Privacy Policy

Short version (for humans)

The detailed policy below is what legally counts. If anything conflicts, the detailed policy wins — and please tell us at hello@extractinvoice.app.

  • We collect what’s needed to run the service (account, billing via Stripe, docs you upload, usage logs).
  • We use Firebase (auth/db/storage), Stripe (payments), and AI providers to extract data.
  • We don’t sell your data. Providers don’t train on your data.
  • You can access/export/delete your data; email hello@extractinvoice.app or use in‑app tools.

We take your privacy seriously. This Privacy Policy explains what we collect, how we use it, who we share it with, and the choices you have. We stick to the minimum necessary to provide a fast, reliable service.

Data Controller

ExtractInvoice (Jon & Ali) is the controller of personal data processed through the Service.

What We Collect

  • Account data: email, hashed password, plan, profile settings.
  • Billing data: via Stripe (we don’t store full card numbers).
  • Documents: files you upload (PDF/images) and the extracted data we generate.
  • Usage & logs: feature use, request metadata, error logs (sanitized), device/OS, IP.
  • Diagnostics: health checks, rate‑limit counters, performance metrics.

How We Use Data

  • Provide, secure, and maintain the Service (auth, extraction, storage, billing).
  • Communicate about account, billing, and product updates (you can opt out of non‑essential emails).
  • Monitor health, prevent abuse, and troubleshoot incidents.
  • Improve accuracy and reliability (aggregate/anonymous metrics only).
  • Comply with legal obligations (records, security, taxation).

AI Providers & Processing

  • Your documents (or derived images) may be sent to an AI provider (OpenAI) to perform extraction.
  • We restrict sent data to what’s needed and avoid sensitive data where possible.
  • We do not permit providers to train on your data.

Sharing

  • Firebase (Auth, Firestore, Storage) for identity and data storage.
  • Stripe for payments (PCI‑DSS compliant).
  • AI providers for extraction as described above.
  • We do not sell personal data. We share only to operate the Service or when required by law.

DPA (Data Processing Addendum) & Subprocessors

If you need a DPA for your compliance records, it is available upon request — email hello@extractinvoice.app. We also maintain an up‑to‑date list of our core subprocessors (Firebase, Stripe, and AI providers used for document extraction) and will provide details on request.

Current core subprocessors

  • Google Firebase (Auth, Firestore, Storage)
  • Stripe (payments)
  • OpenAI (extraction processing)

We will update this list when we add or change core subprocessors.

Data Retention

  • Account data: retained while your account is active. Deleted upon account deletion (subject to legal retention).
  • Documents: for Professional/Premium, stored to enable history; otherwise may be deleted after processing.
  • Files: stored copies follow plan retention — Starter: 7 days, Professional: 90 days, Premium: 365 days. Trials do not include file storage.
  • Logs/metrics: kept for a limited period for security and reliability, then aggregated or deleted.

Security

  • Transport security (HTTPS) and access controls.
  • Firebase Security Rules for data isolation per user.
  • Stripe handles payment data; we never store full card numbers.
  • App Check & rate‑limits to deter abuse.

Your Rights

  • Access, correction, deletion: email hello@extractinvoice.app or use in‑app tools.
  • Portability: export extracted data (CSV) from the dashboard.
  • Opt‑out: unsubscribe from non‑essential emails.

International & Children’s Data

  • Data may be processed in the U.S. and other regions where our providers operate.
  • The Service is not intended for children under 13, and we do not knowingly collect their data.

California & GDPR

If you’re in California or the EU/UK, you may have additional rights (access, deletion, correction, portability, objection). Contact us to exercise these rights. We do not sell personal information.

Cookies

  • Essential cookies: login sessions, security, and preferences (required).
  • Analytics: limited, privacy‑respecting metrics (no retargeting).

Changes to This Policy

We may update this policy. Material changes will be communicated by email or in‑app. The “Last updated” date reflects the latest version.

Contact

Questions or requests? Email hello@extractinvoice.app.