1. Scope of processing
We process data required to operate the Invix administration platform: user account data (such as email), company data, invoicing data, received document data, document attachments, export metadata, and technical operational logs.
2. Purposes of processing
Data is processed for user authentication, company and role management, invoice creation/editing, received document import and processing, document export (PDF/ZIP), statistics display, and secure service operation.
3. Categories of data
The application may process identification and contact data of suppliers/customers (name, address, company ID, tax/VAT IDs, email, phone), banking data (IBAN, SWIFT), invoice and line-item data, received document data (including attachments), IMAP account settings, and data derived from automated document processing.
4. Data storage and browser-local data
Data is stored in the operator's infrastructure (database, document file storage, queues, cache). In the browser, we use localStorage for the auth token, the selected company, the date filter, and the UI language. Documents and company media (for example logo/stamp) are available only to authorized users.
5. Automated document processing (AI)
When received documents are processed, document content may be sent to an external AI provider to extract structured data (currently a Gemini model via the Prism integration). Processing is limited to extracting document fields for the user.
6. Third-party services
Depending on configuration, we use third-party services: Gemini API (AI extraction), Frankfurter API (exchange rates), the IMAP servers of customers' email providers (attachment import), and Slovensko Digital public registry datasets (legal entity enrichment). Real-time notifications are implemented via Laravel Reverb (Pusher-compatible protocol) on the operator's infrastructure.
7. Legal basis
The legal basis is primarily contract performance, legitimate interest in secure platform operation, and compliance with legal obligations (especially invoicing/accounting obligations).
8. Retention period
Data is retained for the duration of the contractual relationship and subsequently according to statutory obligations or internal retention rules. Technical logs are retained proportionally to security needs.
9. Security
We use token-based authentication, authorization rules based on company membership and role, restricted media access, and standard technical and organizational safeguards. IMAP account passwords are stored encrypted in the database.
10. Data subject rights
You have the right of access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with the competent supervisory authority. Requests can be submitted by contacting the service operator.
11. Transfers outside the EEA
If AI functionality or other external services are enabled, data may be transferred outside the EEA under the relevant provider terms. In such cases, appropriate GDPR safeguards apply.
12. Contact
Operator contact details and current data-processing information are provided in contractual or client documentation.