Not legal advice. This page is a templated baseline aligned with CCPA, CPRA, VCDPA, CPA, CTDPA, UCPA, TDPSA, MDPA, DDPA, OCPA, and other state privacy laws. It does not constitute independent legal advice and has not been reviewed by counsel for your specific circumstances. For questions or to request the executed PDF version, email legal@orisinvoice.com.
1. Notice at Collection
This Notice at Collection summarises the categories of personal information we collect, the purposes for which we collect each category, and how long we retain each category. It is provided at or before the point of collection per Cal. Civ. Code § 1798.100(a).
Categories of personal information collected (CCPA § 1798.140(v)): (A) identifiers — name, email, phone, IP address, account ID; (B) customer-records information — postal address, employer, billing details; (C) commercial information — invoices issued, products sold, transaction history; (D) internet/network activity — pages visited, session telemetry, device fingerprint; (E) geolocation data — coarse country/state from IP; (F) professional or employment information — job title, role within the organisation; (G) inferences — derived risk scores, plan-fit signals.
We do NOT collect categories (H) biometric information, (I) sensory data (audio/video), (K) education records, or (L) genetic/health information.
Purposes for collection (CCPA § 1798.100(a)(2)): to operate the service you subscribed to, process payments, comply with tax and accounting law, prevent fraud and abuse, and (with consent) deliver marketing communications.
Retention period for each category: while your subscription is active plus 30 days, then deleted unless statutory retention applies (typically 7 years for tax records; longer for backups up to 35 days).
2. Sale, Sharing, and Targeted Advertising — Do Not Sell or Share
We DO NOT sell personal information for monetary consideration in the meaning of CCPA § 1798.140(ad).
We DO NOT share personal information for cross-context behavioral advertising in the meaning of CPRA § 1798.140(ah).
We DO NOT engage in profiling for decisions producing legal or similarly significant effects within the meaning of VCDPA § 59.1-575 / CPA § 6-1-1303(20).
Because we do not sell or share, the "Do Not Sell or Share My Personal Information" link is not strictly required, but we publish a placeholder at /legal/us/do-not-sell so visitors expecting it find clear text confirming our position. If we ever begin to sell or share, this policy and the link target will be updated and the change announced 30 days in advance.
3. Sensitive Personal Information
CPRA § 1798.140(ae) defines "sensitive personal information" (SPI) including government identifiers (SSN, driver's licence, passport), financial account log-in credentials, precise geolocation, racial/ethnic origin, religious beliefs, union membership, genetic data, biometric data, health information, and sex-life information.
We collect ONE category of SPI: financial account information (specifically: bank account numbers, IFSC / SWIFT codes, and tokenised payment credentials), strictly to deliver the invoicing service you contracted for.
Per CPRA § 1798.121, you have the right to limit our use of SPI to that necessary to perform the service. Because the financial account data we hold is collected solely to provide the service, the use already aligns with the statutory limitation. No additional opt-out mechanism is required for this purpose. If we ever process SPI for any other purpose, we will publish a "Limit the Use of My Sensitive Personal Information" link.
4. Financial Incentives
Our free tier (10 invoices/month per organisation) is offered on equal terms to all visitors regardless of whether they consent to optional marketing communications or analytics. Free-tier access is NOT contingent on data sharing for advertising or other secondary purposes, and so does not constitute a "financial incentive" under CPRA § 1798.125.
If we ever introduce a referral, loyalty, or marketing opt-in incentive, the program terms will be published with: (a) a description of the incentive, (b) a good-faith estimate of the value of the personal information used, (c) the methodology used to calculate that value, and (d) instructions for opting in and withdrawing at any time.
5. Your California Rights (CCPA / CPRA)
Right to Know (Cal. Civ. Code § 1798.110): the categories and specific pieces of personal information we have collected about you in the prior 12 months, the source categories, the business purpose, and the categories of third parties we shared with. Submit at privacy@orisinvoice.com or via the in-app /account/privacy portal.
Right to Delete (§ 1798.105): we will delete the personal information we have collected about you, subject to the statutory exceptions in § 1798.105(d) (necessary to complete the transaction, comply with legal obligation, exercise free speech, etc.).
Right to Correct (§ 1798.106): we will correct inaccurate personal information.
Right to Opt-Out of Sale or Sharing (§§ 1798.120, 1798.121): not applicable as described above. The placeholder is at /legal/us/do-not-sell.
Right to Limit Use of Sensitive Personal Information (§ 1798.121): not applicable as described above.
Right to Non-Discrimination (§ 1798.125): we will not deny service, charge differently, or provide a different level of service because you exercised any of the above rights.
Right to Data Portability (§ 1798.130): you may request your personal information in a structured, commonly used, machine-readable format.
You may designate an Authorized Agent to submit requests on your behalf per § 1798.135(c). The agent must provide signed permission from you and attest to your identity. We will verify the relationship before responding.
