Who's responsible
Joio is the trading name of Rhys O'Shea, a sole trader operating in the UK. I'm the data controller for any personal information you share through the invoicing app. I am registered with the ICO - registration number available on request.
This notice covers invoicing.byjoio.co.uk only. The main marketing site has its own notice at byjoio.co.uk/privacy.
What I collect, and when
- +When you sign up: your email address and a password. The password is hashed by Supabase before it touches my database — I never see it in the clear.
- +When you pay: a Stripe customer ID and the time the payment cleared. I do not see or store your card number, expiry, or CVC — Stripe handles all of that on their own infrastructure.
- +When I provision your dedicated invoicing database after payment: the connection URL and anon key for your project are encrypted at rest before being stored in my main database.
- +To prevent abuse: your IP address is read briefly on password-reset requests for rate limiting, then thrown away. It is never written to a log or a database.
- +I do not run analytics. I do not set advertising or tracking cookies. I do not embed third-party scripts on the dashboard.
Cookies I do set
The app sets two cookies, both strictly necessary to keep you signed in:
- +
sb-…-auth-token— your Supabase session. - +
sb-…-auth-token-code-verifier— a short-lived value used during sign-in (PKCE).
Strictly-necessary cookies don't require a consent banner under PECR, which is why you don't see one. No analytics, marketing, or tracking cookies are set by me or by any third party on this site.
Your business data
Your clients, time entries, and invoices live in a dedicatedSupabase database I provision for you on payment — one database per paying customer. Your data is never co-mingled with any other customer's; the isolation boundary is the database itself, not just a row-level filter.
For the personal data inside that database (your clients' names, addresses, etc.), you are the data controller and I act as your processor — I only access that data when the app needs to, in order to fulfil a request you've made (loading a dashboard page, generating a PDF). I don't read it outside of those direct requests, and I don't share it with anyone.
The credentials needed to connect to your database are encrypted at rest with a key kept off-platform. Even if my main database were compromised, your invoicing data would remain unreadable.
When you delete your byjoio account, your stored credentials are wiped and I tear down your dedicated database so the data is fully removed. If you'd like a CSV export of your data first, ask before deleting and I'll send one over.
Where it goes
Three services process data on my behalf so the app can do its job:
- +Supabase handles authentication, the profiles database, sign-up confirmation and password-reset emails, and the payment webhook. Supabase's privacy policy →
- +Stripe handles payment. I send them your user ID as a reference and a price ID; they send me back whether you paid. Stripe's privacy policy →
- +Vercel hosts the app, which means it processes request metadata (IP, user agent) in transit to serve pages. Vercel's privacy policy →
- +Resenddelivers payment reminder emails on your behalf. When you trigger a reminder, your client's name and email address are passed to Resend solely to send that email — they are not stored or used for any other purpose. Resend's privacy policy →
These services may process data on servers outside the UK. Where they do, transfers are covered by UK Standard Contractual Clauses or the UK's International Data Transfer Addendum — each of the policies above explains the specifics. None of them use your details for their own marketing.
Why I'm allowed to hold it
My lawful bases under UK GDPR are:
- +Contract — delivering the invoicing service you've paid for.
- +Legitimate interests — running the sign-up flow before payment, and rate-limiting requests to prevent abuse.
- +Legal obligation — keeping payment records for HMRC (six years).
How long I keep it
- +Account data — until you delete your account, or you ask me to.
- +Stripe payment records — six years, to meet HMRC requirements.
- +Unpaid sign-ups that sit inactive for 24 months — deleted automatically.
Your rights
Under UK GDPR you can ask me to: see what I hold about you, correct anything wrong, delete it, receive a copy in a portable format, restrict how I use it, or object to me using it. Email byjoio.dev@gmail.com and I'll handle it within 30 days.
Complaints
If you're not happy with how I've handled your data, you can complain to the UK Information Commissioner's Office at ico.org.uk →.
Changes
If anything material changes, I'll update this page and bump the “last updated” date at the top. This is the first version.