1. Who we are
InvoiceHero is operated by Arete Process Intelligence Limited (“InvoiceHero”, “we”, “us”), a company registered in England and Wales (company number 17184060), with its registered office at D N S House, 382 Kenton Road, Harrow, England, HA3 8DP.
InvoiceHero is a business application that works with Microsoft Invoice Capture and Dynamics 365 Finance to provide AI-assisted invoice exception resolution and related automation.
Our two roles
As a processor. When we process the invoices, purchase orders, and related records that your organisation’s Dynamics 365 environment sends to InvoiceHero, we act as a data processor on your behalf. Your organisation is the controller of that data, and our handling of it is governed by the data-processing terms in your agreement with us.
As a controller. When we handle your account and administrator details, your Microsoft marketplace subscription, billing and usage records, our communications with you, and visitors to our website, we act as a data controller.
This policy describes both roles. Where we act as a processor, the controller’s own privacy notice also applies to the individuals whose data appears in their invoices and purchase orders.
2. Information we collect
Account and administrator data (controller). Name, business email, and the Microsoft Entra tenant and user identifiers of the people who sign in to the InvoiceHero Customer Admin Center, together with the actions they take there.
Marketplace and subscription data (controller). Subscription identifiers, plan, the purchaser and beneficiary details Microsoft provides when a subscription is created, and billing and usage records such as the number of invoices processed in a cycle.
Environment configuration (controller). The Dynamics 365 environment details you register and verify, and the related connection settings held securely by the service.
Customer business data (processor). The invoices, purchase orders, and related records your Dynamics 365 environment submits for processing. These may contain personal data — for example, the names and contact details of supplier or employee contacts that appear on an invoice. We process this solely to provide the service to you.
Operational data (controller). Logs, diagnostic telemetry, processing summaries and audit records generated when the service runs, used for security, troubleshooting, support, billing accuracy and audit.
Website data (controller). Any details you provide when you contact us through invoicehero.ai, and limited technical information needed to serve the site.
3. How we use information and our legal bases
We use the data above to provide and operate InvoiceHero; authenticate administrators; process invoices and related records on your behalf; manage your subscription, billing and onboarding; provide support; keep the service secure; meet legal and accounting obligations; and improve the service.
Where we act as a controller, our legal bases under UK GDPR and the EU GDPR are: performance of a contract (operating your subscription and account); legitimate interests (securing, maintaining and improving the service, and general business administration); legal obligation (accounting and tax records); and consent where required. Where we act as a processor, we act on the controller’s documented instructions.
4. AI processing
InvoiceHero uses Microsoft Azure OpenAI to support invoice exception resolution, configured extraction, matching assistance, and the Ask InvoiceHero query feature. InvoiceHero production processing is hosted in Microsoft Azure UK South. Where Microsoft Commercial Marketplace or other Microsoft global services are used for subscription, billing, support, or identity-related functions, limited associated data may be processed in other Microsoft locations.
Based on Microsoft’s Azure OpenAI data handling commitments, customer content sent to Azure OpenAI is not used to train generative AI foundation models without permission or instruction. We do not make solely automated decisions that produce legal or similarly significant effects on individuals.
5. Sharing and sub-processors
We do not sell personal data. We share data only with the service providers that help us run InvoiceHero, under contract and only as needed:
| Sub-processor | Purpose | Location |
|---|---|---|
| Microsoft Azure | Hosting, storage, key management and operational infrastructure | UK South |
| Microsoft Azure OpenAI | AI-assisted exception resolution, extraction, matching assistance and Ask InvoiceHero | UK South |
| Microsoft Commercial Marketplace | Subscription, billing and marketplace operations | Microsoft global |
We will update this policy if we add material sub-processors that handle personal data for the InvoiceHero service.
We may also disclose data where required by law, to protect our rights, or in connection with a business transfer carried out with appropriate safeguards.
6. Data location and international transfers
InvoiceHero production processing is hosted in Microsoft Azure UK South. Some Microsoft services used for subscription, billing, identity, marketplace operations, or support may process limited associated data outside the UK and EEA. Where personal data is transferred internationally, it is protected by appropriate safeguards such as the UK International Data Transfer Agreement or the EU Standard Contractual Clauses.
7. Data retention
Our standard retention policy is:
- Detailed invoice, purchase-order and processing data used for InvoiceHero runs: retained for up to 90 days, unless a shorter customer-agreed period applies. This may include selected invoice header and line data, selected purchase-order data, matching results, feature execution details, diagnostic information and detailed run artefacts.
- Run summaries, subscription, billing and audit records: retained for up to 6 years where needed for accounting, tax, billing, audit, dispute handling, and legal compliance.
- Operational logs and telemetry: normally retained for around 90 days, unless needed for a security investigation, support issue, or legal requirement.
- Account and administrator records: retained for the life of the account and for any period required by law afterwards.
8. Security
We protect data using measures appropriate to its sensitivity, including encryption in transit and at rest; secrets and certificates held in Azure Key Vault; Microsoft identity-based authentication patterns; role-based access control; the network and platform controls provided by Microsoft Azure; and audit logging of administrative actions. No system is perfectly secure, but we work to protect your data and to respond promptly to any incident.
9. Your rights
Depending on your location, you may have rights to access, correct, delete, restrict, or object to the processing of your personal data, and to data portability. Where InvoiceHero processes data on behalf of your organisation (as a processor), please direct such requests to that organisation as the controller, and we will assist them in responding. For data where we are the controller, contact us using the details below. You also have the right to complain to a supervisory authority — in the UK, the Information Commissioner’s Office (ico.org.uk).
10. Cookies
The InvoiceHero Customer Admin Center uses only strictly necessary cookies to keep you signed in and to secure your session. We do not use analytics, advertising, or third-party tracking cookies.
11. Children
InvoiceHero is a business service and is not directed to, or intended for use by, children. We do not knowingly collect personal data from children.
12. Changes to this policy
We may update this policy from time to time. We will post the updated version here and change the “Last updated” date; material changes will be communicated as appropriate.
13. Contact us
For questions or requests about this policy or your data:
Arete Process Intelligence Limited
Email: connect@invoicehero.ai
D N S House, 382 Kenton Road, Harrow, England, HA3 8DP