6. Your Rights — Other US States
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Montana (MDPA), Delaware (DDPA), Oregon (OCPA), Iowa (ICDPA), Tennessee (TIPA), New Jersey (NJDPA), New Hampshire (NHDPA), Indiana, Kentucky, Maryland, Minnesota, and Rhode Island have rights substantially similar to the California rights above: to access, delete, correct, port, and opt out of "sale," "targeted advertising," and "profiling for decisions producing legal or similarly significant effects."
Submit any of these requests to privacy@orisinvoice.com or via the in-app portal. We will respond within the statutory window applicable to your state — 45 days under most laws, 60 days under others, plus a permitted extension where the law allows.
Right to appeal: if we deny your request, residents of CO/CT/VA/UT/TX/MT/DE/OR/IA/TN/NJ/NH/MN may appeal under the relevant state law. The appeal contact is privacy-appeals@orisinvoice.com.
7. Categories of Personal Information Disclosed to Third Parties
In the prior 12 months we have disclosed the following categories of personal information to the following categories of third parties for a business purpose (CCPA § 1798.110(a)(4)):
Identifiers, customer-records information, commercial information, internet/network activity, geolocation: disclosed to (a) cloud hosting providers (AWS, GCP — for the service to run); (b) email delivery providers (Resend — to send invoice notifications); (c) payment processors (Razorpay, Stripe — to process tenant payments); (d) error monitoring (Sentry — to detect crashes); (e) auth providers (ORIS Identity — to sign you in).
Sensitive personal information (financial account information): disclosed only to payment processors strictly to enable the transactions you initiate.
See /legal/sub-processors for the current list with each vendor's purpose, jurisdiction, and transfer basis.
8. Sub-processors and International Transfers
A current list of sub-processors is published at /legal/sub-processors with name, purpose, jurisdiction, and transfer basis. We notify customers of sub-processor changes at least 30 days in advance via the change-notification mailing list at /legal/sub-processors#subscribe.
For US users, primary data hosting is in us-east-1 (Northern Virginia). Cross-border transfers — for example to AWS me-central-1 (UAE) for Middle East data residency commitments — are documented in the sub-processor list and rely on appropriate contractual safeguards including Standard Contractual Clauses where the destination country lacks an adequacy mechanism.
9. Retention
We retain each category of personal information for the period stated in the Notice at Collection above. Account and invoice data is held while the subscription is active plus 30 days, then deleted, except where statutory retention applies (US tax records: 7 years per IRS recommendation; backups: 35 days). Audit logs are retained for 7 years on an INSERT-only basis.
When the retention period expires, the data is deleted from production systems. Backups containing the data are deleted on the standard 35-day rotation; deletion from backups is not immediate.
10. Security
We implement reasonable security procedures and practices (CCPA § 1798.81.5) appropriate to the nature of the personal information: AES-256-GCM encryption at rest, TLS 1.3 in transit, AWS KMS-managed keys for individually encrypted sensitive fields (bank account numbers, IFSC, tax IDs), PostgreSQL Row-Level Security keyed on organisation context, append-only audit logs, SOC 2 Type II controls, ISO 27001-aligned ISMS.
In the event of a breach affecting your unencrypted personal information, we will notify you and (where required) the relevant Attorney General without unreasonable delay per state breach notification statutes.
11. Cookies, Pixels, and Cross-Device Tracking
We use a minimal set of essential cookies for authentication and session integrity. Optional analytics cookies are disabled by default and require your explicit consent through our Consent Management Platform.
We do not use cross-site tracking pixels and do not respond to "Do Not Track" browser signals (which are not standardised). We do honour Global Privacy Control (GPC) signals received from your browser as opt-out requests under CPRA § 1798.135(b)(1).
12. Children's Information
Oris Invoice is a B2B service not directed at children under 16. We do not knowingly collect personal information from children under 16, and we do not sell or share such information (CPRA § 1798.120(c)). COPPA (15 U.S.C. § 6501) likewise governs information collected from children under 13.
If you believe a child has submitted personal information through our service, contact privacy@orisinvoice.com and we will delete it.
13. Verification of Requests and Authorized Agents
To verify a Right to Know or Right to Delete request, we will ask you to confirm two pieces of personal information that match what we already hold (typically: account email + most recent invoice date or invoice number).
You may designate an Authorized Agent to submit requests on your behalf per CPRA § 1798.135(c). The agent must provide a written, signed authorisation from you and attest to your identity under penalty of perjury. We will independently confirm the relationship before processing.
14. Contact and Updates
Privacy queries: privacy@orisinvoice.com. Privacy appeals (CO/CT/VA/UT/TX/MT/DE/OR/IA/TN/NJ/NH/MN): privacy-appeals@orisinvoice.com. Toll-free phone: +1 (888) ORIS-INV (placeholder — wire actual number before sales). DPO: dpo@orisinvoice.com.
We post material changes to this Policy at least 30 days before they take effect, with prominent notice. Continued use of the service after the effective date constitutes acceptance of the revised Policy.