Privacy notice

What we collect, what we do with it, and how to get it back or removed.

Who we are

Numirio is operated from Denysa Rachynskoho St., 25, Kyiv, Ukraine. We make invoicing software for solo business owners. When this notice says "we" or "us", we mean Numirio.

What we collect

  • Account data — name, email address, password hash (we never see your plaintext password), workspace name.
  • Business data — clients, invoices, line items, payment status, and any attachments you upload.
  • Identity from sign-in providers — if you use "Sign in with Google", we receive your email and a stable identifier so we can keep your sessions consistent. We never receive your Google password.
  • Payment metadata — Paddle is our merchant of record. They handle cards and billing details; we only see the plan, status, and tax breakdown they send back.
  • Operational logs — timestamps, IP addresses, and request metadata kept for short windows so we can debug issues and prevent abuse.

Why we process it

Under GDPR, our lawful bases are:

  • Contract performance — everything required to run your account: login, sending invoices, billing.
  • Legitimate interest — security, fraud prevention, and basic product analytics.
  • Consent — anything optional, like marketing email. You can withdraw it anytime.

Subprocessors

We rely on a small set of providers:

  • Railway — hosting, Postgres database, object storage for PDFs.
  • Paddle — billing as merchant of record.
  • Google — OIDC sign-in, only if you choose to use it.
  • Resend — transactional email (verification, magic links, invoice delivery).

How long we keep it

Account data lives as long as your account is active, plus 30 days after deletion for support and dispute windows. Invoice and financial records are kept for at least seven years where tax law requires it. Operational logs roll off in 30 days.

Your rights

You can request access, correction, deletion, restriction, portability, or objection at any time. Email contact@numirio.com and we'll reply within 30 days.

Where your data lives

Data is processed in Railway's EU and US regions. Where transfers happen outside the EEA, we rely on Standard Contractual Clauses with our subprocessors.

Changes to this notice

We surface meaningful changes inside the dashboard and via email before they take effect. The latest version is always at numirio.com/privacy.

Contact

Email contact@numirio.com for anything privacy-related. The same inbox handles terms and security questions.