Last updated: 27 July 2025
Supplemental update: 17 February 2026 — Additional disclosures added for UK HMRC integrations (including Making Tax Digital for Income Tax Self Assessment) and a layered “key privacy information” summary, plus security incident reporting and breach notification information, and a purpose-to-lawful-basis mapping for UK GDPR/EEA GDPR transparency.
This Privacy Policy is a layered notice. The sections at the top summarize how we handle personal information in Invoice24 (i24) AKA !24 free. Additional region-specific rights information appears further below.
This policy covers the Invoice24 software and services (including web and mobile apps), and (where enabled) features that connect to third parties such as payment processors and UK HMRC integrations (including Making Tax Digital for Income Tax Self Assessment (MTD ITSA)).
Invoice24 (i24) is provided by i24 Limited. For the personal information described in this Privacy Policy, i24 Limited is generally the data controller (or equivalent) and is responsible for protecting that personal information. You can contact us using the details in the “How to Contact Us” section at the bottom of this page.
Depending on how you use the Services, we may process the following categories of personal information (some of which may relate to your customers, suppliers, or other third parties if you upload that data into the Services):
We use personal information to provide and operate the Services; process subscriptions and payments; secure accounts and prevent fraud/abuse; provide customer support; communicate service-related messages; and improve and develop the Services. Where required, we will obtain consent for specific processing (for example, certain marketing communications).
Where UK GDPR/EEA GDPR apply, we process personal information only where we have a lawful basis. Depending on the context, this may include: (a) your consent, (b) performance of a contract with you / steps at your request, (c) compliance with a legal obligation, and/or (d) legitimate interests (for example, to keep the Services secure and prevent fraud), balanced against your rights.
The table below provides a practical mapping between common processing activities, the types of personal information involved, why we process it, and the lawful basis we rely on (where UK GDPR/EEA GDPR apply). The exact lawful basis can vary depending on your use of the Services and the specific context.
| Processing activity | Examples of data | Why we do it | Typical lawful basis |
|---|---|---|---|
| Create and manage your account | Account/profile data, authentication details, contact details | Provide the Services and enable access | Performance of a contract / steps at your request |
| Deliver core product features | Invoice and business records data, activity history | Generate and manage invoices and related records | Performance of a contract / steps at your request |
| Process subscriptions and payments | Billing/subscription data, transaction references | Bill for the Services, manage subscriptions, prevent payment fraud | Performance of a contract; legitimate interests; legal obligation (where applicable) |
| Customer support and communications | Communications and support data, account identifiers | Respond to queries, troubleshoot issues, communicate service messages | Performance of a contract; legitimate interests |
| Security, fraud prevention, and abuse detection | Device/usage/log data, security events, IP address, timestamps | Keep the Services safe, detect and prevent fraud, enforce policies | Legitimate interests; legal obligation (where applicable) |
| Improve and develop the Services | Usage data, diagnostic logs, feedback (where provided) | Fix bugs, improve reliability and features | Legitimate interests; consent (where required) |
| Marketing communications (where enabled) | Contact details, marketing preferences | Send product updates and offers (you can opt out) | Consent (where required); legitimate interests (where permitted) |
| Comply with legal/regulatory requirements | Billing records, audit/security logs, account identifiers | Meet legal obligations, respond to lawful requests, maintain required records | Legal obligation |
| HMRC-connected features (UK), where you choose to use them | Data you instruct us to submit, submission metadata/status, HMRC-required audit data | Enable HMRC integration and transmit/receive information with HMRC | Performance of a contract / steps at your request; legal obligation (where applicable); legitimate interests (security) |
We may share personal information with:
We may process or store personal information in countries other than the country where you live. Where required, we use appropriate safeguards for international transfers (for example, contractual protections and security measures) and limit access on a need-to-know basis.
We implement reasonable administrative, technical, and organizational security measures designed to protect personal information against unauthorized access, loss, misuse, alteration, or disclosure. As the controller (or equivalent) for personal information we handle as described in this Privacy Policy, we are responsible for implementing appropriate measures to protect that information. However, no method of transmission or storage is completely secure.
If you believe you have found a security vulnerability, suspect unauthorised access to an Invoice24 account, or believe Invoice24 data may have been exposed, please report it as soon as possible by emailing hello@i24app.com with the subject line “Security Incident”. Please include sufficient detail to help us investigate (for example, the affected account email, relevant dates/times, and a description of what you observed).
Where we become aware of any issue concerning the security of personal or customer data in connection with HMRC integrations (including Making Tax Digital for Income Tax Self Assessment (MTD ITSA)), we will report it to HMRC within 72 hours by contacting SDSTeam@hmrc.gov.uk, and will provide a breach contact name and telephone number.
