and administer the Services, communicate with you, process payments, meet our legal obligations, and ensure the security of the Services. See section 2.

Who processes your data on our behalf? We rely on a limited number of sub-processors (hosting, database, payments). See section 4.

Are your data transferred outside the EU? Some of our sub-processors are based in the United States. Transfers are covered by the EU–US Data Privacy Framework and/or Standard Contractual Clauses (SCCs). See section 4.

Do we use cookies? We use a limited number of cookies and trackers. Non-essential trackers (audience measurement) are only activated with your consent. See section 5.

How long do we keep your information? We apply specific retention periods depending on the purpose. See section 6.

What are your rights? Access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with a supervisory authority (CNIL in France). See section 9.

How do you exercise your rights? Email privacy@orderinvoicer.com or dpo@orderinvoicer.com.

WHAT INFORMATION DO WE COLLECT?
HOW DO WE PROCESS YOUR INFORMATION?
WHAT LEGAL BASES DO WE RELY ON?
WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?
COOKIES AND TRACKERS
HOW LONG DO WE KEEP YOUR INFORMATION?
HOW DO WE KEEP YOUR INFORMATION SAFE?
DO WE COLLECT INFORMATION FROM MINORS?
WHAT ARE YOUR PRIVACY RIGHTS?
CONTROLS FOR DO-NOT-TRACK FEATURES
DO WE MAKE UPDATES TO THIS NOTICE?
HOW CAN YOU CONTACT US ABOUT THIS NOTICE?
HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

1. WHAT INFORMATION DO WE COLLECT?

Personal information you disclose to us

In Short: We collect personal information that you provide to us.

We collect personal information that you voluntarily provide when you create an account, subscribe to a plan, interact with our Services, or contact us.

Account and billing data:

Full name
Email address
Password (stored hashed)
Billing address
Debit/credit card information (processed and stored exclusively by Stripe — see section 4)

Contact form data (/contact):

Full name
Email address
Phone number
Shop URL
E-commerce platform in use
Invoicing software in use
Estimated monthly order volume
Free-text message

Technical data collected automatically:

IP address, user agent, device/browser information
Connection timestamps and server logs (LCEN article 6-II)
Cookies and similar technologies (see the Cookies and trackers section below)

Sensitive Information. We do not process "special categories" of data (GDPR art. 9).

Payment Data. All payment data is handled and stored by Stripe. You can find their privacy notice at https://stripe.com/privacy.

All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes.

2. HOW DO WE PROCESS YOUR INFORMATION?

In Short: We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law.

We process your personal information for the following purposes:

Account management: create and manage your user account and authentication.
Service delivery: operate the connectors between your e-commerce platform and invoicing software.
Billing and accounting: issue and store invoices as required by French accounting law.
Customer support: answer your questions via the contact form or email.
Commercial prospecting: contact you about our Services on the basis of your legitimate interest or your consent.
Security and fraud prevention: detect abuse, protect the integrity of the Services, and respond to security incidents.
Legal obligations: respond to legally binding requests from competent authorities.

3. WHAT LEGAL BASES DO WE RELY ON?

Under the GDPR, we rely on the following legal bases:

Performance of a contract (art. 6.1.b): account management, service delivery, billing.
Legal obligation (art. 6.1.c): accounting archiving, response to legal requests, connection-log retention (LCEN).
Legitimate interest (art. 6.1.f): security, fraud prevention, service improvement, B2B prospecting of existing customers.
Consent (art. 6.1.a): non-essential cookies, commercial prospecting of non-customers, newsletters.

You can withdraw your consent at any time by contacting privacy@orderinvoicer.com.

4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

We do not sell your personal information. We share it only with the sub-processors listed below, strictly within the limits of the Services.

Sub-processors

| Sub-processor | Purpose | Location | Transfer safeguards | |---|---|---|---| | Vercel Inc. | Hosting, CDN, Web Analytics (contact-form submission tracking for commercial follow-up), bot detection (BotId) | United States | EU–US Data Privacy Framework + SCCs | | Supabase Inc. | Database (PostgreSQL), authentication | European Union (EU region) | N/A (intra-EU) | | Stripe Payments Europe | Payment processing | Ireland / United States | EU–US Data Privacy Framework + SCCs | | Resend, Inc. | Transactional email delivery (account notifications, and forwarding contact-form messages to our team) | United States | EU–US Data Privacy Framework + SCCs | | Slack Technologies (Salesforce, Inc.) | Internal sales-team notification on incoming contact-form messages | United States | EU–US Data Privacy Framework + SCCs | | Inngest, Inc. | Orchestration of background jobs (syncs, retries) | United States | EU–US Data Privacy Framework + SCCs |

Contact-form data (categories listed in section 1) is forwarded to Resend, Slack and Vercel Analytics for the purposes above.

Each sub-processor is bound by a Data Processing Agreement in compliance with GDPR article 28.

Security trackers (BotId / anti-spam)

The website integrates the BotId library (published by Vercel Inc.) on form-submission pages. This library fingerprints the browser in order to detect and block automated submissions by bots.

Purpose: site security and spam prevention on the contact form.
Legal basis: legitimate interest of the controller in protecting the Service against abuse (GDPR art. 6.1.f).
Regulatory status: tracker strictly necessary for a service expressly requested by the user (submitting a form), and therefore eligible for the consent exemption provided by the CNIL guidelines on cookies and other trackers (deliberation n°2020-091) and article 82 of the French Data Protection Act.
Duration: collected signals are retained only for the time needed to perform the anti-bot evaluation (session).
Recipient: Vercel Inc. (United States), under the transfer conditions described above.

