Privacy Policy
Last updated: November 20, 2025
View previous version (Nov 6, 2025)
1. Who we are
DEH Technologies LLC, a Wyoming limited liability company, doing business as Invoice Data Extraction ("we," "our," or "us"). For security and privacy questions or requests, contact us at [email protected]. For security incidents or vulnerability reports, use [email protected]. For general support, use [email protected].
Additional context about our practices is available at: Security, AI Data Use, and Subprocessors. If any description on those pages conflicts with this Policy or our binding terms (DPA and Terms of Service), the binding terms control.
- Privacy contact: [email protected]
- Security contact (incidents/vulns): [email protected]
- Support: [email protected]
2. Information We Collect
2.1 Information You Provide to Us
We collect information that you provide directly to us when you use our services:
- Invoice data that you upload to our platform (which is subsequently processed by our AI model providers for data extraction)
- Customer Account Data (e.g., names, emails, authentication identifiers, organization membership/roles)
- Customer service communications
- Any other information you choose to provide
2.2 Payment Information
Payment data is processed by Paddle as Merchant of Record under its own terms. We do not receive or store card numbers. Paddle may collect information such as your name, billing address, and payment card details. Please refer to Paddle's privacy policy for more information on how they handle your payment data.
2.3 Information Automatically Collected
When you visit our website or use our services, we may automatically collect certain information, including:
- Usage details (e.g., access times, pages viewed)
- IP address
- Browser type and operating system
- Referring website addresses
- Device information
We use cookies and similar tracking technologies to collect this information. You can control cookies through your browser settings and other tools.
We do not use third-party advertising cookies and we do not sell or share personal information for cross-context behavioral advertising.
2.4 Authentication Information
We use Clerk, a third-party authentication service, to manage user accounts and logins. Clerk collects and processes authentication-related information such as email addresses, passwords (securely hashed), and other account details necessary for secure login and account management. For more information on how Clerk processes your authentication data, please refer to Clerk's privacy policy.
For Customer Content and Customer Account Data, we act as your service provider/processor under applicable U.S. state privacy laws.
2.5 HIPAA and PHI
We are not a HIPAA Business Associate; please don't upload Protected Health Information (PHI).
2A. Notice at Collection (California and similar U.S. state laws)
This Notice at Collection summarizes the categories of personal information we collect, the purposes for which we use them, and whether we “sell” or “share” (as those terms are defined by state privacy laws, including the CCPA/CPRA).
Categories we collect:
- Identifiers (e.g., name, email address, IP address).
- Customer Account Data (account/admin data such as names, emails, auth identifiers, org membership/roles)
- Customer Content (invoice files you upload, prompts you submit, and extracted fields).
- Commercial information (purchases, credit packages, transaction records via Paddle).
- Internet/technical information (device, browser, usage data such as pages viewed and access times).
- Authentication data (managed by Clerk, e.g., email, login events).
We do not intentionally collect sensitive personal information (as defined by CPRA), and we ask you not to upload PHI, cardholder data (PCI), FERPA-regulated student education records, or other sector-specific regulated data that would require us to adopt a specialized compliance framework we have not expressly agreed to in writing (for example, acting as a HIPAA Business Associate or PCI service provider).
We do not knowingly collect ‘consumer health data’ (CHD) as defined by Washington’s My Health My Data Act or materially similar laws; please do not upload CHD. If you believe you submitted CHD, contact [email protected] and we will delete it.
Purposes of use: operate and improve the Services; perform invoice data extraction you request (including transmitting Customer Content to AI model providers solely for inference); provide support; process payments via Paddle; detect/prevent abuse and security incidents; comply with law.
Retention: Source uploads and pipeline logs are deleted within 24 hours; generated outputs are retained 90 days then deleted. Other account/operational data are retained as long as needed for the Services and legal obligations. See Sections 4 and 5 and Security for details.
Disclosure for business purposes: We disclose personal information to service providers/subprocessors (e.g., hosting, storage, database, auth, payments, AI model providers) strictly to operate the Services. See Subprocessors.
Sale/Sharing: We do not sell personal information and do not share it for cross-context behavioral advertising.
Opt-out preference signals (GPC): Because we do not sell/share, GPC signals do not change your experience; if that ever changes, we will honor GPC where required.
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, secure, and improve the Services, including transmitting Customer Content to vetted AI model providers solely to perform the extraction you request (no model training; provider retention disabled or minimized where settings allow). We do not transmit Customer Account Data (e.g., user identities, emails) to AI model providers.
- Generate downloadable outputs (e.g., spreadsheets) from your uploaded invoices
- Facilitate transactions processed by our payment provider, Paddle, and manage related communications
- Communicate with you about your account and our services
- Respond to your inquiries and customer service requests
- Send you technical notices, updates, security alerts, and support messages
- Detect, investigate, and prevent fraudulent transactions and other illegal activities
- Comply with legal obligations
3A. Deidentified and Aggregated Data (Public Commitment)
We may create deidentified and/or aggregated data from Customer Content and usage data solely for internal analytics and service improvement. We do not sell deidentified data and do not disclose it to third parties other than our infrastructure providers for storage/processing on our behalf. We maintain and use deidentified data only in deidentified form, do not attempt to reidentify individuals, and do not retain linkage keys with the deidentified datasets.
4. Data Retention and Deletion
- Uploaded invoices are deleted within 24 hours after processing. The 24-hour window allows us to investigate and remedy any reported extraction issues.
- Processing logs are deleted within 24 hours.
- Generated spreadsheets are retained for 90 days and stored securely on our servers. After 90 days, they are permanently deleted.
