Privacy Policy

Last updated: November 5, 2025

At Invaro Inc. ("Invaro," "we," "us," or "our"), we understand that as accounting, tax, bookkeeping, and advisory professionals, you handle highly sensitive financial data. Your trust is paramount, and this Privacy Policy explains how we collect, use, protect, and handle your information with the highest standards of security and confidentiality.

1. Information We Collect

1.1 Information You Provide Directly

Account Information: Name, email address, company name, phone number, billing address, and payment information.

Professional Information: Firm details, professional credentials, team member information, and organizational structure.

Client Data: Information about your clients that you choose to store or process through our Service, including financial documents, tax records, engagement letters, meeting transcripts, and communications.

1.2 Information We Collect Automatically

Usage Data: How you interact with our Service, features used, pages visited, time spent, and click patterns.

Device Information: IP address, browser type, operating system, device identifiers, and general location data (city/country level).

Log Data: Error reports, performance metrics, and system diagnostics for troubleshooting and service improvement.

1.3 Information from Third-Party Integrations

When you connect third-party services to Invaro, we may access and process data from those services as described in our Google API Services section below.

2. Google API Services and Limited Use Disclosure

2.1 What Google Data We Access and Why

2.2 Google Data Usage Limitations

• No Secondary Use: We use Google user data exclusively for providing or improving our user-facing features. We do not use it for serving advertisements, building user profiles for marketing, or any purpose unrelated to Invaro's core functionality.
• No Data Sale or Transfer: We will never sell, rent, lease, or otherwise transfer Google user data to third parties, except as necessary to provide our Service (e.g., secure cloud infrastructure providers bound by strict confidentiality obligations).
• Human Review: Google user data is not reviewed by humans except when necessary for security purposes (investigating abuse), legal compliance, or when you explicitly request support and grant permission.
• Transparent Processing: All AI processing of your Google data happens transparently. You can see what data is being used and how it's being processed within the Invaro interface.

2.3 Your Control Over Google Data

You have complete control over your Google data:

• You can revoke Invaro's access to your Google account at any time through your Google Account Permissions page.
• You can configure which emails, calendars, or files Invaro can access using granular settings within the Service.
• You can request deletion of any data we've processed from your Google account by contacting support@invaro.ai.
• Revoking access will stop all data processing immediately and trigger automatic deletion of cached Google data within 30 days.

3. How We Use Your Information

We use your information for the following purposes:

3.1 Service Delivery

• Provide AI-powered accounting, tax, bookkeeping, and advisory automation
• Process and organize client documents and communications
• Generate proposals, engagement letters, tax forms, and other professional documents
• Enable meeting transcription, summarization, and follow-up automation
• Facilitate team collaboration and task management
• Provide customer support and respond to your inquiries

3.2 Service Improvement

• Analyze usage patterns to improve features and user experience
• Train and improve AI models (using only aggregated, anonymized data)
• Conduct research and development for new features
• Monitor and improve system performance and reliability

3.3 Security and Compliance

• Detect and prevent fraud, abuse, and security incidents
• Comply with legal obligations and regulatory requirements
• Enforce our Terms of Service and other policies
• Conduct security audits and vulnerability assessments

3.4 Communication

• Send service-related notifications (system updates, security alerts, billing notices)
• Provide product updates and feature announcements (with opt-out available)
• Respond to support requests and feedback

4. Data Security and Protection

We implement industry-leading security measures to protect your data:

4.1 Technical Security Measures

• Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.3 with perfect forward secrecy.
• Encryption at Rest: All data stored on our servers is encrypted using AES-256 encryption with regularly rotated keys managed through secure key management systems.
• Access Controls: Strict role-based access controls (RBAC) ensure that only authorized personnel can access systems containing user data, and only to the extent necessary for their job functions.
• Multi-Factor Authentication (MFA): All employee and contractor accounts require MFA. We strongly recommend enabling MFA for your Invaro account.
• Network Security: Firewalls, intrusion detection systems, and regular security monitoring protect our infrastructure.
• Secure Development: Regular code reviews, security testing, and vulnerability scanning are integral to our development process.

