Short version (for humans)
The detailed policy below is what legally counts. If anything conflicts, the detailed policy wins — and please tell us at hello@extractinvoice.app.
- We collect what’s needed to run the service (account, billing via Stripe, docs you upload, usage logs).
- We use Firebase (auth/db/storage), Stripe (payments), and AI providers to extract data.
- We don’t sell your data. Providers don’t train on your data.
- You can access/export/delete your data; email hello@extractinvoice.app or use in‑app tools.
We take your privacy seriously. This Privacy Policy explains what we collect, how we use it, who we share it with, and the choices you have. We stick to the minimum necessary to provide a fast, reliable service.
Data Controller
ExtractInvoice (Jon & Ali) is the controller of personal data processed through the Service.
What We Collect
- Account data: email, hashed password, plan, profile settings.
- Billing data: via Stripe (we don’t store full card numbers).
- Documents: files you upload (PDF/images) and the extracted data we generate.
- Usage & logs: feature use, request metadata, error logs (sanitized), device/OS, IP.
- Diagnostics: health checks, rate‑limit counters, performance metrics.
How We Use Data
- Provide, secure, and maintain the Service (auth, extraction, storage, billing).
- Communicate about account, billing, and product updates (you can opt out of non‑essential emails).
- Monitor health, prevent abuse, and troubleshoot incidents.
- Improve accuracy and reliability (aggregate/anonymous metrics only).
- Comply with legal obligations (records, security, taxation).
AI Providers & Processing
- Your documents (or derived images) may be sent to AI providers (Google) to perform extraction.
- We restrict sent data to what’s needed and avoid sensitive data where possible.
- We do not permit providers to train on your data.
Sharing
- Firebase (Auth, Firestore, Storage) for identity and data storage.
- Stripe for payments (PCI‑DSS compliant).
- AI providers for extraction as described above.
- We do not sell personal data. We share only to operate the Service or when required by law.
DPA (Data Processing Addendum) & Subprocessors
If you need a DPA for your compliance records, it is available upon request — email hello@extractinvoice.app. We also maintain an up‑to‑date list of our core subprocessors (Firebase, Stripe, and AI providers used for document extraction) and will provide details on request.
Current core subprocessors
- Google Firebase (Auth, Firestore, Storage)
- Stripe (payments)
- Google AI (extraction processing)
We will update this list when we add or change core subprocessors.
Data Retention
- Account data: retained while your account is active. Deleted upon account deletion (subject to legal retention).
- Documents: for Professional/Premium, stored to enable history; otherwise may be deleted after processing.
- Files: stored copies follow plan retention — Starter: 7 days, Professional: 90 days, Premium: 365 days. Trials do not include file storage.
- Logs/metrics: kept for a limited period for security and reliability, then aggregated or deleted.
Security
- Transport security (HTTPS) and access controls.
- Firebase Security Rules for data isolation per user.
- Stripe handles payment data; we never store full card numbers.
- App Check & rate limits to deter abuse.
Your Rights
You have several rights regarding your personal data:
- Access: request a copy of your personal data by emailing hello@extractinvoice.app or using in‑app export tools.
- Correction: update your account information directly in your profile settings or contact us for corrections.
- Deletion: delete your account and associated data through account settings or by emailing us. We'll delete your data within 30 days, except where required to retain for legal purposes.
- Portability: export your extracted data in CSV format from the dashboard at any time.
- Opt‑out: unsubscribe from marketing emails via the unsubscribe link or by emailing us.
- Response time: we'll respond to data rights requests within 30 days for GDPR-covered requests, typically much sooner.
Verification: to protect your privacy, we may need to verify your identity before fulfilling certain requests.
International & Children's Data
- Data may be processed in the U.S. and other regions where our providers operate.
- The Service is not intended for children under 13, and we do not knowingly collect their data.
International Data Transfers
We protect international data transfers in accordance with applicable privacy laws:
- EU/UK data transfers: we rely on Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EU/EEA and UK to other countries.
- Adequacy decisions: where applicable, we utilize EU-recognized adequacy decisions for countries with adequate privacy protections.
- Supplementary measures: we implement technical and organizational measures to protect data in line with European Data Protection Board recommendations.
- Data residency options: for customers with specific data residency requirements, contact us to discuss available options.
You can request a copy of our SCCs and data transfer documentation by emailing hello@extractinvoice.app.
California & GDPR
If you’re in California or the EU/UK, you may have additional rights (access, deletion, correction, portability, objection). Contact us to exercise these rights. We do not sell personal information.
Cookies
We use cookies and similar technologies to provide, secure, and improve our Service. Here's what we use and why:
- Essential cookies (required): login sessions, security tokens, and preferences. These cookies are necessary for the Service to function and cannot be disabled.
- Analytics cookies: limited, privacy‑respecting metrics about usage patterns, errors, and performance. No personal data collection, no retargeting, no cross-site tracking.
- Functional cookies: remember your preferences and settings to improve your experience on return visits.
Third-party cookies: we don't use third-party advertising or tracking cookies. Our analytics are privacy-first and don't share data with ad networks.
Cookie controls: essential cookies are required for the Service to work. You can control other cookies through your browser settings, but this may affect functionality.
Changes to This Policy
We may update this policy. Material changes will be communicated by email or in‑app. The “Last updated” date reflects the latest version.
Contact
Questions or requests? Email hello@extractinvoice.app.