Privacy Policy (GDPR)

Last updated: March 2, 2026

1. Data controller

Controller: Idir Ouhab Meskine (Pay by idir.ai).

Legal and privacy contact email: contact@idir.ai.

Competent supervisory authority: Berliner Beauftragte für Datenschutz und Informationsfreiheit (Berlin, Germany).

2. Personal data we process

  • Account users: first name, last name, email, password hash, OAuth provider, OAuth identifier, optional avatar, role, account status, and activity timestamps.
  • Legal evidence: acceptance timestamp, IP, user-agent, and accepted terms/privacy version.
  • Invoiced clients: identifier, first/last name, optional email, encrypted tax ID, encrypted address, city, postal code, region, country, and optional payment details.
  • Billing: invoice data, line items, amounts, statuses, traceability, and action audit logs.

3. Purposes and legal basis

  • Providing the invoicing SaaS service: contract performance (Art. 6.1.b GDPR).
  • Accounting and tax compliance: legal obligation (Art. 6.1.c GDPR).
  • Security, fraud prevention, and technical traceability: legitimate interest (Art. 6.1.f GDPR).
  • Non-essential cookies and public-site analytics: consent (Art. 6.1.a GDPR), managed by CMP.

4. Processors and transfers

We use technology providers for hosting, database, email delivery, monitoring, and authentication. Processing is limited to what is necessary to operate the service.

Under our current setup, EU infrastructure is prioritized. If international transfers occur, valid legal safeguards (e.g., SCCs) will be applied before enabling them.

5. Retention periods

  • Inactive accounts: access deletion/deactivation after 3 months of inactivity.
  • Tax and accounting records: retained for 10 years due to legal obligations.
  • Legal acceptance evidence: retained for 10 years for legal defense.

6. Data subject rights

You can exercise access, rectification, erasure, objection, restriction, and portability rights by contacting contact@idir.ai. We will respond within the standard legal period of 1 month, unless a lawful extension applies.

7. Security

We apply proportionate technical and organizational measures, including access control, encryption of sensitive client fields, and audit event logging.