Last reviewed May 13, 2026
invioTrack lives entirely inside Telegram. You log in with the same Telegram account you already use — there is no invioTrack password to leak, no installer to trust, and no second app collecting your contacts or location.
The secret that lets our server talk to Telegram (the "bot token") is never committed to source code or stored in plain-text config files on developer machines. In development it is held in macOS Keychain (keyring service money-helper); in production it lives in a restricted environment file readable only by the bot service user.
Send /delete_account in the bot. We cascade-wipe your invoices, line items, clients, invoice counters, and access codes from the database in foreign-key-safe order. The only thing we retain is the minimal subscription-billing record required by tax law (see Privacy Policy §8).
Every page on inviotrack.com — including the legal pages, the Stripe checkout redirect, and the billing portal — is served over HTTPS with certificates issued by Let's Encrypt and auto-renewed by Caddy. The bot itself talks to Telegram over Telegram's own HTTPS API.
The landing page has no Google Analytics, no Facebook pixel, no Hotjar, no Intercom widget, no Segment, no advertising SDKs. View the page source if you want to verify — there's nothing to verify because there's nothing there. We don't even set tracking cookies.
When you tap Upgrade, the link goes to inviotrack.com/c?... first — not directly to a third-party redirect. Our server verifies the link is signed by us and not yet expired (10-minute TTL, HMAC-SHA256), and only then redirects you to Stripe Checkout. This means a bad actor cannot trick the bot into pointing you at an attacker's checkout page.
When you upgrade to Pro or Business, the card form is hosted by Stripe on checkout.stripe.com, not on our servers. Stripe is certified as PCI-DSS Service Provider Level 1 (the highest tier). invioTrack only ever receives a Stripe customer ID and a subscription status — never a card number, never a CVV, never a bank account number.
When Stripe tells us “this user just paid” or “this subscription was cancelled,” our server verifies the request came from Stripe and not from a forger. Each webhook carries an HMAC-SHA256 signature computed against a secret only Stripe and invioTrack know. If the signature does not match, we reject the event with HTTP 400. This blocks an attacker who can guess our webhook URL but does not know the signing secret.
This is the most important sentence on this page. invioTrack generates the PDF invoice and tracks paid/unpaid status. You collect payment from your clients on whatever rail you already use (bank transfer, Zelle, PIX, cash, your own Stripe account, whatever). Stripe is used only for the $20 / $40 monthly invioTrack subscription. We are not a money transmitter and we do not hold your clients’ funds.
The "Manage billing" link in the bot opens the official Stripe Customer Portal. From there you can update your card, view all past invoices, download receipts, or cancel — all on Stripe’s infrastructure. We do not gatekeep or intercept cancellations.
Your invoices, clients, and subscription state live in a private SQLite database on a dedicated Hetzner CPX21 virtual server in Hillsboro, Oregon, USA. The server runs Ubuntu 24.04 LTS with only two ports open to the public internet: 443 (HTTPS) and 22 (SSH, key-only — passwords are disabled). No public database port, no shared infrastructure with other businesses, no managed-database service in the loop.
Every row in every table is keyed by your Telegram user ID (owner_id). Every query the bot runs filters by your ID. There is no scenario in normal operation where another user’s invoice can surface in your account, because the database is structurally incapable of returning rows that are not yours.
Litestream streams every database write, in real time, to an off-server backup destination. Backups are encrypted at rest. If the production server dies, we can rebuild the database state from the backup with a recovery point objective (RPO) measured in seconds, not hours.
Your invoices, your clients’ names, your business email — none of it is sold, rented, traded, fed to ad networks, fed to AI training datasets, or shared with a "partner ecosystem." Our business model is the $20 / $40 subscription. There is no second revenue stream and no plan to add one.
If you find a vulnerability, please email hello@inviotrack.com with the subject line "Security." We read every report personally and aim to acknowledge within 48 hours.
Honesty footer: this page describes what invioTrack does today and is reviewed on every release where security-relevant changes ship. It is not a contract — for that, see our Terms. It is not a privacy disclosure — for that, see our Privacy Policy. It is a plain-English summary of the safeguards we believe matter for a freelancer trusting us with their client list.