Privacy Policy

Last Updated: 2026-02-12

1. Data Collection

We collect and process the following data:

  • Email account credentials (encrypted)
  • Email messages containing receipts/invoices
  • Extracted invoice data (merchant, amount, date, etc.)
  • Application usage logs

2. Legal Basis for Processing

We process your data based on:

  • Contract performance: To provide invoice scanning services
  • Legitimate interest: To improve service quality
  • Consent: For AI-powered extraction (optional)

3. Data Processors

3.1 OpenAI (Optional - AI Extraction)

When you enable AI-powered extraction:

  • Purpose: Accurate invoice data extraction
  • Data sent: Invoice text content only (minimized)
  • Location: OpenAI servers (US-based, GDPR-compliant via DPA)
  • Retention: 30 days maximum (then deleted)
  • Legal basis: Your explicit consent + Data Processing Addendum
  • Your rights: Disable AI processing anytime in settings

OpenAI's GDPR Commitments:

  • Acts as data processor under GDPR Article 28
  • Signed Data Processing Addendum (DPA)
  • Does NOT train models on your API data
  • Provides data deletion after 30 days

Data Minimization: We only send invoice text (no email metadata), limit to 10,000 characters, and optionally redact personal information.

3.2 Scaleway (Infrastructure)

  • Purpose: Application and database hosting
  • Location: France (Paris datacenter)
  • Compliance: EU-based, GDPR-compliant

3.3 Gmail API (Optional)

  • Purpose: Email scanning for receipts
  • Your control: You authorize access via OAuth
  • Revocation: Revoke access anytime

4. Your Rights (GDPR)

  • Right to Access: Export your data
  • Right to Rectification: Edit any receipt in the library
  • Right to Erasure: Delete your account and all data
  • Right to Data Portability: Export in CSV/JSON format
  • Right to Object: Disable AI processing in Settings
  • Right to Restrict Processing: Pause scanning in settings
  • Right to Withdraw Consent: Toggle off AI consent (immediate effect)

5. Data Retention

  • Default: 90 days (configurable in settings)
  • OpenAI API data: 30 days maximum
  • Audit logs: 1 year
  • Backups: 90 days

6. Data Security

  • Encryption in transit: HTTPS/TLS for all connections
  • Encryption at rest: PostgreSQL encryption
  • Access control: API keys + authentication
  • Audit logging: All data access logged
  • Regular backups: Daily encrypted backups

7. International Data Transfers

OpenAI (US-based): Data may transit through US servers, protected by DPA (GDPR Article 28) and Standard Contractual Clauses. You can opt-out by disabling AI processing.

All other data: Remains within EU (Scaleway France).

8. Data Breach Notification

In case of a data breach, you will be notified within 72 hours. Authorities will be notified as required by GDPR.

9. Contact

For privacy inquiries or to exercise your rights, contact the data controller at the email address configured in the application settings.