4.2 Organizational Security Measures

• IRS Publication 7216 Compliance: We comply with IRS Publication 7216 requirements for protecting tax return information, including strict use, disclosure, and consent requirements.
• Compliance Certifications: We are actively pursuing SOC 2 Type II and ISO 27001 certifications to demonstrate our commitment to security, availability, and confidentiality controls.
• Employee Training: All employees undergo comprehensive security and privacy training, including handling of sensitive financial data and tax return information.
• Background Checks: Employees with access to production systems undergo background checks.
• Incident Response: We maintain a documented incident response plan with clear procedures for detecting, responding to, and recovering from security incidents.
• Third-Party Audits: Regular penetration testing and security audits by independent third parties.

4.3 Infrastructure Security

Our infrastructure is hosted on enterprise-grade cloud platforms (AWS, Google Cloud Platform) that maintain:

• ISO 27001, SOC 2, and SOC 3 certifications
• Physical security at data center facilities
• Geographic redundancy and disaster recovery capabilities
• Regular security updates and patch management

4.4 Data Residency Options

We offer data residency options for firms with specific geographic requirements:

• Choose where your data is stored (US, EU, UK regions available)
• Ensure compliance with local data protection regulations
• Maintain control over data location for regulatory requirements
• Available for Professional and Enterprise plans - contact sales@invaro.ai

5. Data Sharing and Disclosure

5.1 We Do NOT Sell Your Data

We never have and never will sell, rent, or trade your personal data or client data to third parties for their marketing purposes.

5.2 Service Providers

We share data with trusted service providers who assist us in operating our Service:

• Cloud Infrastructure: Amazon Web Services (AWS), Google Cloud Platform (GCP), Supabase for hosting and data storage
• AI and Machine Learning: OpenAI, Anthropic for AI processing (with strict data processing agreements prohibiting use of your data for model training)
• Payment Processing: Stripe for secure payment processing (we never store full credit card numbers)
• Communication: Resend, Twilio for email and SMS notifications
• Analytics: PostHog for privacy-focused product analytics (with IP anonymization enabled)
• Error Monitoring: Sentry for application error tracking and debugging

All service providers are bound by strict data processing agreements (DPAs) and are prohibited from using your data for any purpose other than providing services to Invaro.

5.3 Legal Requirements

We may disclose your information if required to do so by law or in response to:

• Valid legal process (subpoena, court order, search warrant)
• Government or regulatory requests
• Protection of our legal rights and safety of our users
• Prevention of fraud or security threats

When legally permitted, we will notify you of such requests and give you an opportunity to object.

5.4 Business Transfers

If Invaro is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice before your data is transferred and becomes subject to a different privacy policy.

6. Data Retention and Deletion

6.1 Retention Periods

We retain your data only as long as necessary to provide the Service and comply with legal obligations:

• Account Data: Retained for the duration of your active subscription plus 90 days for account recovery purposes
• Client Data: Retained according to your instructions or until account deletion
• Usage Logs: Retained for 12 months for security and performance analysis
• Billing Records: Retained for 7 years to comply with tax and accounting regulations
• Support Communications: Retained for 3 years for quality assurance and legal compliance

6.2 Data Deletion

You can request deletion of your data at any time:

• Self-Service Deletion: Delete individual documents, clients, or projects directly within the Service
• Account Deletion: Request full account deletion through settings or by contacting support@invaro.ai
• Deletion Timeline: Data is permanently deleted within 30 days of your request, except where retention is required by law
• Backup Deletion: Deleted data is also removed from backups within 90 days

7. Your Privacy Rights

7.1 Rights Under GDPR (EU/EEA Residents)

If you are located in the European Economic Area, you have the following rights:

• Right to Access: Request a copy of all personal data we hold about you
• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data
• Right to Restriction: Request limitation of processing of your data
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent for processing where consent is the legal basis
• Right to Lodge a Complaint: File a complaint with your local data protection authority

7.2 Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have additional rights:

• Right to know what personal information is collected and how it's used
• Right to request deletion of personal information
• Right to opt-out of sale of personal information (we don't sell data)
• Right to non-discrimination for exercising privacy rights
• Right to correct inaccurate personal information
• Right to limit use of sensitive personal information

7.3 Other Jurisdictions

Regardless of your location, we respect your privacy rights and will honor requests for access, correction, or deletion of your personal data in accordance with applicable law.

7.4 Exercising Your Rights

To exercise any of these rights, please contact us at privacy@invaro.ai or through your account settings. We will respond within 30 days (or as required by applicable law). We may ask you to verify your identity before processing your request.

