Privacy Policy
Crest Invoice is a personal software project operated by the Crest Invoice Team: Alina Riaby and Pavel Riaby.
This policy explains what happens to personal data when you create an invoice, use a Live Invoice, request returning access, contact us, or visit a Crest page. It also explains which information stays in your browser. If something is not clear, email support@crest-invoice.com.
Identity and joint-controller arrangement
Alina Riaby and Pavel Riaby are joint controllers. Crest Invoice Team is a descriptive team name, not an incorporated legal entity.
They jointly decide why and how Crest processes personal data and share responsibility for notice accuracy, rights handling, processor and transfer decisions, security, and incident response. They use support@crest-invoice.com as their common public contact. You may exercise your rights against either of them. Their internal allocation of work does not restrict those rights.
Crest does not sell or rent personal data, disclose it for advertising, or use it for targeted advertising.
Categories, sources, purposes and lawful bases
The data Crest receives depends on the feature you choose. Invoice data often comes from the invoice creator rather than directly from the client named on the invoice. An invoice creator must have authority to provide client data. Crest does not assume that the invoice recipient has a contract with Crest.
| Purpose | Data and source | Why Crest processes it |
|---|---|---|
| Create a PDF or print an invoice | Invoice fields you enter, including the parties, items, amount, dates, notes and payment instructions | The requested browser-only function. The invoice content stays in the browser unless you choose a server-backed feature. A web request can still create limited infrastructure logs. |
| Create, host, send and operate a Live Invoice | Invoice and contact fields supplied by the creator; tokens, state, client-reported payment and Undo events, owner close state, and delivery metadata generated through use | To provide the service the creator requests. Narrow security, abuse and operational records may rely on legitimate interests after minimization and balancing. |
| Provide Account-Lite access | Owner email, one-time-code metadata, secure access session and invoice associations | To verify the requested access and protect it. Crest does not use the code or access session for marketing. |
| Handle waitlist, contact and completion follow-up | Name, company and email you submit, plus limited source or campaign information | To answer a request. Optional waitlist or marketing contact uses a specific choice where required, and withdrawal is as easy as sign-up. |
| Send transactional email and provide support | Addresses, subject, limited delivery metadata and the contents you send to support | To deliver the requested invoice, access code, notification or support response, and for narrow operational or legal needs. Transactional addresses are not silently reused for marketing. |
| Protect the service and respond to incidents | Request metadata, authentication and action events, rate-limit records and narrow audit evidence | Legitimate interests in preventing abuse and maintaining the service, and legal obligations where they apply, subject to minimization and retention limits. |
| Measure product use | Minimized first-party journey events and cookie-free Gnomik-hosted Umami events | Legitimate interests in understanding aggregate product use after necessity and balancing review. Functional session state is kept separate from passive analytics. |
| Meet legal duties and handle claims | Only the account, invoice, communication, security or audit evidence needed for the specific duty or claim | A relevant legal obligation or the establishment, exercise or defence of a claim. This is not a general reason to keep all product data. |
PDF-only invoice content stays in the browser and in the file or print destination you choose. Crest receives invoice content only when you expressly choose a Live Invoice, Send, requested recovery, or another server-backed feature and the interface says what will be sent before submission.
Recipients, processors and transfers
Crest shares data only for the selected function or where disclosure is necessary and legally required:
- Hetzner provides the infrastructure used to run the Crest application and store its server-side data.
- Beget carries incoming and outgoing email for Crest.
- Product-measurement requests use a Gnomik-hosted Umami endpoint. The live analytics endpoint is delivered through Cloudflare before reaching its origin.
- An invoice creator and recipient receive the invoice information and status appropriate to their roles.
- Professional advisers, public authorities or courts receive information only when it is necessary for advice, a legal duty or a specific claim.
