GDPR Compliance
Invoicetronic takes great care when handling personally identifiable data. This page provides GDPR-specific documentation. For the complete legal framework, please also refer to our Terms of Service and our Personal Data Processing Agreement (DPA).
Invoicetronic is a brand of C.I.R. 2000 snc, based in Ravenna, Italy (VAT IT01180680397). For over 30 years, we have provided invoicing, warehouse management, and accounting software to Italian companies and professionals.
What data we store
Account data
When you sign up for an Invoicetronic account, we collect and store:
- Email address and login credentials
- API keys for authentication
- Company billing information (name, VAT number, fiscal code, address)
Invoice data
As part of the electronic invoicing service through SDI (Sistema di Interscambio), we process and store:
- Electronic invoice XML payloads, which may contain personal and identification data (name, surname, tax code, VAT number, address), contact data (phone number, email), and tax/accounting data of your customers, suppliers, employees, and collaborators
- SDI identifiers, transmission metadata, and delivery status updates
- Webhook configuration and delivery history
- API event logs (method, endpoint, status code, timestamps)
Data you input
We store all data that you upload or transmit during the use of the service, including invoice payloads, company records, and any optional metadata attached to invoices.
Roles and responsibilities
In the context of GDPR, the roles are defined as follows:
- You (the Client) act as the Data Controller for the personal data of third parties (your customers, suppliers, etc.) processed through the Invoicetronic API.
- Invoicetronic (C.I.R. 2000 snc) acts as the Data Processor, processing personal data on your behalf and only according to your documented instructions, as outlined in our DPA.
This is governed by our Data Processing Agreement pursuant to Article 28 of EU Regulation 2016/679.
Where data is stored
All Invoicetronic servers and services are located in the European Union. We do not transfer personal data outside the EU/EEA.
Encryption and security
Encryption at rest
All invoice payloads and other sensitive data are encrypted at rest using modern encryption algorithms (AES-256). Only the data owner can retrieve the original content through authenticated API requests over a secure connection.
Encryption in transit
All API communications are encrypted via HTTPS/TLS. Unencrypted HTTP connections are not accepted.
Access control
API access is authenticated via API keys using HTTP Basic authentication. Each client receives dedicated credentials for both the Sandbox and production environments.
Event logging
Every API operation is logged and available for audit purposes. Log records include method, endpoint, status code, timestamp, and response details. Logs are retained for 15 days.
Data retention
| Data type | Live environment | Sandbox |
|---|---|---|
| Sent invoices | 2 years | 15 days |
| Received invoices | 2 years | 24 hours |
| SDI status updates | 2 years | 15 days |
| Event logs | 15 days | 15 days |
| Webhook history | 15 days | 15 days |
Upon contract termination, client data is retained for a maximum of 90 days, during which it remains available for download. After this period, data is permanently deleted.
Sub-processors
We rely on a limited number of trusted third-party services to operate Invoicetronic. All sub-processors are located in the European Union and are bound by data processing agreements that impose the same GDPR obligations we observe.
Our sub-processors fall into the following categories:
- Infrastructure and hosting: cloud providers for application hosting, database management, and data storage
- Payment processing: services for handling subscription billing and payments
- Electronic invoice exchange: the Italian Sistema di Interscambio (SDI), managed by the Agenzia delle Entrate, for the transmission and reception of electronic invoices
A complete and up-to-date list of our sub-processors, including entity names, specific purposes, and data locations, is available upon request. Please contact us at info@invoicetronic.com to obtain a copy.
As per our DPA (Section 6), we will inform you of any intended changes concerning the addition or replacement of sub-processors, giving you the opportunity to object.
Your rights as a data subject
Under the GDPR, you have the right to:
- Access your personal data and obtain a copy
- Rectify inaccurate or incomplete personal data
- Erase your personal data ("right to be forgotten")
- Restrict the processing of your personal data
- Receive your data in a structured, commonly used format (data portability)
- Object to the processing of your personal data
- Withdraw consent at any time, where processing is based on consent
To exercise any of these rights, please contact us at info@invoicetronic.com.
Data breach notification
In the event of a personal data breach, Invoicetronic will:
- Notify the Data Controller (you) without undue delay after becoming aware of the breach
- Provide all necessary information to allow the Controller to fulfill its own notification obligations under Articles 33 and 34 of the GDPR
- Cooperate with the Controller and take reasonable steps to mitigate the effects of the breach
Data Processing Agreement
A complete Data Processing Agreement (DPA) pursuant to Article 28 of EU Regulation 2016/679 is available at invoicetronic.com/privacy. The DPA is an integral part of our Terms of Service and is automatically accepted upon registration.
If your organization requires a separately signed DPA, please contact us at info@invoicetronic.com.
Contact
For any questions regarding data protection or GDPR compliance:
C.I.R. 2000 snc
Via Amalsunta 6, Ravenna, Italy
Email: info@invoicetronic.com
Web: invoicetronic.com