Privacy Notice (GDPR)
WinnerInvoice — Mobile Invoicing & Estimates For Users in the European Economic Area and United Kingdom
Effective date: June 02, 2025 Last updated: June 02, 2025
1. Introduction
ICI Tech Teknoloji A.Ş. processes your personal data in compliance with the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and, where applicable, the UK GDPR.
| Data Controller | ICI Tech Teknoloji A.Ş. |
| Website | /en/ |
| app@icitech.com.tr | |
| Country of establishment | Republic of Turkey |
EU Representative (Article 27 GDPR): As a company established outside the EEA offering services to EEA residents, we are in the process of designating an EU representative per Article 27 GDPR. Updated contact details will be published at /en/privacy once appointed.
Data Protection Officer: We do not currently meet the threshold for mandatory DPO appointment under Article 37 GDPR. Contact: app@icitech.com.tr.
2. Our Role — Controller and Processor
WinnerInvoice operates in two distinct legal roles under GDPR:
As Data Controller (Article 4(7))
We are the data controller for:
- Your account and authentication data
- Your business profile and branding settings
- Your subscription and billing data
- App usage analytics (anonymized)
- Support communications
As Data Processor (Article 4(8) and Article 28)
We are a data processor acting on your behalf for:
- Your customers' personal data that you enter into the app (names, contact details, addresses, tax IDs)
- Invoice and estimate content you create
You are the data controller for your customers' data. You are responsible for ensuring you have a lawful basis under GDPR Article 6 to process your customers' data, and that you have fulfilled your own information obligations toward them.
Data Processing Agreement (Article 28): Our Terms of Service include data processing clauses that satisfy Article 28 GDPR requirements. By accepting our Terms of Service, you enter into a data processing agreement with us for the processing of your customers' data. You may request a standalone DPA document by contacting app@icitech.com.tr.
3. Data We Process
3.1 Account Information (Controller)
Email address, password (hashed), optional display name and company name.
3.2 Business Profile Data (Controller)
Trading name, business address, tax/VAT number, logo, brand colours, language and currency preferences.
3.3 Invoice and Document Data (Controller + Processor)
Invoice content (line items, prices, tax rates), document status, reference numbers. Customer-facing fields contain end-client data (processed as Processor).
3.4 End-Client Data (Processor — you are the Controller)
Customer names, company names, contact details (phone, email), billing addresses, tax/VAT identification numbers, job history.
3.5 Subscription Data (Controller)
Subscription tier, purchase date, renewal date, transaction ID, App Store / Google Play platform identifier.
3.6 App Usage Data (Controller)
Anonymized/aggregated feature usage statistics, session data.
3.7 Device and Technical Data (Controller)
Device type, OS version, app version, IP address (truncated), time zone, crash logs.
4. Legal Bases for Processing (GDPR)
| Purpose | GDPR Legal Basis |
|---|---|
| Account creation and management | Art. 6(1)(b) — Performance of contract |
| Providing invoicing features | Art. 6(1)(b) — Performance of contract |
| Cloud sync and backup | Art. 6(1)(b) — Performance of contract |
| Processing end-client data on your behalf | Art. 6(1)(b) — Performance of contract (Art. 28 relationship) |
| App quality, crash analysis | Art. 6(1)(f) — Legitimate interests |
| Security monitoring | Art. 6(1)(f) — Legitimate interests |
| Subscription management | Art. 6(1)(b) — Performance of contract |
| Support requests | Art. 6(1)(b) — Performance of contract |
| Legal obligations | Art. 6(1)(c) — Legal obligation |
| Marketing communications | Art. 6(1)(a) — Consent |
5. Your Obligations as Data Controller for End-Client Data
When you use WinnerInvoice to process your customers' personal data, you must:
- Have a valid legal basis under GDPR Article 6 for processing each customer's data (typically: performance of a contract with that customer)
- Fulfil your own transparency obligations (Article 13/14) toward your customers, informing them that their data may be processed using WinnerInvoice
- Respond to your customers' data subject requests (Articles 15–22) regarding the data you hold about them in WinnerInvoice
- Ensure that sharing customer data via PDF (WhatsApp, email) is consistent with your own privacy obligations
We will assist you with technical measures to fulfill these obligations where possible — for example, by enabling data export and deletion. Contact app@icitech.com.tr for data subject request support.
