Privacy Policy

This Privacy Policy describes how the operator of the Aegis platform ("Aegis", "we", "our", or "us") collects, uses, and shares personal information when you use the Aegis invoicing platform at aegisinvoice.com (the "Service"). This Policy is incorporated by reference into our Terms of Service.

1. Who this policy applies to

This Policy applies to:

• Account users, meaning individuals who sign in to Aegis on behalf of a Customer organization (Aegis team members, Admins, Managers, Team Leads, and Users);
• Invoice recipients, meaning individuals whose email, name, and billing details are entered by a Customer organization into Aegis for the purpose of being invoiced;
• Website visitors, meaning anyone browsing our marketing pages at aegisinvoice.com.

2. Information we collect

2.1 Account data

When you create or are invited to an Aegis account, we collect your name, email address, role, password hash (Argon2id), and metadata about the organization and teams you belong to.

2.2 Invoice and customer data

Customers may enter information about their own customers into Aegis, including name, email, phone, and billing address. That data is controlled by the Customer; Aegis processes it as a service provider on the Customer's behalf.

2.3 Payment information

Aegis does not collect or store full card numbers, card verification values (CVV or CVC), or card expiration dates. When an invoice is paid, cardholder data is entered into the payment provider's hosted form and is processed by the provider directly. Aegis receives only the transaction status, provider transaction ID, authorization code, card brand (for example, Visa or Mastercard), and the last four digits of the card number. A defense-in-depth scrubber strips any unexpected sensitive fields before persistence.

2.4 Technical and security data

We log IP address, user agent, and timestamps for authentication, abuse prevention, fraud detection, and auditing. These records are associated with user sessions and audit-log entries.

2.5 Cookies

We use a small number of first-party cookies:

• aegis_token, an authentication session token (HttpOnly, Secure);
• aegis_theme, which remembers your light or dark theme preference.

We do not use third-party advertising or tracking cookies.

3. How we use information

• to provide, operate, and maintain the Service;
• to authenticate users and enforce the role hierarchy and scoping model;
• to process invoices and reconcile payments;
• to detect, investigate, and prevent security incidents;
• to maintain a tamper-evident audit trail of material activity;
• to communicate with you about the Service (transactional email and support);
• to comply with legal obligations.

We do not sell personal information and we do not use it for behavioral advertising.

4. Legal bases (for users in the EEA and UK)

Where applicable, we rely on the following legal bases:

• Contract, to provide the Service you or your organization requested;
• Legitimate interests, to secure the Service, prevent fraud, and audit activity;
• Legal obligation, to comply with applicable law;
• Consent, where required (and revocable at any time).

5. Sharing of information

We share personal information only with:

• Payment providers (for example, Authorize.Net) as required to process the transactions you initiate;
• Email delivery services for transactional email;
• Hosting and infrastructure providers under contractual confidentiality and data-protection terms;
• Law enforcement or government authorities when required by law or to protect rights, safety, or property, or in connection with a corporate transaction (for example, a merger or acquisition).

6. Data retention

We retain account data for the life of the account and for a reasonable period after termination for legal, tax, and audit purposes. Audit logs may be retained for up to the retention window stated in your subscription plan. On account termination, tenant data is permanently deleted thirty (30) days after the export window closes.

7. Security

We take security seriously. Highlights include AES-256-GCM encryption for payment-provider credentials at rest, Argon2id password hashing, single-session enforcement, TLS 1.3 in transit, a tamper-evident audit log, and rate limiting on sensitive endpoints. No system is perfectly secure; we do not warrant that unauthorized access will never occur. See our Security page for details.

8. Your choices and rights

Depending on your jurisdiction (including under GDPR, UK GDPR, CCPA/CPRA, and similar laws), you may have rights to:

• access the personal information we hold about you;
• request correction or deletion;
• object to or restrict processing;
• request portability of your data;
• opt out of the "sale" or "sharing" of personal information as those terms are defined by U.S. state privacy laws (we do not engage in either).

To exercise these rights, email support@aegisinvoice.com. If you are an invoice recipient, please contact the organization that invoiced you first, because it is the controller for your information.

9. International transfers

Personal information may be processed in countries other than the one in which you reside, including the United States. Where required, we use contractual safeguards such as the Standard Contractual Clauses to protect cross-border transfers.

10. Children

The Service is not directed at children under 16, and we do not knowingly collect personal information from children. If we learn we have collected such information, we will delete it promptly.

11. Changes to this Policy

We may update this Privacy Policy from time to time. When we make material changes we will notify you by email or through the Service, and we will update the Effective date above.

12. Governing law

This Policy is governed by the laws of the State of Delaware, United States, without regard to its conflict-of-laws principles, consistent with the governing-law and dispute-resolution provisions of our Terms of Service.

13. Contact

Questions or data-subject requests? Email us at support@aegisinvoice.com.