A provider's public general terms do not by themselves prove the role, region, subprocessors, retention or transfer arrangement for Crest's exact account. Crest therefore does not infer a country, adequacy status or safeguard from a network route. Those details are stated only when the exact Crest arrangement has been verified. Processing may occur outside your country; contact support@crest-invoice.com for the current verified provider and transfer information relevant to your request.
Retention and deletion
Crest publishes a fixed maximum only where this release enforces and tests it. For other records, the objective deletion trigger or current control is stated without turning the future Task 6 target into a present promise:
- Temporary Live Invoices: the later of creation or the end of the due date, plus 30 days; tombstone hashes for a further 30 days.
- Demo invoices: no more than 24 hours; demo tombstone hashes: 7 days.
- When the owner deletes a managed Live Invoice, Crest removes the primary invoice, access, create/action idempotency, and delivery-claim rows. Some event or sent-email evidence can remain for narrow operational or legal needs. This release claims no fixed maximum yet for managed records or their remaining supporting evidence.
- Invoice-linked delivery claims are removed under the current invoice expiry or owner-deletion paths. Standalone delivery and sent-email evidence has no enforced expiry in this release. This release claims no separate fixed maximum yet for delivery records.
- One-time verification codes expire after 30 minutes; Account-Lite cookies expire after 30 days. Those deadlines stop the code or cookie from granting access; this release does not prove deletion of every related durable server-side row on those deadlines and claims no separate fixed maximum yet for server-side code and access records.
- Verified-owner payment defaults are stored only after an explicit save in a verified owner session and can be replaced by saving new defaults. This release claims no fixed maximum yet for server-side payment defaults. No anonymous browser key stores payment defaults.
- Completion events: 30 days. Completion leads older than 30 days are deleted only when no in-window completion event or Live Invoice references them. Live Invoice-linked completion leads have no fixed maximum claimed yet.
- Waitlist leads: 180 days, with earlier deletion when consent is withdrawn or the contact is no longer needed.
- First-party journey events: 90 days.
- Normal Crest-controlled Nginx and application request logging is disabled; this configuration creates no ordinary Crest access-log retention.
- Support messages are deleted through the mailbox or provider controls when they are no longer needed for the request or a specific legal need. This release claims no fixed maximum yet for support messages.
- Crest has not verified an automated rolling-backup expiry control for this release. This release claims no fixed maximum yet for backups.
- Isolated rights, security, or legal records are reviewed and deleted when the specific need ends and are not reused for product measurement or marketing. This release claims no fixed maximum yet for isolated rights, security, or legal records.
The current fixed retention period for provider-controlled Gnomik/Umami, Cloudflare, Hetzner and Beget technical or business records is not stated because the exact Crest-account period has not been objectively established. Crest does not turn an unknown provider period or deletion timeline into a promise. A rights response will describe the actual verified provider outcome that applies to the request.
You may delete hosted data through the available product control or ask support@crest-invoice.com. The deletion result follows the trigger-specific rules above: a managed owner deletion removes the primary invoice, access, create/action idempotency and delivery-claim rows, while some narrow event or sent-email evidence can remain. Provider propagation and backup deletion timing are reported only when they have been verified for the request. Crest will explain any narrow operational or legal exception that actually applies.
Rights and complaints
Depending on the law that applies, you may ask to access, correct or delete personal data; restrict processing; receive portable data; object to processing based on legitimate interests; object to direct marketing; withdraw consent without affecting earlier lawful processing; and ask about safeguards against solely automated decisions. Crest does not use invoice data for solely automated decisions with legal or similarly significant effects.
Send a request to support@crest-invoice.com and identify the feature or invoice involved without sending unnecessary sensitive data. Crest may request only the information reasonably needed to verify that data belongs to you. Crest will respond within the time set by the governing law. Requests are normally free; a lawful fee or refusal may apply only to a manifestly unfounded or excessive request, with an explanation.
You may complain to the competent data-protection authority. In Serbia this is the Commissioner for Information of Public Importance and Personal Data Protection. That complaint path is not your only remedy.