6. WhatsApp and Email Sharing — GDPR Note
When you share a PDF containing your customer's personal data via WhatsApp or email, this constitutes a disclosure of personal data for which you are responsible as data controller. Ensure that:
- You have the right to share that data with the recipient
- The sharing is consistent with your customer's reasonable expectations
- You understand that once shared, the data is subject to the recipient's own data protection practices
7. Your Rights Under GDPR
| Right | Article | Description |
|---|---|---|
| Right of access | Art. 15 | Obtain a copy of your personal data we hold |
| Right to rectification | Art. 16 | Correct inaccurate data |
| Right to erasure | Art. 17 | Request deletion |
| Right to restriction | Art. 18 | Limit processing |
| Right to data portability | Art. 20 | Receive your data in machine-readable format |
| Right to object | Art. 21 | Object to legitimate interest processing or direct marketing |
| Right to withdraw consent | Art. 7(3) | Withdraw marketing consent at any time |
| Right to lodge a complaint | Art. 77 | Contact your national supervisory authority |
How to exercise
Email app@icitech.com.tr — subject "GDPR Data Subject Request — WinnerInvoice". We respond within one month, free of charge.
In-app controls
| Action | Where |
|---|---|
| Delete account | Settings → Account → Delete Account |
| Export your data | Settings → Data → Export (where available) |
| Withdraw marketing consent | Settings → Privacy → Marketing Preferences |
8. Right to Lodge a Complaint
| Country | Authority | Website |
|---|---|---|
| 🇫🇷 France | CNIL | https://www.cnil.fr |
| 🇩🇪 Germany | BfDI + state DPAs | https://www.bfdi.bund.de |
| 🇪🇸 Spain | AEPD | https://www.aepd.es |
| 🇬🇧 United Kingdom | ICO | https://ico.org.uk |
| 🇳🇱 Netherlands | AP | https://autoriteitpersoonsgegevens.nl |
| Other EEA | Your national DPA | https://edpb.europa.eu/about-edpb/about-edpb/members_en |
9. International Data Transfers
ICI Tech Teknoloji A.Ş. is established in Turkey. The European Commission has not issued an adequacy decision for Turkey under GDPR Article 45.
For all transfers from the EEA or UK, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- UK IDTAs for UK transfers
- GDPR Article 49 derogations where applicable
Request a copy of applicable transfer mechanisms: app@icitech.com.tr.
10. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data | Duration + 3 years after deletion |
| Invoice and document data | Duration + 3 years after deletion |
| End-client data (processed as Processor) | Duration + 3 years after deletion or your deletion request |
| Subscription records | 10 years (Turkish commercial law) |
| Support communications | 3 years |
| Crash logs | 12 months |
| Demo mode data | Device-local only |
Your own archiving obligations: You may have independent legal obligations to retain invoice records under applicable tax and commercial law. WinnerInvoice's data deletion does not satisfy those obligations — you should maintain independent records.
11. Security
- TLS 1.2+ in transit; encryption at rest
- Cloud sync over encrypted connections
- Access controls for invoice and customer data
- Breach notification: Within 72 hours to supervisory authority (Art. 33); users notified without undue delay for high-risk breaches (Art. 34)
12. Automated Decision-Making
We do not make automated decisions with legal or similarly significant effects based on your data or your customers' data (Art. 22 GDPR).
13. Children's Privacy
WinnerInvoice is a business tool for users 18 and older. Contact app@icitech.com.tr for immediate deletion if a child has submitted data.
14. Cookies
Our website uses cookies with a consent banner on first visit.
| Type | Legal Basis | Opt-Out |
|---|---|---|
| Strictly necessary | Art. 6(1)(f) | Not possible |
| Analytics | Art. 6(1)(a) — Consent | Via banner |
| Marketing | Art. 6(1)(a) — Consent | Via banner |
15. Changes
Material changes notified 14 days in advance. Current version: /en/privacy/gdpr.
16. Contact Us
| app@icitech.com.tr | |
| Subject | "GDPR Data Subject Request — WinnerInvoice" |
| Website | /en/ |
Acknowledge within 5 business days, resolve within one month.