PRIVACY POLICY FOR ORIGINAL INVOICE
Effective Date: 19 April 2026
Data Controller: Original Invoice Company No.
Address:45 Awolowo Road Ikoyi, Lagos, Nigeria
Contact: admin@originalinvoice.com
Domain: www.originalinvoice.com
Introduction
Original Invoice is a web and mobile based invoicing app that helps individuals, freelancers and businesses create invoices, calculate tax, track payments, and manage clients. This privacy policy explains how original invoice collects, uses and stores your information when you use our web and mobile invoicing app. It is separate from our Terms & Conditions. By using this app, you have agreed to this policy.
The Data We Collect.
We collect only data needed to provide the invoicing service. You provide some directly while some are automatically collected.
Account Data: (Personal Information): Full name, email address, telephone number and password to create and secure your account. We also collect email verification status and account role (User, Admin, or Super admin).
And out
Business Profile Data (For Business Users): Business full name, business address, business type, Country of business registration number, telephone number, email address and invoice prefix for invoice numbering. You may optionally upload your business logo which is stored with our cloud provider (Cloud nary) for storage.
Invoice Data: Client information (customer type, title, full names, business names, telephone numbers, email addresses, countries) product /item details (item names, categories, descriptions, quantities, rates, amounts) invoice amount, tax information, invoice status (paid, pending, overdue and outstanding’s)due dates, payment terms, notes and invoice generation preferences. (language & currency). Generated invoice PDFs and related metadata are stored.
Payment Data/Financial Information: Subscription plan types (Free, Essentials, Premium. Billing cycle (monthly or yearly) subscription status and expiry dates, invoice counts & usage limits. Payment processing is handled by Pay stack, a PCI-DSS compliant payment gateway. We do not store full credit card numbers. Payment transaction references and webhook data from Pay stack are stored for subscription management and verification purposes.
The Client Management Information: We enter customers details including customer types(individual/business) titles, full names, business names, emails, addresses and countries to generate and send invoices to respective clients.
Files & Documents: Business Logos, signatures, payment receipts, user profile photos and payment receipts which you upload are sent to cloud storage provider (Cloud nary). We store the secured URLs to enable access to files.
Tax Configuration Data: Tax type, tax rates (individual and business rates) and default tax settings for your account and invoices.
Notification Data: In-app notifications about invoice activities (sent, paid, overdue and outstanding) payment recordings, client addition, system alerts and subscription updates. We store your notification preferences. (which types of notifications you want to receive) and read/unread status.
Usage Data: We collect information about how the app is used to improve features and keep the app secured.
Authentication & Session Data: Your password is encrypted using by crypt hashing and never stored in plain text Email verification status, one-time passwords (OTP) for email verification and password reset (stored temporarily with 10-minute expiry and 5-attempt limit), OAuth provider information (Google or Apple) if you sign in using social login including provider name and provider user ID, current session tokens (for security validation), and blacklisted tokens (for logout tracking and security).
User Settings & Preferences: Language preference (for invoice generation), notification preferences, (payment recorded, invoice sent, invoice reminders, client added, system alerts), and tax application settings.
Device Model: Device ID, IP address, OS, app version.
Communication Data: Contact form submissions, including full names, support email address, telephone number(optional), subject, message content, communication consent status, message status (new, read, responded) submission time stamp and chats sent to us.
Administrative & Audit Data: for security and compliance purposes we log administrative actions including admin user identifier, action type, target entity, timestamp, and action details. System configuration changes are also tracked.
Technical & Security Data: We automatically collect IP address, browser type, and operating system information from standard HTTP request headers for security monitoring, fraud prevention, and service improvement. API request logs for debugging and monitoring purposes.
Approximate Location: Lagos Nigeria for Fraud prevention, provision of tax rates but not shared.
We do NOT collect: precise location, contacts, SMS, microphone, or device photos unless you explicitly used upload/scan a file.
Legal Basis under NDPA 2023.
We process your data under the legal basis from the Nigeria Data Protection Act of 2023:
Contract: To provide the app you signed up for creating invoices, storing data and sending emails.
Legitimate Interest: To secure the app, prevent fraud and improve features using analytics
Consent: For non-essential cookies on our web app. You may withdraw your consent at any time.
Legal Obligation: To keep financial records for five (5) years as required by the Federal Inland Revenue Service (FIRS).
Data Sharing Limits
We do NOT sell your data. We do NOT use your invoice contents for advertising We share limited data only with trusted third parties’ others obligated to for their respective services:
Service providers:
· Pay stack - Payment processing and subscription management
· Cloud nary - Secure file storage for logos and receipts
· Twilio (SendGrid) - Email delivery for notifications, OTPs, and invoice delivery
· Google - OAuth authentication (if you choose to sign in with Google)
· Apple - OAuth authentication (if you choose to sign in with Apple)
· Twilio - WhatsApp messaging for invoice delivery (if you chose this option, note that the integration of Twilio is subject to change as its implementation is not yet complete).
Legal obligation: In compliance with NDPR (Nigeria Data Protection Regulation) 2019. their requests and fraud prevention. We process data based on consent for marketing and legitimate interest.
