Privacy Policy

Last updated: November 19, 2025

This Privacy Policy explains how Roques OÜ ("Invoo", "we") processes the personal data of Users who access the Website or use the Platform accessible through https://invoo.es. We are committed to complying with Regulation (EU) 2016/679 (GDPR), Organic Law 3/2018 (LOPDGDD) and applicable Spanish tax regulations where relevant.

Data Controller

The data controller for personal data is:

Roques OÜ

Ahtri tn 12

15551, Tallinn (Estonia)

Email: legal@invoo.es

Data We Process

The type of data processed depends on how the User uses the Platform:

Data provided during registration

This includes full name, email address, tax data required for invoicing (such as NIF/CIF or tax address), and in the case of paid plans, payment method data (which remains tokenized; Invoo only stores the last digits of the card).

Data generated through Platform use

During normal User activity, Invoo processes data that forms part of the contracted service, such as:

  • issued invoice data
  • client and supplier data entered by the User
  • invoicing records in accordance with RD 1007/2023
  • expenses, receipts and uploaded documents
  • information necessary for generating tax estimates
  • gestoría dashboard activity when the User shares access

This data belongs exclusively to the User, who acts as the Data Controller regarding the content of their own invoices, clients or expenses. Invoo only processes it for the proper provision of the contracted service.

Data derived from technical use

We process certain technical data necessary to ensure the security and operation of the service: IP address, access logs, device or browser identifiers, performance data and error logs.

Cookies and similar technologies

The Website uses technical cookies and, with consent, analytics cookies. Detailed information can be found in our Cookie Policy.

Purposes of Processing

Invoo processes User personal data to:

  • provide the Service, enabling invoice issuance, data synchronization, generation of Invoicing Records and access to the gestoría dashboard
  • manage the User's account, including operational communications, technical notifications and relevant service information
  • bill and process payments when the User subscribes to a paid plan
  • comply with legal obligations, especially those derived from tax regulations
  • improve the Service through statistical analysis of Platform usage (only with consent for analytics cookies)
  • send commercial communications, only when the User has given consent or when sending is covered by legitimate interest in B2B contexts

Legal Basis for Processing

Depending on each purpose, data processing is based on:

  • Performance of contract, when we process data necessary to provide the Service
  • Legal obligation, when tax regulations require storing and processing certain data
  • Legitimate interest, to improve Platform performance and security or for commercial communications in B2B relationships
  • Consent, when we use analytics cookies or send non-essential communications

Disclosure of Data to Third Parties

Invoo does not sell personal data or share it with third parties for commercial purposes unrelated to the Service. Data will only be disclosed:

  • To the external tax connectivity provider (currently Verifacti – Bilbabit, S.L.) when necessary for submitting Invoicing Records to the Tax Administration
  • To technology providers that provide hosting, infrastructure, transactional email or technical support services
  • To financial institutions or payment gateways to execute billing
  • To gestorías or collaborators when the User decides to grant them access
  • To public authorities when there is a legal obligation

All providers with data access act as data processors in accordance with Article 28 GDPR.

International Transfers

The Service's servers are located within the European Economic Area. Invoo may work with providers located outside the EEA only when they are subject to adequate safeguards such as standard contractual clauses or mechanisms recognized by the GDPR (including the Data Privacy Framework in the case of the United States).

Data Retention

Data will be retained while the account is active. After requesting cancellation, data will remain accessible during the period indicated in the Terms and Conditions and will subsequently be deleted or blocked unless a legal obligation requires longer retention (for example, Spanish tax regulations).

Data from analytics cookies will be retained for the period indicated in the Cookie Policy.

User Rights

The User may exercise the following rights:

  • access to their personal data
  • rectification of inaccurate data
  • erasure where appropriate
  • restriction of processing
  • objection to processing based on legitimate interest
  • portability of their data
  • withdrawal of consent at any time

These rights may be exercised by sending an email to legal@invoo.es, verifying your identity. You may also file a complaint with the competent supervisory authority, including the Spanish Data Protection Agency (AEPD).

Data Security

Invoo applies technical and organizational measures designed to protect personal data against unauthorized access, alteration or loss. Although no system is completely invulnerable, we adopt security standards appropriate to the nature of the data processed.

Third-Party Data Entered by the User

The User is responsible for ensuring they have legitimacy to enter third-party personal data into the Platform, such as clients, suppliers or invoice recipients. Invoo acts solely as a data processor regarding such data, processing it under User instructions and exclusively to provide the contracted service.

Policy Updates

Invoo may modify this Privacy Policy when necessary to adapt it to regulatory, technical or operational changes. The current version will always be the one published at https://invoo.es.