Not legal advice. This page is a templated baseline aligned with GDPR + Belgian DPA. It does not constitute independent legal advice and has not been reviewed by counsel for your specific circumstances. For questions or to request the executed PDF version, email legal@orisinvoice.com.
1. Who we are
Oris Invoice is operated by ORIS Intelligence Pvt Ltd ("we", "us", or "Oris"). For users resident in Belgium, this Privacy Policy is governed by GDPR + the Belgian Data Protection Act (Wet betreffende de bescherming van natuurlijke personen / Loi relative à la protection des personnes physiques). The competent supervisory authority is the Gegevensbeschermingsautoriteit / Autorité de protection des données (DPA / APD).
2. What personal data we collect
We collect: account identifiers (name, email, phone), organisation tax registration data (BTW/TVA-nummer, KBO/CBE number), invoice and customer master data, payment metadata, and standard system telemetry. We do not collect special-category data (GDPR Art. 9) unless you upload it within an invoice description.
3. Lawful basis and purpose
We process personal data on the basis of (a) GDPR Art. 6(1)(b) — contract; (b) GDPR Art. 6(1)(c) — legal obligation under the Belgian VAT Code and accounting regulations; (c) GDPR Art. 6(1)(f) — legitimate interest in security; and (d) GDPR Art. 6(1)(a) — consent for non-essential analytics.
4. Sub-processors and international transfers
We rely on a vetted list of sub-processors. The current list is available on request. For users resident in Belgium, primary data hosting is in eu-west-1 or eu-central-1. Cross-border transfers rely on EU Commission Adequacy Decisions or EU SCCs (2021/914) plus a Transfer Impact Assessment per Schrems II.
5. Retention
Account and invoice data is retained for the longer of (a) subscription duration plus 30 days, or (b) the 7-year statutory invoice retention under Belgian VAT Code Art. 60. Audit logs are retained on an INSERT-only basis. Backups are retained for 35 days.
6. Your rights (GDPR Art. 15–22)
You may request access (Art. 15), rectification (Art. 16), erasure (Art. 17, subject to retention overrides), restriction (Art. 18), objection (Art. 21), portability (Art. 20), or lodge a complaint with the GBA/APD. Submit requests to privacy@orisinvoice.com — we respond within 30 calendar days.
7. Security
Data at rest is encrypted with AES-256-GCM. Bank account numbers, tax IDs and other sensitive fields are individually encrypted at the column level with KMS-managed keys. PostgreSQL Row-Level Security is keyed on org context. We apply SOC 2 Type II controls and an ISO 27001-aligned ISMS.
8. Cookies and analytics
Essential cookies are used for authentication only. Optional analytics cookies are disabled by default and require consent. We do not use cross-site tracking pixels or sell user data to advertising networks.
9. Children's data
Oris Invoice is a B2B service not directed at individuals under 16 (GDPR Art. 8 + Belgian DPA). We do not knowingly collect personal data from children.
10. Contact and updates
Privacy: privacy@orisinvoice.com. DPO: dpo@orisinvoice.com. Material changes are posted 30 days before they take effect.