Who We Are
Folio by c3 ("we", "us", "our") is an invoicing and billing management service operated by:
Code3
Železnička 14, 22320 Inđija, Serbia
Registration number: 62611421
VAT number: 107254196
By using the service you agree to the collection and use of information as described in this policy.
Information We Collect
Account Information
When you create an account we collect your email address and a securely hashed password. We do not store your password in plain text.
Business & Invoice Data
To operate the service you may provide your company name, address, tax identification numbers, client details (names, addresses, emails), invoice line items, and payment records. This data is yours — we store it to provide the service and never sell or share it with third parties for marketing purposes.
Logo & Image Uploads
If you upload a company logo, the image is stored and served via Cloudinary (cloudinary.com), a third-party image management service. Uploaded images are associated with your account and are subject to Cloudinary's Privacy Policy. You can remove your logo at any time by clearing the logo URL in your branding settings.
Subscription & Payment Data
Subscription billing is handled by Paddle (paddle.com), our payment processor. We do not store credit card numbers or full payment details on our servers. We receive subscription status events (plan, billing period, status) from Paddle via webhooks to manage your access. Paddle acts as the Merchant of Record for your subscription and has its own Privacy Policy.
Technical Data
We collect standard server logs including IP addresses, request URLs, HTTP status codes, and response times for operational monitoring and debugging. Logs are retained for a limited period and are not used for profiling.
How We Use Your Data & Legal Basis
We do not use your data for advertising. We do not sell your data to third parties.
| Purpose | Data used | Legal basis (GDPR Art. 6) |
|---|---|---|
| Providing the service (accounts, invoices, clients) | Account & business data | Contract performance (Art. 6(1)(b)) |
| Sending transactional emails (verification, password reset, invoice delivery) | Email address | Contract performance (Art. 6(1)(b)) |
| Managing subscription and trial status | Subscription data | Contract performance (Art. 6(1)(b)) |
| Operational monitoring, security, and fraud prevention | Server logs | Legitimate interests (Art. 6(1)(f)) |
| Measuring the effectiveness of advertising campaigns (signup conversion only, on the registration page) | Page view and signup event, IP address, browser data | Legitimate interests (Art. 6(1)(f)) |
| Responding to support requests | Email address, message content | Legitimate interests (Art. 6(1)(f)) |
Data Storage & Security
Your data is stored in a PostgreSQL database hosted on a secured server. We use industry-standard security practices including HTTPS, session encryption, and hashed credentials. No security measure is 100% guaranteed, but we take the protection of your data seriously.
Data Retention
We retain your account and invoice data for as long as your account is active. All data belongs to you — we store it solely to provide the service. If you delete your account, we will permanently delete all your data within 30 days. Server logs are retained for a maximum of 90 days.
Your Rights
If you are located in the European Economic Area or the United Kingdom, you have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data ("right to be forgotten") — you can do this directly from your account settings
- Object to or restrict certain processing
- Receive your data in a portable format (data export available in account settings)
- Lodge a complaint with your local data protection authority (EU users: your national DPA; UK users: the ICO at ico.org.uk)
To exercise any of these rights, you can use the tools in your account settings or contact us at the email below.
Third-Party Services & International Transfers
We use the following third-party services. Where these providers are based outside the EEA, transfers are governed by Standard Contractual Clauses (SCCs) or the provider's own adequacy mechanisms.
- Paddle (US) — subscription billing and payment processing; your email is shared with Paddle to create your billing account. Privacy Policy
- Cloudinary (US) — logo image storage and delivery; uploaded images are stored on Cloudinary's servers. Privacy Policy
- NOWPayments — cryptocurrency payment processing for subscriptions. Privacy Policy
- Google Fonts — typography loaded client-side on some pages; your IP address is sent to Google's servers. Privacy Policy
- jsDelivr CDN — open-source library delivery; your IP address is sent to jsDelivr's servers. Privacy Policy
- NBS (Narodna Banka Srbije) — IPS QR code generation for RSD invoices
- Meta Platforms, Inc. (Facebook Pixel + Conversions API) (US) — used solely to measure signup and paid-subscription conversions from paid advertising campaigns. (a) The browser-side Pixel is loaded only on the account registration page (/auth/register) and sends Meta a page view and, on successful signup, a CompleteRegistration event together with your IP address and standard browser data. The Pixel is not present on any other page of the service. (b) The server-side Conversions API sends Meta a Subscribe event when a subscription becomes active, with the subscription amount and currency and your email address in cryptographically hashed (SHA-256) form — Meta does not receive your email in plain text. We do not use either integration for retargeting, custom audiences, or any tracking beyond conversion measurement. Privacy Policy
Cookies & Sessions
We use a single, strictly necessary session cookie to keep you logged in. We do not use analytics or general tracking cookies across the service.
The one exception is the registration page (/auth/register): when we are running paid advertising campaigns, the Meta (Facebook) Pixel may set its own cookies on that page only, for the sole purpose of measuring signup conversions from those campaigns. These cookies are not present on any other page of the service. See the Meta entry under "Third-Party Services" above for details.
Changes to This Policy
We may update this policy from time to time. Material changes will be communicated by updating the "Last updated" date above and, where appropriate, by email notification.
Contact
Code3
Železnička 14, 22320 Inđija, Serbia
[email protected]