All policies
Legal

Privacy Policy

Last updated April 1, 2026 · v1.0

1. Introduction

Invoco ("we," "us," "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard personal data in connection with our business system service (the "Service").

This Policy applies to:

  • Businesses who subscribe to our Service
  • Staff who use the Service on behalf of Businesses
  • Customers who place orders via QR codes

By using the Service, you consent to the practices described in this Policy.

Compliance: This Policy is compliant with Singapore's Personal Data Protection Act (PDPA) 2012.

2. Data Controller

Invoco
Email: legal@invoco.org
Website: https://invoco.org

For privacy-related inquiries, contact: legal@invoco.org

3. Personal Data We Collect

3.1 Restaurant Data

When a Restaurant creates an Account, we collect:

  • Business name, address, phone number, email
  • Unique Entity Number (UEN) or business registration details
  • GST registration number (if applicable)
  • Authorized representative's name and contact information
  • Stripe Connected Account ID (for payment processing)

3.2 Staff Data

When Staff are added to the Service, we collect:

  • Name
  • Role/position
  • PIN hash (for authentication purposes)
  • Shift schedules and clock-in/out times
  • Activity logs (orders processed, actions taken)

3.3 Customer Data

When Customers place orders, we may collect:

  • Name (optional, for table service or delivery)
  • Phone number and/or email (optional, for order updates or loyalty program)
  • Order history and preferences
  • Payment information (tokenized via Stripe; we do not store full card details)
  • QR scan metadata (table number, timestamp, device information)

3.4 Usage and Technical Data

We automatically collect:

  • IP address, browser type, device information
  • Pages viewed, clicks, session duration
  • Error logs and diagnostic data
  • Cookies and similar tracking technologies (see our Cookie Policy)

3.5 Third-Party Data

We receive data from:

  • Stripe: Payment transaction details, payout information
  • Cloudflare: Web analytics, traffic data, security logs
  • Supabase: Database logs, authentication events

4. How We Use Personal Data

4.1 To Provide the Service

  • Create and manage Restaurant Accounts
  • Process orders and payments
  • Enable Staff authentication and access control
  • Display menus and facilitate QR ordering
  • Generate reports and analytics

4.2 To Improve the Service

  • Analyze usage patterns and trends
  • Troubleshoot issues and improve performance
  • Develop new features

4.3 To Communicate

  • Send transactional emails (order confirmations, receipts, password resets)
  • Provide customer support
  • Send service updates and security notices
  • Marketing communications (with consent; opt-out available)

4.4 For Legal and Security Purposes

  • Comply with legal obligations (PDPA, IRAS tax records, subpoenas)
  • Prevent fraud and abuse
  • Enforce our Terms of Service
  • Protect our rights and property

5. Legal Bases for Processing (PDPA)

Under Singapore's PDPA, we process personal data based on:

PurposeLegal Basis
Account creation and managementConsent (when you create an Account)
Order processingConsent (when Customer places order)
Payment processingContractual necessity
Service improvementLegitimate interest
Legal complianceLegal obligation (e.g., IRAS records retention)
Marketing communicationsConsent (opt-in; opt-out available)

6. Data Sharing and Disclosure

6.1 Service Providers (Sub-Processors)

We share personal data with trusted third parties to provide the Service:

ProviderPurposeLocationSafeguards
SupabaseDatabase hosting, authenticationUnited StatesData Processing Agreement, encryption
StripePayment processingUnited StatesPCI-DSS compliant, Stripe DPA
CloudflareHosting, CDN, analytics, DDoS protectionGlobal networkData Processing Agreement, encryption

Cross-Border Transfers: Data may be transferred to the United States. We rely on:

  • Standard Contractual Clauses (SCCs)
  • Data Processing Agreements with all sub-processors
  • Encryption in transit and at rest

6.2 Legal Disclosures

We may disclose personal data if required by law:

  • To comply with court orders, subpoenas, or regulatory requests
  • To enforce our Terms of Service
  • To protect our rights, safety, or property
  • To investigate fraud or security incidents

6.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity. We will notify you and ensure the new entity complies with this Policy.