Business transfers: Users of this app shall be notified in case we are acquired. All third parties are strictly obligated to comply with data protection standards, inclusive but not limited to NDPR.
How We Use Your Data. We use your data for the following purposes:
such as;
· Providing the service: i.e. log you in, save invoices, synchronize across web and mobile.
· Send Emails: i.e. to deliver invoices, receipts, password resets, service notices to you and your clients.
· App functionality: i.e. to store logos, generate pdfs and payment status.
· Improvement & Debugging: i.e. to fix crashes and prevent abuse.
· Legal Compliance: Responding to lawful request, enforcing our terms and the issuance of tax records. Communicate with you by responding to your queries and important service updates.
We do NOT collect: Precise GPS location, device contacts, SMS messages, microphone recordings, device camera access, or device photos unless you explicitly choose to upload a file through the app's file upload interface. We do not track your device ID, app version, screen views, taps, or use analytics services like Firebase or Mix panel
1. Data Security
Our security protocol is up to date for the protection of your data through multiple layers of encryption and access. Multi Factor Authentication (MFA)regular security updates/audits. While we strive to protect against loss and unauthorized access.
Data in Transit: All data transmitted between your device and our servers is encrypted using HTTPS/TLS 1.2+ secure communication protocols.
Authentication & Access Control: We use JWT (JSON Web Token) authentication with RSA-512 encryption for secure session management. Your session tokens are stored in HTTP-only cookies that cannot be accessed by JavaScript, protecting against cross-site scripting (XSS) attacks. Cookies are configured with Secure and Same Site attributes for additional protection. We implement role-based access control with three permission levels (User, Admin, Super Admin) to ensure users can only access data appropriate to their role.
Password Security: Your password is encrypted using Crypt hashing with automatic salting and is never stored in plain text. We cannot retrieve your original password.
Email Verification: One-time passwords (OTP) are required during account registration and password reset. OTPs expire after 10 minutes and are limited to 5 attempts to prevent unauthorized access and brute force attacks.
Session Management: Access tokens expire after 15 minutes of inactivity. Refresh tokens are valid for 30 days. When you log out, your session tokens are immediately blacklisted and invalidated. Previous tokens are automatically invalidated when you log in from a new device or browser.
Security Monitoring: We maintain detailed audit logs of all administrative actions including user management, subscription changes, tax configuration updates, and notification activities. Each audit log records the admin who performed the action, what was changed, when it occurred, and the before/after values for compliance and security review. We use Prometheus and Grafana for real-time application health monitoring and performance metrics. Authentication failures and security events are logged to our application logs for technical review.
Third-Party Security: Payment processing is handled by Pay stack, a PCI-DSS compliant payment gateway. We do not store your credit card numbers. File uploads are stored securely with Cloud nary using industry-standard security practices. OAuth authentication (Google, Apple) follows industry security standards and we only receive your basic profile information.
Your Responsibilities: You are responsible for keeping your password secure, using a strong and unique password, notifying us immediately of any unauthorized account access, logging out when using shared or public computers, and keeping your email account secure as it is used for account recovery.
2. Data Retention & Deletion
We keep data only for as long as necessitated by the service.
Active account: The Data kept while your account is open
Financial records: The invoice metadata is kept for five (5) years after last invoice issued per FIRS/LIRS/NDPR compliance, then deleted thereafter.
Tax compliance: We shall retain your records for six (6) years from the end of the relevant tax year of assessment in accordance with the Nigeria Revenue Service (NRS) tax act of 2025
Backups/Logs: Information’s are purged within twelve (12) calendar months
Deleted Account: If you delete your account: Data will be held and deleted within thirty (30) days, following such deletion excepting financial records that are required by law.
To request deletion: Email admin@originalinvoice.com or use Settings > Delete Account. (www.originalinvoice.com).
3. Your Rights
Under the Nigeria NDPA 2023 you have the right to: access, correct, delete, restrict, or port your data, and object to processing by emailing our; admin@originalinvoice.com to exercise your rights. You can lodge a complaint with the Nigeria Data Protection Commission (NDPC) http://services.ndpc.gov./breach/
4. Children’s Privacy
Original invoice is not for the use of persons under the age of eighteen (18). We do not knowingly collect data from children. If you believe we have, contact us to have such data deleted.
5. International Transfers
Our Data is stored on servers provided by our service providers in the United States of America. Therefore, we ensure its protection via standard contractual clause approved by NDPC, vendor security certifications such as SOC and the encryption of the same in transit and at rest.
6. Request Permissions
Camera/Storage: Only if you choose to scan receipts or upload logos. We don’t access it otherwise.
Internet: This is required for cloud synchronization and sending invoices.
Whilst you can deny permissions and still use core features.
7. Third-Party Links
Invoices may contain links to payment pages such as Pay stack. Their privacy policies apply once you leave our app.
8. Changes to This Policy
We will update the “Effective Date” above and notify you in-app or by email of any material changes fourteen (14) days prior to such changes. Your continued use of Original invoices constitutes an automatic acceptance.
9. Contact Us
for your request, complaints and feedback
Email us: admin@originalinvoice.com search Our: www.originalinvoice.com
Call us on +234(704)730-0083,
Opening Hours: Mondays to Fridays from 8am to 5pm.