Introduction
Invaro Inc (“we”, “our”, or “us”) operates the Invaro API service. This page informs you of our policies regarding the collection, use, and disclosure of personal data when you use our Service and the choices you have associated with that data.
Information Collection and Use
We collect several different types of information for various purposes to provide and improve our Service to you:
- Account information (email address, name)
- Usage data (API calls, request logs)
- Payment information (processed securely by our payment provider)
- Documents uploaded for processing: processed temporarily with bank-grade AES-256 encryption using zero-knowledge processing (documents remain encrypted throughout the entire processing pipeline and are not permanently stored)
Use of Data
We use the collected data for various purposes:
- To provide and maintain our Service
- To notify you about changes to our Service
- To provide customer support
- To detect, prevent and address technical issues
- To improve our Service
Zero-Knowledge Document Processing
Invaro is designed with privacy at its core. We employ a zero-knowledge processing approach where:
- Your documents are processed in real-time without being permanently stored on our servers
- We extract only the structured data you need (transactions, amounts, dates) without retaining the original document content
- Processing happens in isolated, ephemeral environments that are destroyed after each request
- We maintain minimal operational logs for service reliability and support purposes only
Security and Privacy Practices
We implement comprehensive security measures to protect your data throughout the processing lifecycle:
- Encryption in Transit: All data transmissions use TLS 1.3 encryption
- Encryption at Rest: Any temporary data is encrypted using industry-standard AES-256 encryption
- Access Controls: Role-based access controls following the principle of least privilege
- Infrastructure Security: We leverage enterprise-grade cloud infrastructure with built-in security controls
- Regular Security Reviews: Continuous monitoring and regular security assessments of our systems
- Data Minimization: We collect and process only the minimum data necessary for service functionality
- Secure Development: Security-first development practices including code reviews and vulnerability scanning
Our infrastructure partners and third-party services maintain SOC 2 Type II compliance and other industry certifications to ensure enterprise-grade security standards.
Data Retention
We practice responsible data retention aligned with our zero-knowledge approach. As stated in our security commitments, your data stays private - even from us:
- Documents: Processed in real-time and are not permanently stored on our systems
- Extracted Data: Structured data (transactions, amounts, dates) may be temporarily retained as needed for service functionality
- Processing Logs: Minimal operational logs retained for a limited period to ensure service quality and customer support
- Account Information: User account and billing data retained as required for business operations and legal compliance
Enterprise Customers: We provide custom Data Processing Agreements (DPAs) with specific retention periods, data residency requirements, and enhanced security controls tailored to your organization's compliance needs.
Enterprise & Compliance
For enterprise customers and organizations with specific compliance requirements, we offer:
- Custom Data Processing Agreements (DPAs): Tailored agreements meeting your specific legal and regulatory requirements
- Data Residency Options: Choose where your data is processed and stored to meet jurisdictional requirements
- Enhanced Security Controls: Additional security measures including dedicated processing environments
- Audit Documentation: Comprehensive security documentation and audit reports for compliance teams
- Custom Retention Policies: Flexible data retention schedules aligned with your business and legal requirements
- Dedicated Support: Priority support with dedicated account management and technical assistance
We are currently pursuing SOC 2 Type II certification (expected Q4 2025) and work with organizations across regulated industries including finance, healthcare, and government sectors.
Your Data Protection Rights
You have the following data protection rights:
- The right to access your personal data
- The right to update or correct your personal data
- The right to request deletion of your personal data
- The right to object to processing of your personal data
- The right to data portability
Changes to This Privacy Policy
We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the “Last updated” date at the top of this Privacy Policy.
Contact Us
If you have any questions about this Privacy Policy, please contact us:
- By email: support@invaro.ai
- By visiting our website: https://invaro.ai