Where a personal data breach is reportable under applicable data protection law (including UK GDPR), we will notify the UK Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it. If a breach is likely to result in a high risk to individuals’ rights and freedoms, we will also notify affected individuals without undue delay.
If you use features that connect Invoice24 to HMRC (including features designed to support Making Tax Digital for Income Tax Self Assessment (MTD ITSA)), we will process additional data to enable those features.
Authorisation and HMRC sign-in details: HMRC authorisation is designed so that you authenticate directly with HMRC and grant authority for specific scopes. We do not need you to provide your HMRC username and password to us in order to use HMRC-connected features.
Data you ask us to send to HMRC: This may include information you provide or generate in the Services that you instruct us to transmit to HMRC (for example, summaries, updates, and submission metadata/status information returned by HMRC).
Fraud prevention and audit data: When using certain HMRC APIs (including MTD-related APIs), HMRC requires software providers to submit specific user audit data (fraud prevention header data). To provide these HMRC-connected features, Invoice24 may collect and transmit to HMRC certain technical and contextual information (for example, device/app/browser details, timestamps, network and connection information, identifiers, and similar audit data required by HMRC specifications).
This data is used for transaction monitoring and fraud prevention and may be legally required for certain HMRC API requests. Missing or incorrect data may cause HMRC-connected features to fail.
We keep personal information for as long as needed to provide the Services, comply with legal or regulatory obligations, resolve disputes, enforce agreements, and protect the security and integrity of the Services. Retention periods vary depending on the type of data, how it is used, and applicable legal requirements.
If you request deletion (or delete information within the Services where available), we will take reasonable steps to delete personal information within a reasonable time, subject to required or permitted retention (for example, billing records, fraud prevention, security logs, and legally required recordkeeping).
If you have concerns about how we use personal information, you can contact us using the details below. Depending on where you live, you may also have the right to lodge a complaint with a relevant data protection supervisory authority.
When it comes to controlling the privacy of your personal information, you have options.
We won't be able to give you any more customised recommendations based on your credit profile if you live in Brazil and have requested to have your registration cancelled on each of our partners as permitted by Brazilian Federal Law No. 12,414/2011.
If you are a resident of Brazil, you may have the following rights:
To exercise any of your rights, please contact us at the link provided below in the "How to Contact Us" section for Brazil.
When it comes to managing the privacy of your personal information, you have options.
While we take precautions to secure your personal information, it may be revealed in response to valid demands or requests from governments, regulators, courts, and law enforcement officials in those other territories or nations.
If you are a resident of Canada, you may have the following rights:
When it comes to managing the privacy of your personal information, you have options.
Where Indian individuals' data is involved, you hereby agree that "reasonable security practices and procedures" under section 43A Explanation (ii) of the Information Technology Act, 2000 means this i24 Privacy Statement and such data security procedures as i24 may implement from time to time and as i24 may inform you of from time to time.
When it comes to managing the privacy of your personal information, you have options.
If you are a resident of Mexico, you may have the following rights known as “ARCO rights”:
When it comes to managing the privacy of your personal information and exercising your ARCO rights, you have options. Please keep in mind that we must validate your request before executing your rights. After we receive a request, we will respond with whether the request for access, rectification, cancellation, or opposition is appropriate, and if so, we will make a determination within 15 business days after that date. The deadlines may be extended in accordance with the conditions of the applicable laws.
If you are a Mexican resident, you may also limit the use or disclosure of your personal information by contacting us via the link provided in the "How to Contact Us" section for Mexico, below.
i24 Inc.'s UK and EEA representatives are:
In the United Kingdom: i24 Ltd.; contact information for i24 Ltd. can be found in the "How to Contact Us" section below.
The type of personal information and the exact context in which we acquire it will determine our legal justification for collecting and processing the personal information detailed in this Privacy Statement. However, we will generally process your personal information when:
We have your consent to do so; we have a contract with you, and it is necessary to process your personal information in order to perform our contract with you, including providing you with the benefits of the i24 Platform and running our business;
The processing is necessary for us to run our operations, improve and grow the i24 Platform, communicate with you, sell our offers and services, and personalise your experience, as well as detect criminal activity; and/or to adhere to legal obligations, such as applicable laws and regulations.
We may share your personal information, including your contact details, date of birth, and the information you give us about your employment, income, and housing and employment expenses, with third parties to determine your eligibility for a credit card or a personal loan through the i24 Platform. You can find more information about their data protection practices in their privacy policies by contacting us at hello@i24app.com.
If you are a resident of the UK or EEA, you may have the following rights:
When it comes to managing the privacy of your personal information, you have options.
If you have any questions or concerns about this Privacy Statement or our practices, please write to i24 Limited,
20 Bankside, Station Approach, Kidlington, OX5 1JE, UK.
Alternatively, you can contact us by email at hello@i24app.com.