Privacy Policy

This Privacy Policy explains what Invoset collects, why we collect it, how we use it, and the choices you have. We aim for plain language. If anything is unclear, write to us.

Effective: June 8, 2026
Last updated: June 8, 2026

1. Who we are

Invoset is a software service operated by Ravencord Inc. ("we", "us", "our"). When you use invoset.com, our scanner backend, our embeddable widget, or our badge service, this Privacy Policy applies.

For purposes of the EU and UK GDPR, Ravencord Inc. is the data controller for personal data collected through invoset.com and the dashboard. Where Invoset processes data on a paying customer's behalf as part of a website scan, the customer is the controller and Invoset is the processor under the terms of our Data Processing Addendum.

For privacy questions, contact legal@invoset.com.

2. What we collect

We collect three categories of information: account information, scan data, and usage data.

Account information

  • Email address and authentication credentials handled by our identity provider
  • Billing address and payment instrument data, processed by Stripe (we do not store full card numbers)
  • Optional company name, role, and contact preferences

Scan data

  • Domains and URLs you ask us to scan
  • Public HTML, CSS, and accessibility-relevant DOM attributes from those URLs
  • Screenshots of pages where visual analysis is requested
  • WCAG findings and remediation history we generate

Usage data

  • Pages of invoset.com you visit and interactions with our app
  • Browser type, operating system, IP address, and approximate location derived from IP
  • Cookies and similar technologies described in our Cookie Policy

3. How we use information

  • To run scans, generate reports, and deliver the service you signed up for
  • To authenticate you and secure your account
  • To process billing and prevent fraud
  • To improve scanning accuracy, including aggregated analysis of scan patterns
  • To send service notifications, security alerts, and (with consent) product updates
  • To meet legal obligations and respond to lawful requests

4. Legal bases (GDPR)

Where the EU General Data Protection Regulation applies, we rely on the following legal bases:

  • Performance of a contract for delivering the service you purchased
  • Legitimate interests in operating, securing, and improving the service
  • Consent for optional cookies and marketing communications
  • Compliance with legal obligations such as tax and accounting law

5. Sharing

We do not sell personal information. We share data with the following categories of recipients only as needed to operate the service:

  • Cloud infrastructure providers (Vercel, Render, Supabase) under data processing agreements
  • Payment processor (Stripe) for billing
  • Email delivery provider (Brevo) for transactional and authentication messages
  • Professional advisors and authorities when required by law

The full, current sub-processor list, including hosting regions and each provider's DPA, is published at /legal/subprocessors. We update that page before adding any new sub-processor with access to personal data and notify active customers by email.

6. International transfers

Invoset is operated by Ravencord Inc., a Delaware C Corporation based in Brentwood, Tennessee, United States. Primary infrastructure is hosted in the United States, with a transactional email sub-processor in the European Union (Brevo, France). When personal data of EEA, UK, or Swiss residents is transferred to the United States, we rely on the Standard Contractual Clauses (Module Two: Controller-to-Processor) issued under European Commission Implementing Decision (EU) 2021/914, plus the UK International Data Transfer Addendum where applicable, and the EU-U.S. Data Privacy Framework where the receiving sub-processor is certified.

7. Retention

  • Billing and financial records: retained for seven years after the last invoice to satisfy US federal and state tax recordkeeping obligations.
  • Active customer scan data and reports: retained for the life of the subscription plus seven years to support the documented good-faith-effort evidence chain referenced in our service description, unless you request earlier deletion through the dashboard or by emailing us.
  • Lead-generation scan data (free WCAG checker, no account created): retained for 90 days, then deleted automatically.
  • Authentication and security logs: retained for 24 months for incident investigation and fraud prevention.
  • Marketing preferences and unsubscribe records: retained until you opt back in or request deletion, in either case subject to the CAN-SPAM 10-business-day suppression requirement.

8. Your rights

Depending on your jurisdiction (including the EU/UK GDPR, the California Consumer Privacy Act, the Colorado Privacy Act, and similar US state laws), you may have the right to:

  • Access the personal data we hold about you
  • Request correction or deletion
  • Object to or restrict certain processing
  • Receive a portable copy of your data
  • Withdraw consent at any time, without affecting prior processing
  • Lodge a complaint with your local data protection authority
  • Opt out of the sale or sharing of personal information (we do not sell, but you may still submit a request)

To exercise any of these, write to legal@invoset.com.

For requests under the EU/UK GDPR we respond within 30 days as required by Article 12(3). For requests under the CCPA/CPRA we respond within 45 days as required by §1798.130(a)(2) and may extend once by an additional 45 days where reasonably necessary, with notice to you. We do not discriminate against California residents for exercising their privacy rights, as required by §1798.125; you will receive the same service and pricing whether or not you submit a privacy request.

We may need to verify your identity before fulfilling certain requests (for example, by confirming control of the email address on the account). Authorized agents may submit requests on your behalf with written authorization.

9. Children

Invoset is not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.

10. Security and breach notification

We use TLS in transit, encryption at rest provided by our managed sub-processors, scoped access controls, row-level security policies, and continuous monitoring. No service is perfectly secure, but we work to apply current best practices.

Where a personal data breach is likely to result in a risk to the rights and freedoms of natural persons, we will notify affected users and, where required, the competent supervisory authority within the timeframes required by applicable law: within 72 hours of becoming aware of a qualifying breach under GDPR Article 33, and without unreasonable delay under the CCPA and applicable US state breach notification statutes.

11. Changes to this policy

When we make material changes, we will update the "Last updated" date and notify active customers by email. Continued use of the service after a change constitutes acceptance of the updated policy.

12. Contact

For privacy and data protection matters, contact legal@invoset.com, attention: Privacy. If a written channel is not workable you can also reach us by phone at +1 615 413 2151. The data controller is identified below.

Company details

Registered name: Ravencord Inc.
Registry: Delaware Division of Corporations · File number pending
Registered agent: Legalinc Corporate Services Inc.
Address: 6688 Nolensville Rd, Ste 108 #2225, Brentwood, TN 37027, United States
Phone: +1 615 413 2151
Email: tech@ravencord.com