Invoice Vault

Privacy Policy

Last updated: February 28, 2026

Invoice Vault ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

1. Information We Collect

Account Information

When you create an account, we collect your email address and basic profile information provided through your authentication provider (e.g., Google). If you register an accounting firm, we also collect your firm name and team member details.

Email Content

When you connect your email account, we access your emails in read-only mode to identify and extract invoice-related content. We process:

  • Email subject lines and body content (scanned for invoice detection)
  • Email attachments (PDFs and images that may contain invoices)
  • Sender information (to identify vendors)

We do not store the full content of your emails. We only retain extracted invoice data (vendor names, amounts, dates, line items) and references to the original email for re-access.

File Storage

When you connect your Google account, we may also store extracted invoice files (PDFs) in your Google Drive. We create a dedicated "Invoice Vault" folder organized by year, month, and vendor. We only access files created by our application — we never read, modify, or delete your other Google Drive files.

Usage Data

We collect anonymous usage data including pages visited, features used, and general interaction patterns to improve the Service.

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Scan your email for invoices and extract relevant data
  • Store extracted invoice files in your Google Drive
  • Organize invoices by vendor and provide analytics
  • Send you important account-related notifications
  • Respond to your support requests
  • Detect and prevent fraud or abuse

3. Third-Party Services

We use the following third-party services to operate the platform:

  • Supabase — Database hosting and authentication. Your account data and extracted invoice records are stored in Supabase-managed PostgreSQL databases with row-level security.
  • Stripe — Payment processing for paid subscriptions. We do not store your credit card information; it is handled entirely by Stripe in compliance with PCI DSS standards.
  • AI Processing (Anthropic Claude) — We use Anthropic's Claude AI models to analyze email content and extract invoice data. Email content and PDF attachments are processed in real-time. Data is not retained by Anthropic beyond the processing window, in accordance with Anthropic's data handling policies.
  • Google OAuth — Used for secure authentication, read-only Gmail access, and storing invoice files in your Google Drive. We request only the minimum scopes required: read-only email access (gmail.readonly), file management limited to files created by this app (drive.file), and your email address (userinfo.email).

4. Data Storage & Security

We implement industry-standard security measures to protect your data:

  • All data is encrypted in transit (TLS) and at rest (AES-256)
  • Database access is controlled via row-level security policies
  • Email connections use OAuth 2.0 — we never store your email password
  • Access to production systems is restricted and logged

5. Data Retention

We retain your account data and extracted invoice information for as long as your account is active. When you delete your account:

  • Your account and all associated data are deleted within 30 days
  • Email connections are immediately revoked
  • Google user data (email analysis results and Drive files) is deleted along with your account data. Google OAuth tokens are revoked immediately upon disconnection or account deletion.
  • Backup copies are purged within 90 days

6. Your Rights (GDPR)

Under the General Data Protection Regulation (GDPR) and similar privacy laws, you have the right to:

  • Access — Request a copy of your personal data
  • Rectification — Request correction of inaccurate data
  • Erasure — Request deletion of your data ("right to be forgotten")
  • Portability — Request export of your data in a machine-readable format
  • Restriction — Request limitation of data processing
  • Objection — Object to processing based on legitimate interests

To exercise any of these rights, contact us at privacy@invoicevault.app.

7. Your Rights (CCPA)

If you are a California resident, under the California Consumer Privacy Act you have the right to:

  • Know what personal information we collect, use, and disclose
  • Delete your personal information
  • Opt-out of the sale of your personal information (we do not sell personal information)
  • Non-discrimination for exercising your privacy rights

To exercise these rights, contact us at privacy@invoicevault.app.

8. Google API Services Compliance

Invoice Vault's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We only use Google user data to provide the invoice management features visible in our application
  • We do not transfer Google user data to third parties except as necessary to provide our service (AI-powered invoice data extraction), with your consent
  • No human reads your Google data unless you have given explicit consent, or it is necessary for security or legal compliance purposes
  • We do not use Google user data for advertising, retargeting, credit scoring, or any purpose unrelated to the invoice management features of the Service
  • You can revoke Google access at any time through your account settings or your Google Account permissions

9. Cookies

We use the following cookies:

  • Session cookies (Supabase) — Essential for authentication. These cookies maintain your login session and cannot be disabled while using the Service.
  • Analytics cookies (PostHog) — Used to collect anonymous usage data to improve the Service. You can opt out of analytics tracking in your account settings.

10. Children's Privacy

The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy and changing the "Last updated" date. Your continued use of the Service after changes take effect constitutes acceptance.

12. Contact

If you have any questions about this Privacy Policy or our data practices, please contact us at privacy@invoicevault.app.

See also our Terms & Conditions.