Privacy Policy

Last updated: May 2026

1. Who we are

Incomr ("we", "our", "us") is a software-as-a-service product that provides cash flow forecasting for businesses. Our registered contact email is hello@incomr.com. Our service is available at www.incomr.com.

2. What data we collect

We collect the following categories of personal data:

  • Account data: your email address and encrypted password, collected when you create an account.
  • QuickBooks data: invoice data (invoice numbers, amounts, customer names, issue dates, due dates, payment dates) accessed via the Intuit QuickBooks API with your explicit authorisation.
  • Payment data: billing information processed by Stripe. We do not store card details — these are handled exclusively by Stripe.
  • Usage data: basic technical logs (IP address, browser type, pages visited) for security and performance purposes.

3. Legal basis for processing (GDPR)

We process your personal data on the following legal bases under Article 6 of the GDPR:

  • Contract performance (Art. 6(1)(b)): processing your account data and QuickBooks data is necessary to provide the service you signed up for.
  • Legitimate interests (Art. 6(1)(f)): we process usage data to maintain the security and performance of our platform.
  • Legal obligation (Art. 6(1)(c)): we may process data to comply with applicable laws and regulations.
  • Consent (Art. 6(1)(a)): where we send you optional marketing communications, we rely on your consent, which you may withdraw at any time.

4. How we use your data

  • To provide cash flow predictions based on your invoice history.
  • To send you weekly cash flow summaries and payment alerts (service emails).
  • To process your subscription payments.
  • To respond to your support requests.
  • To improve our prediction algorithms using aggregated, anonymised data.

We never sell your data to third parties. We never use your data for advertising purposes.

5. Sub-processors

We use the following third-party services to operate Incomr:

  • Supabase (EU region) — database and authentication infrastructure.
  • Vercel (EU region) — application hosting and deployment.
  • Intuit QuickBooks — accounting data source, accessed only with your explicit OAuth authorisation.
  • Stripe — payment processing. Stripe is PCI-DSS compliant.
  • Resend — transactional email delivery.

All sub-processors are bound by appropriate data processing agreements and comply with GDPR requirements.

6. International data transfers

Our primary infrastructure is hosted in the EU (Ireland region). Some sub-processors (including Stripe and Intuit) may process data outside the EU. Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission under Article 46 GDPR.

7. Data retention

  • Account data: retained for the duration of your account. Deleted within 30 days of account deletion.
  • Invoice data: retained for the duration of your account. Deleted within 30 days of account deletion.
  • Payment records: retained for 7 years to comply with financial regulations.
  • Usage logs: retained for 90 days for security purposes.

8. Your rights under GDPR

If you are located in the European Economic Area, you have the following rights:

  • Right of access (Art. 15): you can request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16): you can request correction of inaccurate data.
  • Right to erasure (Art. 17): you can request deletion of your data. You can do this directly from Account Settings.
  • Right to data portability (Art. 20): you can export all your data in JSON format from Account Settings.
  • Right to restriction of processing (Art. 18): you can request that we limit how we use your data in certain circumstances.
  • Right to object (Art. 21): you can object to processing based on legitimate interests.
  • Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

We will respond to all requests within 30 days. To exercise any of these rights, contact us at hello@incomr.com.

9. Right to lodge a complaint

You have the right to lodge a complaint with your local data protection authority. In Italy, this is the Garante per la protezione dei dati personali. In Ireland (where our EU infrastructure is hosted), this is the Data Protection Commission.

10. Cookies

We use a single cookie to remember your cookie consent preference. We do not use tracking cookies or advertising cookies. If you use third-party integrations (such as QuickBooks), those services may set their own cookies subject to their own privacy policies.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email and by updating the "Last updated" date above. Continued use of the service after changes constitutes acceptance of the updated policy.

12. Contact

For any privacy-related questions or to exercise your rights, contact us at hello@incomr.com.