Privacy Policy

Effective: June 30, 2026 · Last updated: June 30, 2026 · Notice version 2026-06-30

Summary — Invoice Folder stores your projects, invoices and checklists in your own Google Drive, never on our servers. We use Supabase only for sign-in and to hold your account record — your name and email. We don't sell your data, share it with advertisers, or use it for anything but running the app for you. Guest mode stores nothing anywhere — it lives only in your browser. You can access, correct, export and permanently delete everything, and withdraw consent, at any time.

This notice is provided under Section 5 of India's Digital Personal Data Protection Act, 2023 (the "DPDP Act") and the Digital Personal Data Protection Rules, 2025. It describes the personal data we process, why, how you exercise your rights, and how to complain to the Data Protection Board of India. It is available in English; request it in any Eighth Schedule language by writing to the contact below.

1. Who We Are (Data Fiduciary)

Invoice Folder ("the App", "we", "us", "our") is a billing-and-scope document tool operated as an independent project by Jorzier (jorzier.com), accessible at invoicefolder.jorzier.com. For the DPDP Act, Jorzier is the Data Fiduciary determining the purpose and means of processing, and you are the Data Principal.

Data-protection / grievance contact: support@jorzier.com
General contact: hello@jorzier.com

2. Personal Data We Process, and Why

Personal data	Purpose	Where it is stored
Name and email (from Google Sign-In)	Create and authenticate your account; contact you about it	Supabase (authentication)
Business data you enter — your profile, client details, projects, invoices, service summaries, checklists and templates	To provide the core service: building, storing and displaying your documents	Your own Google Drive "Application Data" folder
Google OAuth tokens	To keep you signed in and read/write only your own files in the App's Drive folder	Your browser session
Guest mode: anything you enter	To build a document on the spot, with no account	Your device only — never sent to us, and only saved if you download a file yourself
IP address, browser type (by infrastructure providers)	Security and performance only — not analysed at an individual level	Vercel, Supabase logs

We limit processing to what these purposes need (data minimisation). We do not collect payment-card numbers or bank credentials, run no individual behavioural analytics, and use no advertising or tracking cookies.

3. Legal Basis: Your Consent

We process your personal data on the basis of your consent, given by a clear affirmative action when you create your account (you confirm you are 18+ and agree to this notice). Your consent is limited to the purposes above.

You can withdraw consent at any time, as easily as you gave it — by deleting your account, or revoking the App's access from your Google Account permissions. Withdrawal does not affect processing done before it. On withdrawal we stop processing and erase your data unless the law requires retention. Guest mode requires no consent because we process nothing.

4. How We Store and Protect Your Data

Your documents — Google Drive AppData storage: Your projects, invoices and checklists are stored as files in your personal Google Drive Application Data folder. This folder is private to you, invisible to other apps and to people you share Drive files with, and protected by Google's encryption at rest and in transit. We cannot read the contents of your Google Drive.

Your account — Supabase authentication: We use Supabase only for sign-in and to hold your account record (name and email). Supabase provides AES-256 encryption at rest, TLS 1.2+ in transit, and Row Level Security so each user reaches only their own record. The App is served over HTTPS via Vercel.

We apply reasonable safeguards to prevent a personal data breach (DPDP Rules 2025, Rule 6) — encryption, access controls and monitoring. No system is fully secure, and you use the App at your own risk. If a breach occurs, we will notify you and the Data Protection Board of India without undue delay, per the DPDP Act (§8(6)) and Rule 7.

5. What the App Can and Cannot See in Your Drive

Invoice Folder uses Google's narrow drive.appdata scope:

The App does not access your Google Drive. It cannot read, list, search, modify or delete your personal files, folders, photos or documents.
It can only see its own dedicated, hidden folder — Google's private "Application Data" folder scoped exclusively to Invoice Folder.
The only files there are the project, invoice and checklist files the App creates for you.

You can verify this on your Google Account permissions page.

6. Data Sharing and Processors

We do not sell, rent or trade your personal data. We engage these Data Processors under contract, strictly to run the service:

Google — Sign-In and Drive (app-data storage). Governed by Google's Privacy Policy. We receive only your name, email and an OAuth token.
Supabase — authentication and your account record. Privacy Policy.
Vercel — hosting. Privacy Policy.
Legal obligations — we may disclose data where required by law, court order or a competent authority.

7. Cross-Border Transfer

Our processors (Google, Supabase, Vercel) may store and process data on servers outside India. Such transfers are permitted under Section 16 of the DPDP Act, subject to restrictions the Central Government may notify. We rely on these processors' security and contractual commitments wherever data is processed.

8. Your Rights as a Data Principal

Access (§11): obtain a summary of the data we process. You can view all your data in the App and export any project or section as a file.
Correction, completion, updating (§12): edit any data directly in the App at any time.
Erasure (§12): permanently delete a project, or your whole account and its Drive files, from within the App.
Grievance redressal (§13): raise a concern with our data-protection contact (Section 10). We aim to respond within 90 days.
Nominate (§14): nominate someone to exercise your rights in case of death or incapacity, by writing to us.
Withdraw consent at any time (Section 3).

If you are in the European Economic Area, you may also have rights under the GDPR.

9. Data Retention

We retain personal data only while your account is active and the purpose is served. When you delete your account or withdraw consent, your account record and your Drive files are erased. Residual copies may remain in processors' backups briefly before being purged. We retain data longer only where the law requires.

10. Grievance Redressal & Complaints

For any grievance about how your data is handled, contact support@jorzier.com. We will acknowledge and aim to resolve it within 90 days. Please give us the chance to address it first. If still dissatisfied, you may complain to the Data Protection Board of India.

11. Children

Invoice Folder is intended only for individuals aged 18 or older. Under the DPDP Act a "child" is anyone under 18. We do not knowingly process children's data and run no behavioural tracking or targeted advertising. If you believe a child has given us data, contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Policy. On material changes we update the "Last updated" date and notice version above and make reasonable efforts to notify users. Continued use after changes constitutes acceptance.

13. Contact Us

Data protection / grievances: support@jorzier.com
General: hello@jorzier.com
jorzier.com