Privacy Policy

Invoke(“we,” “us,” or “our”) respects your privacy. This Privacy Policy explains how we collect, use, store, share, and protect information when you use our Service.

1. Information We Collect

1.1. Information You Provide

Account Information: Name, email address, password (hashed), and payment information (processed by Stripe — we do not store full card numbers).

Product Description: Text descriptions, questionnaire responses, brand preferences, uploaded documents, images, and other materials you provide during product creation.

Third-Party Credentials: If your product requires integration with third-party services, you may provide API keys through our chat interface. These are encrypted using AES-256-GCM before storage.

1.2. Information Collected Automatically

Usage Data: Pages visited, features used, browser type, device type, IP address, and referring URLs.

Build Data: Technical data about products built, including build duration, step counts, error logs, and quality metrics.

1.3. End User Data

Products built for you may collect data from your End Users. You are the data controller for this data. We are the data processor — we process it solely to host and run your product.

2. How We Use Information

To Provide the Service: Build products, host them, process payments, execute edits, provide support.

To Improve the Service: Analyze build quality, extract generalized code templates (no proprietary data), improve AI systems using aggregated data.

To Communicate: Build notifications, support responses, service announcements, marketing (with consent — opt out anytime).

Legal Compliance: Respond to legal requests, prevent fraud, enforce our Terms.

3. How We Share Information

We do not sell your personal information. We share data only with:

Infrastructure Providers: Google Cloud (database, hosting, storage), Stripe (payments), Anthropic (AI), GitHub (code), Cloudflare (DNS). All under data processing agreements.

Legal Requirements: When required by law, regulation, or legal process.

Business Transfers: In the event of a merger or acquisition, with advance notice.

4. Data Retention

Account data: Duration of account + 30 days after deletion.

Product and build data: Duration of subscription + 30 days after cancellation.

End User data: Duration of subscription + 30 days.

Payment records: 7 years (legal requirement).

Encrypted credentials: Deleted immediately on cancellation.

5. Data Security

We implement: AES-256-GCM encryption at rest, TLS 1.2+ in transit, secure password hashing (bcrypt), role-based access control, and automated security monitoring. We will notify affected customers within 72 hours of discovering a data breach.

6. Your Rights

All customers: Access, correct, or delete your personal data. Export End User data (CSV/JSON, within 30 days). Opt out of marketing.

EU/EEA/UK residents (GDPR): Additionally: restriction of processing, data portability, right to object, lodge complaints with your data protection authority.

California residents (CCPA): Right to know, right to delete, right to non-discrimination. We do not sell personal information.

To exercise any right, contact privacy@invoke.build.

7. International Data Transfers

Data may be processed in the US and Singapore. We use Standard Contractual Clauses and data processing agreements for international transfers.

8. Children's Privacy

The Service is not for individuals under 18. If your Product targets children, you are responsible for COPPA compliance.

9. Cookies

We use: session cookies (authentication), privacy-friendly analytics (Plausible/PostHog), and Stripe (payment processing). We do NOT use advertising cookies or cross-site tracking.

10. End User Privacy

If your Product collects End User data, you are responsible for providing your own Privacy Policy to End Users, obtaining consent, and complying with applicable data protection laws.

11. Data Processing Agreement

For GDPR purposes: we process End User data only on your instructions, use sub-processors listed above, implement security measures in Section 5, notify of breaches within 72 hours, and return/delete data on termination. For a formal signed DPA, contact privacy@invoke.build.

12. Changes

Material changes communicated 30 days in advance via email or in-app notification.

13. Contact

Email: privacy@invoke.build