Privacy Policy

ExtractInvoice is the data controller for personal data processed through the Service.

• Contact: hello@extractinvoice.app
• Website: extractinvoice.app
• Location: United States

As a solo operation, ExtractInvoice does not have a designated Data Protection Officer. For all privacy inquiries, reach out directly at the email above. ExtractInvoice aims to respond within 48 hours.

• Account data: email, OAuth tokens (Google sign-in), plan, profile settings.
• Billing data: via Stripe (ExtractInvoice doesn't store full card numbers).
• Documents: files you upload (PDF/images) and the extracted data the service generates.
• Usage & logs: feature use, request metadata, error logs (sanitized), device/OS, IP.
• Diagnostics: health checks, rate-limit counters, performance metrics.
• Email submissions: if you send invoices via email for processing, the service receives the email content, attachments, and sender address.

• Provide, secure, and maintain the Service (auth, extraction, storage, billing).
• Communicate about account, billing, and product updates (opt-out available).
• Monitor health, prevent abuse, and troubleshoot incidents.
• Improve accuracy and reliability (aggregate/anonymous metrics only).
• Comply with legal obligations (records, security, taxation).

If you're in the EU/UK, here's the legal basis ExtractInvoice relies on to process your data:

• Contract performance: everything needed to deliver the Service you signed up for (extraction, storage, billing).
• Legitimate interest: security, abuse prevention, and service improvement (using anonymized data).
• Legal obligation: when required by law (tax records, data retention).
• Consent: optional stuff like marketing emails (you can withdraw anytime).

• Your documents (or derived images) may be sent to AI providers to perform extraction.
• ExtractInvoice restricts sent data to what's needed and avoids sensitive data where possible.
• ExtractInvoice does not permit providers to train on your data.

ExtractInvoice uses AI to extract data from your uploaded documents. This is automated processing, but it does not produce decisions with legal or similarly significant effects on you.

• What it does: extracts invoice fields (vendor, amount, date, line items) from your documents.
• What it doesn't do: make financial decisions, approve payments, or take actions on your behalf.
• Human review: you always review and approve extracted data before use. Low-confidence extractions are flagged for manual verification.

If you have concerns about automated processing, reach out at hello@extractinvoice.app.

• Neon: Postgres database for data storage.
• Vercel: Hosting, edge functions, and blob storage.
• Stripe: Payments (PCI-DSS compliant).
• Google AI: Document extraction processing.
• Sentry: Error monitoring and performance tracking.
• Upstash: Rate limiting via Redis.
• Resend: Transactional email delivery.

ExtractInvoice does not sell personal data and only shares to operate the Service or when required by law.

ExtractInvoice offers export formats compatible with popular accounting software. These are file downloads — there's no direct connection to these services:

• QuickBooks: IIF (Desktop) and CSV (Online) formats. You download the file and import it into QuickBooks yourself.
• Other formats: CSV, Excel, JSON, and PDF for general use.

If you connect QuickBooks Online, invoice data is sent directly to your QuickBooks account via OAuth. All other exports are files you download to your device.

If you need a Data Processing Addendum for compliance, email hello@extractinvoice.app. ExtractInvoice maintains an up-to-date list of core subprocessors:

• Neon (Postgres database)
• Vercel (hosting, storage)
• Stripe (payments)
• Google AI (extraction processing)
• Sentry (error monitoring)
• Upstash (rate limiting)
• Resend (email delivery)

• Account data: retained while active, deleted on account deletion (subject to legal retention).
• Original files: stored per plan — Trial: 14 days, Starter: 90 days, Professional: 180 days, Premium: 365 days.
• Extracted data: retained indefinitely while subscribed; trial users: 14 days.
• After cancellation: original files deleted after 90 days, extracted data deleted after 180 days. You can export anytime before deletion.
• Logs/metrics: kept for security/reliability, then aggregated or deleted.

• Encryption: data encrypted in transit (HTTPS/TLS) and at rest (via hosting and database providers).
• Access controls: database row-level security ensures each user can only access their own data.
• Payment data: Stripe handles card data directly; ExtractInvoice never sees or stores full card numbers.
• Attack prevention: rate limits and abuse detection to deter brute force and scraping.
• Monitoring: error tracking and health checks to catch issues fast.

