Last updated June 24, 2026 · Revision: 8d3ab49b-c989-424d-b01d-09a3497d386f
This Privacy Policy explains how Curried Software S.L.U. ("Curried Software", "we", "us") collects, uses and protects personal data when you use uninvoice.app and related services (the "Services"). We are committed to processing personal data in accordance with Regulation (EU) 2016/679 (the "GDPR") and Spanish data protection law (Ley Orgánica 3/2018, LOPDGDD).
The controller of your personal data is:
Curried Software S.L.U.For any question or request relating to your personal data, contact us at [email protected]. We are not required to appoint a Data Protection Officer; privacy requests are handled through that address.
This Policy covers the personal data we process as a controller, primarily the data of our users (account holders) and of visitors to our website.
When you use the Services to manage your own business records, you may enter personal data of your own clients or contacts (for example, the name, address and tax identifier of an invoice recipient). With respect to that data, you are the controller and we act as the data processor, processing it solely on your instructions in order to provide the Services. You are responsible for having a legal basis to provide us with that data and for informing your own contacts as required by law. This processing on your behalf is governed by our Data Processing Agreement (DPA), which sets out the safeguards required by Article 28 of the GDPR. It is worth distinguishing this content —which we process as a processor— from the data we process as a controller (for example, your account data and the invoices we issue you for your subscription), described in the rest of this Policy.
Unless otherwise indicated, providing the account, identity and business data is a necessary requirement to conclude and perform the contract for the provision of the Services: if you do not provide it, we will not be able to create your account or provide you with the Services. The retention of certain billing data also responds to a legal obligation of a commercial and tax nature. By contrast, non-essential analytics data is processed only with your consent; providing it is voluntary and not providing it does not affect your access to or use of the Services.
We process personal data for the following purposes and on the following legal bases under Article 6 of the GDPR:
| Purpose | Legal basis |
|---|---|
| Create and manage your account; provide and operate the Services; generate invoices and records | Performance of a contract (art. 6.1.b) |
| Manage subscriptions and payments and issue you our invoices | Performance of a contract; legal obligation (art. 6.1.b and c) |
| Report invoicing records to the AEAT through VeriFactu, when you enable it | Legal obligation; performance of a contract (art. 6.1.c and b) |
| Retain accounting and tax records for the periods required by law | Legal obligation (art. 6.1.c) |
| Send transactional emails (welcome, receipts, password reset, subscription notices) | Performance of a contract (art. 6.1.b) |
| Protect the Services, prevent fraud and abuse and debug errors | Legitimate interest (art. 6.1.f) |
| Product analytics and improvement of the Services | Legitimate interest, or consent where required for non-essential cookies (art. 6.1.f / a) |
| Respond to your inquiries and provide support | Legitimate interest; performance of a contract (art. 6.1.f and b) |
| Comply with legal requirements and enforce our terms | Legal obligation; legitimate interest (art. 6.1.c and f) |
Where we rely on legitimate interest, we have assessed that such interest does not override your rights and freedoms. Where we rely on consent, you can withdraw it at any time without affecting prior processing.
Automated decision-making and profiling. We do not make decisions based solely on automated processing, including profiling, that produce legal effects on you or similarly significantly affect you (Article 22 of the GDPR). The product analytics we use have a statistical and Service-improvement purpose and are not used to make that kind of decision.