International transfers

Transfers to non-EU/EEA sub-processors are framed by:

the EU–US Data Privacy Framework (adequacy decision of 10 July 2023), where the recipient is certified; and/or
the Standard Contractual Clauses (SCCs) adopted by the European Commission (art. 46.2.c GDPR), when applicable.

Other disclosures

We may share your information in case of:

Legal obligations: to comply with applicable law or respond to lawful requests from public authorities.
Business transfers: in connection with, or during negotiations of, any merger, sale of assets, financing, or acquisition of all or part of our business.

5. COOKIES AND TRACKERS

In Short: We use a limited number of cookies and trackers. Non-essential trackers (audience measurement) are only activated after your consent.

In accordance with article 82 of the French Data Protection Act and the CNIL guidelines (deliberation n°2020-091), we inform you of the trackers placed on your device.

Tracker categories

| Name | Publisher | Purpose | Category | Duration | Consent | |---|---|---|---|---|---| | orderinvoicer.cookie-consent.v1 | Bewizit (first-party localStorage) | Stores your consent choice so that the banner is not shown again | Strictly necessary | 13 months | Exempt (French Data Protection Act art. 82) | | _vercel_insights* | Vercel Inc. | Aggregate audience measurement (Web Analytics) — page views, platforms, form submissions | Audience measurement | Session | Required — enabled only after "Accept all" or "Customize" → Audience measurement | | BotId fingerprint | Vercel Inc. | Detection and blocking of automated submissions on the contact form | Security (anti-spam) | Session | Exempt — tracker strictly necessary to a service expressly requested by the user (form submission), see section 4 |

Managing your preferences

The consent banner displayed on your first visit lets you:

Accept all: enable audience measurement (Vercel Web Analytics).
Reject all: no non-essential tracker is placed. Only strictly necessary trackers (consent storage, anti-spam security) remain active.
Customize: choose per-purpose which trackers you accept.

Refusing is as easy as accepting. You can update your choices at any time by removing the orderinvoicer.cookie-consent.v1 key from your browser's local storage: the banner will re-appear on your next visit.

Browser settings

You can also configure your browser to block all cookies or to notify you whenever a cookie is set. Blocking certain essential trackers may however affect the proper functioning of the site.

6. HOW LONG DO WE KEEP YOUR INFORMATION?

We keep personal data only as long as necessary for the purposes for which it was collected, and then archive or delete it.

| Data category | Retention period | |---|---| | Account data (identification, authentication) | Duration of the contractual relationship + 3 years after the last interaction | | Billing and accounting data (invoices, payment history) | 10 years from the issuance date (French Commercial Code art. L123-22) | | Contact-form submissions (prospects) | 3 years after the last contact | | Commercial prospecting | 3 years after the last interaction (CNIL recommendation) | | Connection logs / server logs | 1 year (LCEN art. 6-II) | | Cookies and similar technologies | Max. 13 months (CNIL) | | Data subject requests | 3 years after closure |

Once the retention period has expired, data is either deleted or anonymised for statistical purposes.

7. HOW DO WE KEEP YOUR INFORMATION SAFE?

We have implemented appropriate technical and organisational security measures designed to protect the security of any personal information we process, including TLS encryption in transit, encryption at rest on our sub-processors' infrastructure, strict access controls, and regular backups. However, no method of transmission over the Internet or method of electronic storage is 100% secure.

8. DO WE COLLECT INFORMATION FROM MINORS?

We do not knowingly collect data from or market to children under 18 years of age. If you become aware of any data we may have collected from children under 18, please contact us at dpo@orderinvoicer.com.

9. WHAT ARE YOUR PRIVACY RIGHTS?

Under the GDPR and the French Data Protection Act, you have the right to:

Access your personal data (art. 15)
Rectify inaccurate data (art. 16)
Erase your data ("right to be forgotten", art. 17)
Restrict processing (art. 18)
Data portability (art. 20)
Object to processing, including for prospecting purposes (art. 21)
Withdraw your consent at any time
Define directives regarding your data post-mortem (French Data Protection Act art. 85)

To exercise these rights, email privacy@orderinvoicer.com or our DPO at dpo@orderinvoicer.com. We will respond within one month.

If you believe that our processing of your personal data does not comply with the GDPR, you have the right to lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL) — https://www.cnil.fr.

10. CONTROLS FOR DO-NOT-TRACK FEATURES

Most web browsers include a Do-Not-Track ("DNT") feature. No uniform technology standard for recognising and implementing DNT signals has been finalised, so we do not currently respond to DNT browser signals. However, our cookie-consent banner lets you refuse non-essential tracking.

11. DO WE MAKE UPDATES TO THIS NOTICE?

Yes, we will update this notice as necessary to stay compliant with relevant laws. The updated version will be indicated by an updated "Last updated" date at the top of this Privacy Notice.

12. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

Data Protection Officer: dpo@orderinvoicer.com
Privacy: privacy@orderinvoicer.com
Postal address: Bewizit, 2 rue de Vienne, 75008 Paris, France

13. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

You may request access to, correction of, or deletion of your personal data by emailing privacy@orderinvoicer.com. You may also manage most account data directly from your account settings.