- You can access your spreadsheets anytime within the 90-day retention period through your account on our platform
- You can delete uploaded invoices, processing logs, and generated outputs earlier by deleting the task in your dashboard
- We retain other personal information for as long as necessary to provide our services and comply with our legal obligations
We rely on provider-managed database snapshots (encrypted) with a typical rotation of ~7 days. We do not maintain separate backups of object storage; lifecycle deletion enforces the 24-hour and 90-day periods above.
Errant CHD: If CHD is submitted contrary to our Terms, we promptly delete it on discovery (generally within ≤24 hours, consistent with our upload/log deletion windows).
5. Data Security
We prioritize the security of your data:
- Our platform is protected by Cloudflare, a leading cybersecurity company
- We use industry-standard encryption protocols to protect data in transit and at rest
- All data is stored on secure servers in the United States
- Some AI model providers may process invoice content in other regions; we disable model training and limit retention to the minimum necessary for abuse prevention/debugging.
- We implement appropriate technical and organizational measures to protect your personal information against unauthorized or unlawful processing, accidental loss, destruction, or damage
- We regularly review and update our security practices to enhance protection
- Access to personal information is restricted to authorized personnel only
- We configure AI providers to disable model training and to disable or minimize provider retention (limited to short security/abuse-prevention windows if required by a provider). See AI Data Use and Security for current posture.
However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security.
6. Data Sharing and Third Parties
We do not sell, trade, or rent your personal information to third parties. However, to provide our services effectively, we do share data with certain third parties:
We do not sell or share personal information for cross-context behavioral advertising.
6.1 Service Providers (processors/subprocessors)
We use trusted service providers to operate the Services. We disclose personal information to these providers only for our business purposes and under contracts that limit their use to providing services to us. Our current list of subprocessors is maintained at Subprocessors and we post 15 days’ advance notice of material changes there.
Examples of our service providers include:
- AI model providers (inference only): OpenAI, Anthropic, Google Gemini, and models available via OpenRouter - used solely to perform invoice data extraction you request; no model training; retention disabled or minimized where settings allow.
- Core infrastructure (may process Customer Content):
  - Render (application hosting)
  - Supabase (managed Postgres; account & task metadata; Row-Level Security)
  - Cloudflare R2 (object storage for uploads/outputs)
- Authentication (no Customer Content): Clerk (account/login).
- Payments / Merchant of Record (separate buyer data): Paddle (handles checkout, taxes, invoicing).
- Business communications (no Customer Content): Google Workspace (email/support).
See Subprocessors for the live, complete list and regions.
6.2 Other Circumstances for Data Sharing
We may also share your information in the following limited circumstances:
- With your explicit consent
- To comply with legal obligations
- To protect and defend our rights and property
- To prevent or investigate possible wrongdoing in connection with our service
- With other service providers who assist us in operating our website, conducting our business, or servicing you
- In the event of a merger, acquisition, or sale of all or a portion of our assets, with the acquiring company
6.3 Third-Party Privacy Practices
While we carefully select our service providers, we do not control and are not responsible for their privacy practices. We recommend reviewing their policies to understand how they handle your personal information.
6.4 Subprocessors and change notice
We publish our current subprocessor list at Subprocessors and post at least 15 days’ advance notice of material changes there. If you have reasonable data-protection objections, contact [email protected].
7. Your Privacy Rights
7.1 U.S. State Privacy Rights (e.g., CA, CO, CT, VA, UT and similar laws)
Depending on your state, you may have the rights to know/access, delete, and correct your personal information, the right to data portability, and the right to opt out of the sale or sharing of personal information. We do not sell personal information and do not share it for cross-context behavioral advertising. We also do not use or disclose sensitive personal information for purposes that require a right to limit.
How to exercise your rights: Email [email protected] with your request and the state you reside in. We will verify your identity using information associated with your account. We will respond within 45 days (extendable where permitted). You may use an authorized agent in California; we may require proof of authorization. We do not discriminate against you for exercising your rights. Appeals: If we deny your request, you may appeal by replying to our decision email with “Appeal” in the subject. We will respond to appeals within 45 days (or as required by your state law).
7.2 EEA/UK users (GDPR/UK GDPR)
If you are in the EEA/UK, you have rights of access, rectification, erasure, restriction, objection, and portability, and the right to lodge a complaint with your supervisory authority. To exercise rights, email [email protected]. We typically respond within one month as required by GDPR.
7.3 Contact for rights requests
8. Children's Privacy
Our services are designed for business use and are not intended for children under the age of 13. We do not knowingly collect or solicit personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will promptly take steps to delete that information.
If you are a parent or guardian and believe we may have inadvertently collected personal information from a child under 13, please contact us at [email protected]. We will work with you to address any concerns and remove any inappropriately collected information.
9. International Data Transfers
Your information may be transferred to and maintained on computers located outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ from those in your jurisdiction. If you are located outside the United States and choose to provide information to us, please note that we transfer the data to the United States and process it there.
Our primary hosting and storage are in the United States. AI model providers used solely for extraction may process Customer Content on global infrastructure. In all cases, we enforce our no-training and restricted-retention posture.
10. Data Breach Notification
In the event of a data breach affecting Customer Content or personal information, we will notify affected customers without undue delay and no later than 48 hours after becoming aware of a confirmed incident, and we will notify authorities where required by law.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy here and updating the "Last updated" date. You are advised to review this Privacy Policy periodically for any changes.
12. Contact
- Questions or privacy rights requests: [email protected]
- Security/vulnerability reports: [email protected]
- General support: [email protected]