This policy explains what personal data the Invoice Organizer iOS application (“the App”, bundle ID com.invoiceorganizer.app) collects, why, and what your rights are under Regulation (EU) 2016/679 (GDPR) and Law 4624/2019 (Greece).
1. Data we collect
| Category | What | Source | Purpose | Legal basis |
|---|---|---|---|---|
| Identifiers | Phone number, Firebase UID | You (sign-in) | Account authentication | Art. 6(1)(b) GDPR |
| Profile | Role (freelancer / business / accountant), optional ΑΦΜ | You | Tailoring the app and exports | Art. 6(1)(b) |
| Receipt content | Photos of receipts/invoices and extracted fields (vendor, vendor ΑΦΜ, total, date, category, note) | You (camera, photo library) | Storing and organising your receipts | Art. 6(1)(b) |
| Device tokens | Apple Push Notification (APNs) token | iOS | Securing phone-number sign-in | Art. 6(1)(f) |
| Diagnostics | Crash logs, basic usage events | iOS / Firebase | Stability and quality | Art. 6(1)(f) |
We do not collect: bank account or card numbers, government ID images, location, contacts, microphone audio, or health data.
2. How data is processed
Receipt images you capture or import are uploaded to Firebase Storage under your user-scoped path. Image content is also sent to Google’s Gemini model via Firebase AI Logic so the app can extract vendor name, vendor ΑΦΜ, amount, date, and category. The extracted fields are written to Firebase Firestore under your user document. Images and metadata are scoped per-user and access is enforced by Firestore and Storage security rules.
3. Sub-processors
- Google Ireland Limited / Google LLC — Firebase Authentication, Firestore, Cloud Storage for Firebase, Firebase AI Logic (Gemini 2.5 Flash via Google AI). EU and US regions; transfers covered by Standard Contractual Clauses and the EU–US Data Privacy Framework.
- Apple Inc. — Apple Push Notification service (APNs), App Store distribution.
4. International transfers
Some processing occurs on Google infrastructure outside the EEA. Transfers rely on the EU Commission’s Standard Contractual Clauses and, where applicable, Google’s adherence to the EU–US Data Privacy Framework.
5. Retention
Receipt records and images are kept for as long as your account exists. You can delete individual receipts in-app at any time. When you delete your account, we delete your Firestore document and your Storage folder within 30 days, except where retention is required by Greek tax or accounting law.
6. Your rights
Under GDPR you have the right to access, rectify, erase, restrict, port, and object to processing of your data, and to lodge a complaint with the Hellenic Data Protection Authority (www.dpa.gr). To exercise these rights, email johnkotsias@hotmail.gr.
7. Children
The App is not directed to children under 16. We do not knowingly collect data from children.
8. Security
Data in transit is encrypted with TLS. Data at rest in Firestore and Storage is encrypted by Google. Access from the App is authenticated by Firebase ID tokens and constrained by security rules to your own user ID.
9. Push notifications
The app registers for remote notifications solely so Firebase Authentication can send silent verification pushes during phone-number sign-in. We do not send marketing pushes.
10. Changes
We will post any material change to this policy at this URL and update “Last updated”. Continued use after a change constitutes acceptance.
11. Contact
Giannis Kotsias
Greece
johnkotsias@hotmail.gr