8. International Data Transfers

Invaro is headquartered in the United States. Your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.

8.1 EU-US Data Transfers

For transfers of data from the EU/EEA to the United States, we rely on:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequate safeguards as required by GDPR Article 46
• Supplementary measures to ensure data protection equivalent to EU standards

8.2 Custom Data Processing Agreements

We provide custom Data Processing Agreements (DPAs) for firms requiring specific terms:

• Standard Contractual Clauses for international data transfers
• Industry-specific requirements and compliance terms
• Custom security and confidentiality provisions
• Breach notification procedures tailored to your needs
• Available for Professional and Enterprise customers - contact legal@invaro.ai

9. Cookies and Tracking Technologies

9.1 What We Use

We use cookies and similar technologies to:

• Essential Cookies: Required for the Service to function (authentication, security, load balancing)
• Functional Cookies: Remember your preferences and settings
• Analytics Cookies: Understand how you use the Service to improve it (anonymized)

We do NOT use advertising cookies or sell data to advertisers.

9.2 Your Cookie Choices

You can control cookies through your browser settings. Note that disabling essential cookies may impact Service functionality. Most browsers also support Do Not Track (DNT) signals, which we honor.

10. Children's Privacy

Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child without parental consent, we will take immediate steps to delete that information.

11. AI and Automated Processing

11.1 How We Use AI

Invaro uses artificial intelligence and machine learning to:

• Process and categorize documents
• Transcribe and summarize meetings
• Generate draft documents (proposals, letters, forms)
• Organize emails and communications
• Provide intelligent search and recommendations
• Automate routine accounting and bookkeeping tasks

11.2 AI Data Processing Agreements

We have strict agreements with our AI providers (OpenAI, Anthropic):

• Your data is NOT used to train their general AI models
• Data is processed only to provide services to you
• Data is encrypted in transit and at rest
• Data retention is limited to 30 days for abuse monitoring only
• Zero data retention options are available for enterprise customers

11.3 Human Oversight

AI-generated content is clearly marked. You maintain final review and approval over all AI-generated documents. We recommend reviewing AI outputs before sending to clients or filing with authorities.

12. Professional and Regulatory Compliance

12.1 Industry Standards

We understand that accounting, tax, and advisory professionals must comply with various regulations:

• IRS Circular 230 (tax practice standards)
• IRS Publication 7216 (safeguarding taxpayer data)
• AICPA professional standards
• State board of accountancy regulations
• Client confidentiality requirements
• Sarbanes-Oxley (SOX) for publicly traded clients

Our Service is designed to support your compliance with these standards, but you remain responsible for ensuring your use of Invaro complies with applicable professional regulations.

12.2 Data Processing Agreement (DPA)

For customers subject to GDPR or similar regulations, we provide a comprehensive Data Processing Agreement that:

• Defines Invaro as a data processor and you as the data controller
• Specifies the scope, nature, and purpose of data processing
• Includes Standard Contractual Clauses for international transfers
• Details security measures and breach notification procedures
• Addresses subprocessor requirements

Contact legal@invaro.ai to request a signed DPA.

13. Third-Party Services and Integrations

When you connect third-party services (QuickBooks, Xero, Notion, Slack, etc.) to Invaro, those services have their own privacy policies. We encourage you to review them. We are not responsible for the privacy practices of third-party services.

You can disconnect third-party integrations at any time through your account settings.

14. Security Incident Notification

In the unlikely event of a security incident affecting your information:

• We will notify you as soon as possible, and within timeframes required by applicable law (typically within 72 hours)
• We will provide detailed information about the incident, affected data, and remediation steps
• We will notify relevant regulatory authorities as required by law
• We will work with you to mitigate any potential impact

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

Material Changes: If we make material changes that reduce your rights or significantly change how we process your data, we will:

• Notify you via email at least 30 days before the changes take effect
• Display a prominent notice in the Service
• Give you the opportunity to review the changes and opt-out if desired

Non-Material Changes: Minor updates (clarifications, contact information changes, etc.) will be posted on this page with an updated "Last updated" date.

Your continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Policy.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We aim to respond to all inquiries within 48 hours during business days.

Version: 2.0 | Effective Date: November 5, 2025