6.4 Your Consent

We do not sell, rent, or share personal data for marketing purposes without explicit consent.

7. Data Retention

Data TypeRetention PeriodReason
Restaurant AccountDuration of Subscription + 30 daysService provision, data export opportunity
Staff DataDuration of Staff employment + 30 days after removalService provision
Customer Order DataDuration of Restaurant Subscription + 30 daysService provision, dispute resolution
Financial Records7 years after transactionIRAS compliance (Income Tax Act)
Analytics/Logs12 monthsService improvement, security

After the retention period, data is permanently deleted using secure deletion methods.

8. Your Rights Under PDPA

You have the following rights:

8.1 Right to Access

Request a copy of your personal data we hold (data portability available via Account dashboard).

8.2 Right to Correction

Request correction of inaccurate or incomplete personal data.

8.3 Right to Withdraw Consent

Withdraw consent for marketing communications or optional data collection (does not affect prior processing).

8.4 Right to Data Portability

Export your data in a machine-readable format (CSV, JSON).

8.5 Right to Lodge a Complaint

File a complaint with the Personal Data Protection Commission (PDPC) Singapore if you believe we have violated PDPA.

How to Exercise Your Rights:

  • Email: legal@invoco.org
  • Via Account dashboard: Settings > Privacy

We will respond within 30 days of your request.

9. Data Security

We implement industry-standard security measures:

  • Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
  • Access Controls: Role-based access, staff PIN authentication, multi-factor authentication (MFA) for Accounts
  • Monitoring: Real-time security monitoring via Cloudflare
  • Audits: Regular security audits and vulnerability scans
  • Incident Response: Data breach notification within 72 hours (as required by PDPA)

Your Responsibility: Keep your Account credentials and Staff PINs secure. Do not share them with unauthorized persons.

10. Cookies and Tracking Technologies

We use cookies and similar technologies to:

  • Authenticate users
  • Remember preferences
  • Analyze usage patterns
  • Improve performance

Types of Cookies:

  • Strictly Necessary: Required for Service functionality (authentication, session management)
  • Analytics: Track usage patterns (Invoco tracking script, Cloudflare Web Analytics)
  • Functional: Remember preferences (language, layout)

For detailed information, see our Cookie Policy.

Cookie Consent: By using the Service, you consent to our use of strictly necessary cookies. For analytics cookies, you can opt-out via your browser settings or our cookie consent banner.

11. Third-Party Links

The Service may contain links to third-party websites (e.g., Stripe dashboard). We are not responsible for their privacy practices. Please review their privacy policies.

12. Children's Privacy

The Service is not intended for children under 13. We do not knowingly collect personal data from children under 13 without parental consent.

Staff Under 18: Restaurants are responsible for obtaining parental consent for Staff under 18 (if required under Singapore law).

13. International Data Transfers

Personal data may be transferred to and stored in countries outside Singapore (e.g., United States for Supabase and Stripe).

Safeguards:

  • Standard Contractual Clauses (SCCs) approved by the European Commission and recognized by PDPC
  • Data Processing Agreements with all sub-processors
  • Encryption and secure transmission protocols

14. Data Breach Notification

In the event of a data breach involving personal data, we will:

  1. Notify affected individuals within 72 hours (if required by PDPA)
  2. Report to the Personal Data Protection Commission (PDPC) if necessary
  3. Provide details of the breach, data affected, and remedial actions taken

15. Changes to This Policy

We may update this Policy periodically. Material changes will be notified via:

  • Email to your registered address
  • Notice on our website at /privacy
  • In-app notification

The "Last Updated" date at the top will be revised. Continued use after changes constitutes acceptance.

16. Contact Us

For privacy-related questions or to exercise your rights, contact:

Invoco
Email: legal@invoco.org
Website: https://invoco.org

Personal Data Protection Commission (PDPC) Singapore:
Website: https://www.pdpc.gov.sg
Email: info@pdpc.gov.sg