
Privacy Policy

Last updated: 26 June 2026

This Privacy Policy explains how InvoiceFlow collects, uses, shares, and protects your information when you visit invoiceflow.pk, create an account at app.invoiceflow.pk, or use our invoicing services. Please read it carefully so you understand how your data is handled.

1. Who We Are and Scope of This Policy

InvoiceFlow is a Pakistan-based software-as-a-service (SaaS) platform that helps B2B businesses — including manufacturers, importers, wholesalers, distributors, and corporates — issue FBR-compliant digital invoices. For each invoice, the platform obtains a real-time unique FBR Invoice Reference Number (IRN) and QR code through the Pakistan Revenue Automation (Pvt) Limited (PRAL) system.

This policy applies to our marketing website, our web application, and the services we provide. It does not apply to third-party websites or services that we link to but do not operate.

This policy, together with the consent you give when you register, governs how we handle your personal data. The specific legal grounds we rely on — and your right to withdraw consent — are set out in Section 4. Using InvoiceFlow does not, by itself, override those granular choices; where we rely on your consent for a particular activity, you can withdraw it as described below.

2. What Data We Collect

Account Data

When you register and use your account, we collect:

  • Company name
  • Email address (this also serves as your username / login)
  • Password — stored only in hashed form; we never store or have access to your plain-text password
  • Phone number
  • First and last name (optional)

Registration is protected by Google reCAPTCHA to prevent automated abuse, and accounts are created through our secure API.

Invoicing and Business Data

To generate FBR-compliant invoices, you provide information needed for each invoice, such as buyer/seller details, tax registration numbers, line items, amounts, and applicable tax data. This information is processed and transmitted to FBR/PRAL as described in Section 5.

Payment-Related Data

When you pay for a subscription, we collect and retain certain payment identifiers needed to confirm and reconcile your payment. Depending on the method you choose, these may include:

  • EasyPaisa / JazzCash — the mobile wallet number used to send payment, the transaction reference or transaction ID, and the amount and date.
  • Bank transfer — the transaction reference, and any bank account name, number, or IBAN you choose to provide to us when confirming a payment.

We do not collect or store credit/debit card numbers on our servers. Full details of how payment data is handled are in Section 6.

Usage and Log Data

When you use the platform, our servers automatically record technical information such as your IP address, browser type, device information, pages visited, timestamps, and error logs. This helps us operate, secure, and improve the service.

Cookies and Similar Technologies

We group cookies and similar technologies into two categories:

Essential cookies (required for the platform to function; set without separate consent because the service cannot be delivered without them):

  • Session cookies — to keep you logged in and maintain your session.
  • CSRF tokens — to protect against cross-site request forgery and keep your account secure.

Non-essential cookies (set by third parties for security analytics and bot detection):

  • Google reCAPTCHA — which may set cookies and collect device/usage signals to distinguish humans from bots. reCAPTCHA is loaded on registration and certain protected actions; by proceeding with those actions you consent to reCAPTCHA's cookies and to Google processing the related signals under Google's Privacy Policy. If you do not wish to allow these cookies, you may be unable to complete registration or those protected actions.

You can control or block cookies through your browser settings, but disabling essential cookies may prevent the platform from working correctly. This subsection serves as our cookie disclosure; we will publish a separate Cookie Policy if our use of cookies expands.

3. How We Use Your Data

We use the data we collect to:

  • Create and manage your account and authenticate your logins.
  • Generate FBR-compliant digital invoices, including obtaining the IRN and QR code via PRAL.
  • Provide, maintain, and improve our services and features.
  • Process your subscription, free trial, and payments.
  • Communicate with you about your account, support requests, service updates, and important notices.
  • Protect the security and integrity of the platform, including preventing fraud and abuse.
  • Comply with applicable legal and tax obligations.

4. Legal Basis and Consent

We do not rely on your mere use of the platform as blanket agreement to all processing. Instead, we process your personal data on one or more of the following specific legal grounds, depending on the activity:

  • Your consent — for example, for non-essential reCAPTCHA cookies and optional communications. Where we rely on consent, it is specific to that activity and you may withdraw it at any time by contacting us (see Section 9), without affecting processing already carried out.
  • Performance of our contract with you — to deliver the invoicing service you signed up for, manage your account, and process your payments.
  • Legitimate interests — in operating, securing, and improving the platform and preventing fraud and abuse, where these are not overridden by your rights.
  • Legal and regulatory obligations — to meet tax, e-invoicing, accounting, and record-keeping requirements applicable in Pakistan.

Withdrawing consent for an optional activity will not stop processing that we are required to carry out to provide the service or to meet a legal obligation; in such cases, withdrawing consent may mean you can no longer use part or all of the service.

5. Sharing With FBR/PRAL and Service Providers

FBR and PRAL (E-Invoicing Compliance)

A core function of InvoiceFlow is to make your invoices compliant with the Federal Board of Revenue (FBR) digital invoicing requirements. To do this, we transmit invoice data to FBR through the PRAL system in order to obtain the unique FBR Invoice Reference Number (IRN) and QR code. This sharing is essential to the service you request and to comply with applicable tax law and FBR notifications governing electronic/digital invoicing. Without it, FBR-compliant invoices cannot be issued.