Security, incidents, children and changes
Crest uses encryption in transit, secure HTTP-only access cookies, high-entropy access links, data minimization and access controls where the released feature supports them. Access links should be treated like passwords and shared only with the intended person. No internet service is completely secure.
Report a suspected privacy or security incident to support@crest-invoice.com. Crest will assess the facts, contain the issue, preserve only necessary evidence and notify affected people or authorities when the applicable law requires it.
Crest is intended for people aged 18 or older who have legal capacity and authority to issue invoices or act for the invoice sender. It is not directed to children. If child data was submitted without appropriate authority, email support@crest-invoice.com so Crest can assess and delete it.
The effective date and version appear at the top. Material changes will be announced through an appropriate product or email notice, and prior versions will remain retrievable. Continued use does not supply consent for a new purpose when the law requires a separate choice.
Browser storage and analytics
Browser storage is broader than cookies. Crest documents browser mechanisms and the separate analytics network transmission together:
| Mechanism | Data and purpose | Browser lifetime | Does data leave the browser, and to whom? | Classification and server retention |
|---|---|---|---|---|
__Host-crest_access and __Host-crest_invoice_access | Requested Account-Lite and invoice access; secure, HTTP-only, SameSite=Lax, Path / | Up to 30 days | Sent only to Crest with matching requests | Necessary for the access you request after verification; Crest maximum 30 days |
crest-theme | Remembers a theme you choose | Until you clear browser data | No | User-requested preference |
| Verified-owner payment defaults (server-side, not an anonymous browser-storage key) | Reuses payment instructions only after you explicitly save them in a verified owner session | No anonymous browser-storage lifetime; access is returned only through the verified session | Yes, to Crest when you explicitly save them | User-requested server-side convenience; replaceable by saving new defaults; no fixed maximum claimed yet |
| Requested draft, live, demo, report and Undo keys | Draft recovery and idempotency for the operation you start | Browser-session lifetime unless the interface states otherwise | Only the requested operation key and data are sent to Crest | Necessary functional state for that operation |
crest-generator-session-id | Created only after a generator or feature action needs functional idempotency or draft recovery | Browser-session lifetime | It can accompany the requested Crest operation but is not sent to Gnomik | Necessary only for the deliberate function, not passive measurement |
| Gnomik/Umami analytics request (network transmission) | Sends the Crest website identifier, hostname and URL path for aggregate product measurement. The network connection also exposes request metadata such as IP address and user agent to the receiving infrastructure. Query and hash values, invoice content, the Crest session id and optional performance data are excluded. | One request per measured page or event; it does not persist data in browser storage | Yes, to analytics.gnomik.org, delivered through Cloudflare before the unverified origin | Non-essential aggregate measurement; the exact provider retention period remains unknown |
umami.disabled | Records an explicit Gnomik/Umami analytics opt-out for this site | Until you opt in or clear it | The tracker reads the preference locally; it does not send the preference value as a Crest identifier | User-controlled analytics preference; separate from the analytics request |
Local and session storage are not cookies, but storage or access on a device can still be subject to terminal-device rules.
The minimized Gnomik/Umami configuration is cookie-free, does not receive a Crest Distinct ID or persistent Crest client identifier, and is not used for advertising, fingerprinting or cross-site tracking. Official Umami documentation describes anonymous sessions created server-side, but Crest does not assert the exact Gnomik hashing or salt configuration without deployed-instance verification. The minimized tag respects browser Do Not Track, excludes URL query and hash values, and leaves optional performance collection off. Gnomik/Umami is separate from crest-generator-session-id.
The Analytics privacy control lets you opt out or opt back in. Opting out sets only the documented per-site preference; opting in removes it. Crest uses no generic cookie banner in this minimized configuration. This is Crest's product configuration, not a court or regulator decision. The posture applies only to the mechanisms listed here and is reviewed whenever storage, payloads, providers or applicable law change.