We use a small number of cookies and browser-storage technologies. Strictly necessary cookies are used without consent because they are essential to provide a service requested by you; analytics cookies are only activated after obtaining your consent, in accordance with Article 22.2 of Ley 34/2002 (LSSI-CE). The following inventory describes each item, its purpose and its duration:
| Name | Type | Purpose | Duration |
|---|---|---|---|
session_jwt | Cookie (HttpOnly; scope .uninvoice.app) | Keep you securely signed in. | 7 days |
csrf_token | Cookie (scope .uninvoice.app) | Protection against cross-site request forgery (CSRF) attacks. | 7 days |
oauth_state, oauth_lang, oauth_return_to | Cookies (HttpOnly; path /v1/auth) | Temporary cookies that secure the sign-in flow with an external provider (anti-CSRF state, language and return origin). | Until the browser is closed |
user, language, companyConfirmed | Local storage (localStorage) | Remember your session, your language and the essential application state between reloads and tabs. | Until you sign out or clear it |
| Name | Type | Purpose | Duration |
|---|---|---|---|
ph_* (PostHog) | Cookie and local storage | Product analytics: understand in aggregate how the Services are used in order to improve them. They are only created if you accept analytics. | Up to 12 months |
You can manage or withdraw your consent for analytics at any time from the cookie notice or settings. If you withdraw it, we will stop loading PostHog and capturing analytics events.
We do not sell your personal data. We share it with public authorities where the law requires, with professional advisors or potential successors in the context of a corporate transaction, and with the providers indicated below, distinguishing according to their role under the GDPR.
Data processors. They process personal data on our behalf and in accordance with our instructions, under a processing contract (Article 28 of the GDPR):
| Provider | Purpose |
|---|---|
| Cloudflare, Inc. | Website/application hosting and content delivery |
| Resend (Resend, Inc.) | Delivery of transactional emails |
| PostHog (PostHog, Inc.) | Product analytics (EU data residency), only with your consent |
Independent third-party controllers. When you use these services, the provider processes your data as an independent controller, under its own privacy policy, and not on our behalf:
| Provider | Role |
|---|---|
| Google (Google Ireland Ltd / Google LLC) | Optional authentication via OAuth: if you choose to sign in with Google, Google processes your identity data as a controller. |
| Revolut (Revolut Payments UAB / Revolut Bank UAB) | Processing of payments and subscriptions: as a payment institution, Revolut processes your payment data as a controller for the purposes of, among others, payment-services regulation and anti-money-laundering. |
In addition, when invoices are reported electronically —whether because you choose to or because, for invoices issued by businesses or professionals established in Spain, the applicable Spanish law requires it—, the invoicing records are transmitted to the Spanish Tax Agency (Agencia Estatal de Administración Tributaria, AEAT) through the VeriFactu system. This is a communication to a public authority necessary to give effect to your electronic invoicing, not a commercial transfer of data.
We endeavor to keep personal data within the European Economic Area (EEA). Some of our processors may process data outside the EEA. When this happens, we rely on appropriate safeguards under the GDPR, such as the European Commission's Standard Contractual Clauses or an adequacy decision. You can request more information about these safeguards through the contact details set out below.
We retain personal data only for as long as necessary for the purposes described, applying the following periods:
When data is no longer needed, we delete it or irreversibly anonymize it.
We apply appropriate technical and organizational measures to protect personal data, including encryption in transit, password hashing, access controls and periodic backups. No system is completely secure, but we work to protect your data and respond appropriately to any incident, including notifying you and the competent authority when the law requires. You can report any security issue to [email protected].
Subject to the conditions of the GDPR, you have the right to: access your personal data; rectify inaccurate data; erase data ("right to be forgotten"); restrict or object to processing; data portability; and withdraw consent where processing is based on it. To exercise these rights, contact us at [email protected]. We may need to verify your identity, and we will respond within the legal time limits.
If you consider that we have not processed your personal data correctly, you have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD), www.aepd.es, or with the supervisory authority of your country of residence.
The Services are intended for businesses and for persons over 18 years of age. We do not knowingly collect personal data from minors. If you believe that a minor has provided us with personal data, contact us so that we can delete it.
We may update this Privacy Policy from time to time. When we make material changes, we will post the updated Policy with a new "Last updated" date and, where appropriate, notify you by email or in the application. Continued use of the Services after the changes take effect indicates your awareness of the updated Policy.
For any privacy matter or to exercise your rights, contact us at:
Curried Software S.L.U.