Privacy Policy

Last updated: May 4, 2026

1. Identity and Contact Details of the Controller

Greenstamp Software, Inc. ("Greenstamp", "we", "our", or "us") is the data controller responsible for your personal data when you use our electronic invoicing platform and related services.

  • Controller: Greenstamp Software, Inc.
  • Address: 2093 Philadelphia Pike #6970, Claymont, DE 19703, United States
  • Privacy contact: privacy@greenstamp.io
  • EU Representative (Art. 27 GDPR): We have appointed EU Rep as our Representative under Article 27 of the EU General Data Protection Regulation ("GDPR"). All GDPR queries from EU Data Subjects or Data Protection Authorities should be submitted to eurep.ie via their dedicated form. BizLegal Ltd trading as EU Rep, 27 Cork Road, Midleton, Co. Cork, Ireland. Company number 635921.

This policy explains what personal data we collect, why we process it, with whom we share it, and the rights you have under the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.

European Representative under Article 27 of GDPR

We have appointed EU Rep as our Representative under Article 27 of the EU General Data Protection Regulation ("GDPR"). All GDPR queries from EU Data Subjects or Data Protection Authorities should be submitted to eurep.ie via their dedicated form.

BizLegal Ltd trading as EU Rep have their registered office at 27 Cork Road, Midleton, Co. Cork, Ireland. Company number 635921.

2. Data We Collect

Account Data

  • Name and email address
  • Phone number (optional)
  • Password (stored in hashed form)
  • Authentication and session records

Business Data

  • Tax identification numbers (RFC, VAT ID, etc.)
  • Business addresses and fiscal information
  • Digital certificates for invoice signing (where applicable)
  • Counterparty, customer, and vendor information you enter
  • Invoices, bills, receipts, and related financial documents

Usage Data

  • IP address, browser type, and device information
  • Access times and activity logs
  • Pages viewed and actions taken within the platform

AI Interaction Data

  • Conversations with the Greenstamp Copilot
  • Inputs submitted to AI features and their outputs

3. Purposes and Legal Basis for Processing (GDPR Art. 6)

We process your personal data on the following legal bases:

  • Performance of a contract (Art. 6(1)(b)): To provide core invoicing, billing, tax filing, and account management services you have contracted with us.
  • Legitimate interests (Art. 6(1)(f)): For platform security, fraud prevention, service analytics, and product improvement. You may object at any time.
  • Consent (Art. 6(1)(a)): For optional marketing communications and other features that request explicit consent. You may withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)): To comply with tax, accounting, and invoice-retention laws, and to respond to lawful requests from public authorities.

4. Recipients and Sub-Processors

We share your personal data with the following sub-processors, each bound by a data processing agreement:

Sub-Processor Location Purpose
Render Services, Inc. United States Cloud hosting, compute, and database
Amazon Web Services, Inc. United States File storage (S3) for invoice PDFs, receipts, data exports, and source documents
Storecove B.V. Netherlands PEPPOL network connectivity
SW Sapien S.A. de C.V. Mexico CFDI invoice stamping (PAC)
Stripe, Inc. United States Payment processing
Twilio Inc. United States SMS and WhatsApp message delivery for the Greenstamp Business Messaging program
Anthropic PBC United States AI-powered invoice features (Copilot)

5. International Transfers

Our servers are located in the United States. Personal data transferred from the European Economic Area (EEA) or the United Kingdom to the United States is protected by the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914) pursuant to GDPR Art. 46(2)(c). Copies of the applicable clauses are available upon request at privacy@greenstamp.io.

6. Retention Periods

  • Invoices and bills: 5 years from creation
  • Tax filings: 10 years
  • Activity logs: 7 years
  • Account data: duration of the account plus 30 days
  • AI conversation data: duration of the account

After the applicable retention period, personal data is deleted or anonymized.

7. Your Rights (GDPR Art. 15–22)

If you are located in the EEA, the United Kingdom, or another jurisdiction with equivalent rights, you have the right to:

  • Access: Obtain a copy of your personal data.
  • Rectification: Correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten"): Request deletion of your personal data, subject to legal retention obligations.
  • Restriction: Limit how we process your data.
  • Portability: Receive your data in a structured, machine-readable format.
  • Objection: Object to processing based on legitimate interests or for direct marketing.

You can exercise most of these rights directly from your Greenstamp account settings under "My Data", or by emailing privacy@greenstamp.io. You also have the right to lodge a complaint with your local supervisory authority.

8. Automated Decision-Making (GDPR Art. 22)

Greenstamp's AI features (Copilot) assist with invoice classification, data extraction, and validation. These features do not make automated decisions that produce legal effects or similarly significantly affect you. You may disable AI features at any time from your account settings.

9. Security Measures

  • AES-256 encryption for sensitive data at rest
  • TLS 1.3 encryption for data in transit
  • Secure storage of digital certificates with access controls
  • Role-based access controls and principle of least privilege
  • Regular security audits and vulnerability assessments

10. Cookies

Greenstamp currently uses only functional and essential cookies required for authentication, session management, and security. We do not use tracking cookies, advertising cookies, or third-party analytics cookies. Because no non-essential cookies are set, no consent banner is required.

11. SMS & WhatsApp Messaging

If your phone number is added to a Greenstamp customer's account as an authorized contact under our SMS / WhatsApp messaging program ("Greenstamp Business Messaging"), this section describes how we handle the data associated with that program. Full program terms — including how to opt in, opt out, message frequency, and HELP / STOP behavior — are at greenstamp.io/sms-terms.

Data we collect for the messaging program

  • Your phone number, including the channel prefix (e.g. whatsapp: or SMS)
  • The content of messages you send and receive on the program, including any media you attach (e.g. receipt or invoice photos)
  • Your consent state and history: whether you have replied YES to confirm enrollment, whether you have replied STOP to opt out, and the timestamps of those events
  • Delivery metadata returned by our messaging provider (message identifiers, delivery status, channel)

How we use it

We use messaging-program data solely to (a) deliver the operational messages you have opted in to receive from the business that added you, (b) honor your consent, opt-in, and opt-out preferences, (c) keep an audit record of what was sent and received for that business, and (d) provide and improve service reliability and abuse prevention on the messaging program itself.

Information sharing — what we do not do

We do not sell your phone number or the contents of your messages. We do not share your phone number or message content with third parties for their own marketing, advertising, or promotional purposes, and we do not use this data to send you marketing messages from Greenstamp. Mobile information will not be shared with third parties or affiliates for marketing or promotional purposes. The only third parties with access to messaging-program data are the sub-processors listed in Section 4 — specifically our messaging provider, Twilio Inc. — and only as required to deliver the messages on our behalf under a written data processing agreement. Consent to receive messages is not transferred to any third party or affiliate.

Opting out

You can stop all messages at any time by replying STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, or QUIT to any message on the program. We will record your opt-out, send a single confirmation, and stop sending you further messages. Your opt-out is honored separately from any other relationship you may have with the business that added you.

12. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by email and update the "Last updated" date above.

13. Contact Us