Service Providers

We share limited data with trusted third parties who help us run the service:

  • Hosting and infrastructure providers — to store data and run the application.
  • Google reCAPTCHA — to verify that registrations and certain actions are made by humans, subject to Google's privacy practices.
  • WhatsApp — when you contact us via WhatsApp, your message and number are processed through that platform.
  • Payment providers (EasyPaisa, JazzCash, and banks) — when you pay by mobile wallet or bank transfer, the relevant payment identifiers (such as your wallet mobile number, transaction reference, or bank account details you provide) are processed by, or reconciled with, these providers to confirm your payment. Their handling of your data is also subject to their own privacy practices.

These providers are only permitted to use your data to provide services to us. We do not sell your personal data.

6. Payment Data

InvoiceFlow offers Starter, Business, and Enterprise plans (priced in PKR, billed monthly or yearly), with a 7-day free trial that requires no credit card. Payments are made via bank transfer, EasyPaisa, or JazzCash.

We do not collect or store credit/debit card numbers on our servers. When you pay, we collect and retain the following payment identifiers to confirm your subscription, reconcile accounts, and meet accounting and tax obligations:

  • EasyPaisa / JazzCash: the mobile wallet number used to make the payment, the transaction reference / transaction ID, and the amount and date.
  • Bank transfer: the transaction reference, and any bank account details (account title, account number, or IBAN) you choose to share with us to confirm the payment.
  • All methods: the payment method used, amount, date, and the plan to which the payment relates.

Payments processed through EasyPaisa, JazzCash, or your bank are also subject to those providers' own privacy practices, and these providers are listed among the third parties in Section 5. Retention of payment and invoice records is governed by Section 7.

7. Data Retention

We retain your account and invoicing data for as long as your account is active and as needed to provide the service. Where the law requires us (or requires you, as the taxpayer we support) to keep records, we retain the relevant invoice, payment, and tax records for the statutory record-keeping period.

In particular, under Section 24 of the Sales Tax Act, 1990, records and documents must be retained for six years (and longer where a matter is pending before any authority or court), and under Section 174 of the Income Tax Ordinance, 2001, records must be maintained for six years after the end of the relevant tax year (subject to extension where proceedings are pending). Accordingly, we retain invoice and tax-related records for at least this period.

We may also retain certain records for longer where needed to resolve disputes or to enforce our agreements. When data is no longer required for these purposes, we take steps to delete or anonymise it securely. This statutory period is the benchmark for the deletion carve-out in Section 9.

8. Security Measures

We take reasonable technical and organisational measures to protect your data, including:

  • HTTPS encryption for data transmitted between your browser and our servers.
  • Password hashing, so passwords are never stored in plain text.
  • Access controls that limit who can access systems and data.
  • CSRF protection, reCAPTCHA, and monitoring to defend against abuse.

No method of transmission or storage is completely secure, so while we work hard to protect your data, we cannot guarantee absolute security. Please keep your password confidential and notify us promptly of any suspected unauthorised access.

9. Your Rights and How to Exercise Them

You have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Delete your account and personal data, subject to legal retention requirements — for example, the invoice and tax records we must keep for the statutory six-year period described in Section 7.
  • Withdraw consent or object to certain processing (see Section 4).

To exercise any of these rights, contact us at info@invoiceflow.pk or via WhatsApp at +92 313 4038839. We may need to verify your identity before acting on your request, to ensure we do not disclose data to the wrong person.

We aim to respond to and act on valid requests within a reasonable time, ordinarily within 30 days of receiving the request and completing any necessary identity verification. If a request is complex or we need more time, we will let you know.

10. Children

InvoiceFlow is a business tool intended for use by registered businesses and adults. It is not directed at, or intended for use by, anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a minor has provided us with data, please contact us so we can remove it.

11. International Transfers and Data Location

We are based in Pakistan and aim to keep primary application and database hosting on infrastructure serving the Pakistan / South Asia region. However, some of our service providers process data on servers located outside Pakistan:

  • Hosting and infrastructure — our primary hosting is provisioned to serve the Pakistan / South Asia region, though provider infrastructure and backups may also involve data centres in other regions.
  • Google reCAPTCHA — Google processes reCAPTCHA signals on its global infrastructure, which includes servers in the United States and other countries.
  • WhatsApp — messages you send us are processed on Meta's global infrastructure, which includes servers in the United States and other countries.

Where your data is transferred outside Pakistan, we take reasonable steps — including relying on the provider's own contractual and security safeguards — to ensure it continues to be handled in line with this policy and with an appropriate level of protection.

12. Pakistan Data Protection Context

We aim to handle your personal data responsibly and in line with applicable Pakistani law. Pakistan is in the process of developing a comprehensive data protection framework, including the forthcoming Personal Data Protection Bill. As this and related regulations come into force, we will review and update our practices accordingly. This policy describes our current practices and is not a representation of compliance with any specific law not yet in effect.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our services, technology, or legal requirements. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify you. Your continued use of InvoiceFlow after changes take effect means you accept the updated policy, save for any processing that requires your separate consent under Section 4.

14. Contact Us

If you have questions, requests, or concerns about this Privacy Policy or your data, contact us:

This page is provided for general information only and is not tax or legal advice. For advice specific to your situation, please consult a qualified professional.