If ExtractInvoice discovers a security breach affecting your personal data:

• Timeline: affected users will be notified within 72 hours of confirming a breach, as required by GDPR.
• How: email to your registered address plus in-app notification.
• What you'll be told: what happened, what data was affected, what's being done about it, and what you should do.
• Response: ExtractInvoice investigates, contains, assesses impact, and takes steps to prevent recurrence.

You have several rights regarding your personal data:

• Access: request a copy by email or downloading your data in Settings → Data.
• Correction: update your info in profile settings or get in touch.
• Deletion: delete your account through settings or email. Deletion happens within 30 days.
• Portability: export your extracted data in multiple formats (CSV, Excel, JSON, PDF, QuickBooks) anytime. For a complete copy of all your data, use Settings → Data → Download My Data.
• Opt-out: unsubscribe from marketing via the email link.

ExtractInvoice may need to verify your identity before fulfilling certain requests.

ExtractInvoice doesn't sell your personal information. Period.

ExtractInvoice also doesn't share your personal information with third parties for their advertising or marketing purposes. Data is only shared with the service providers listed above (Neon, Vercel, Stripe, Google AI, Sentry, Upstash, Resend) to operate the Service.

If you're a California resident, you have the right to request ExtractInvoice disclose what personal information has been shared with third parties for their direct marketing purposes. Email hello@extractinvoice.app to make this request. ExtractInvoice will respond within 45 days.

ExtractInvoice protects international data transfers per applicable privacy laws:

• EU/UK transfers: ExtractInvoice relies on Standard Contractual Clauses (SCCs).
• Adequacy decisions: where applicable, ExtractInvoice uses EU-recognized adequacy decisions.
• Supplementary measures: technical and organizational protections per EDPB recommendations.

Request SCCs and transfer documentation at hello@extractinvoice.app.

If you're a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) give you additional rights:

• Right to know: what categories of personal information ExtractInvoice collects, uses, and shares.
• Right to delete: request deletion of your personal information (with some exceptions).
• Right to correct: request correction of inaccurate personal information.
• Right to opt-out: ExtractInvoice doesn't sell personal information, so nothing to opt-out from.
• Right to non-discrimination: ExtractInvoice won't discriminate against you for exercising your privacy rights.

To exercise these rights, email hello@extractinvoice.app or use your account settings. ExtractInvoice will verify your identity and respond within 45 days.

If you're in the EU or UK, GDPR gives you additional rights:

• Right to access: request a copy of your personal data.
• Right to rectification: correct inaccurate or incomplete data.
• Right to erasure ("right to be forgotten"): request deletion of your personal data.
• Right to restrict processing: limit how ExtractInvoice uses your data.
• Right to data portability: receive your data in a structured, machine-readable format. Use Settings → Data → Download My Data to export everything as JSON.
• Right to object: object to processing based on legitimate interest.
• Right to withdraw consent: where processing is based on consent, you can withdraw it at any time without affecting prior processing.
• Right to lodge a complaint: you can file a complaint with your local data protection supervisory authority if you believe your rights have been violated.

Contact hello@extractinvoice.app to exercise these rights. ExtractInvoice will respond without undue delay and within one month.

A list of EU supervisory authorities is available at edpb.europa.eu. UK residents can contact the Information Commissioner's Office (ICO).

• Essential cookies: login sessions, security tokens, preferences. Required for the service to function.
• Analytics cookies: privacy-respecting usage metrics. No retargeting, no cross-site tracking.
• Functional cookies: remember your preferences for return visits.

ExtractInvoice doesn't use third-party advertising cookies. Control non-essential cookies via your browser.

The Service is intended for users 18 and older who can form a binding contract. ExtractInvoice does not knowingly collect personal data from anyone under 18. If it's discovered that data from someone under 18 has been collected, it will be deleted promptly. Contact hello@extractinvoice.app if you believe ExtractInvoice has data from a minor.

ExtractInvoice may update this policy. Material changes will be communicated by email or in-app. The “Updated” date reflects the latest version.

Questions or requests? Email hello@extractinvoice.app.