Privacy Policy

Introduction

InvoiceParser Pro LLC ("InvoiceParser Pro," "we," "us," or "our") operates the InvoiceParser Pro service (the "Service"), an invoice data extraction platform for bookkeepers, accounting firms, and small businesses. This Privacy Policy explains what information we collect, how we use it, who we share it with, how long we keep it, and what rights you have with respect to it.

This policy applies to all users of the Service. By using the Service, you agree to the data practices described here. If you do not agree, do not use the Service.

Information We Collect

How We Use Your Information

We use the information described above to:

• Run the core extraction pipeline (OCR, structured data extraction, review, export).
• Create and maintain your account, authenticate you, and manage your workspace.
• Process subscription payments and keep billing records.
• Send you transactional email (magic-link sign-in, receipts, account notices) via Resend.
• Monitor service health, debug errors, investigate abuse or security incidents, and improve extraction quality.
• Provide customer support when you contact us.
• Comply with legal, tax, and regulatory obligations.

We do not use your uploaded invoices or extracted data to train machine learning models, either our own or third-party models. We do not sell, rent, or trade your personal information.

How We Share Your Information

We share information only with the service providers ("sub-processors") needed to run the Service, and only to the extent necessary for each provider to perform its role. Every sub-processor is bound by a written data processing agreement or equivalent contractual terms.

• Azure Document Intelligence (Microsoft) — primary OCR and layout extraction. Invoice images and PDFs you upload are sent to Azure for text recognition and bounding-box analysis. US region.
• OpenAI (GPT-4o) — structured enrichment. The text and layout output from Azure is passed to OpenAI's GPT-4o API for field-level extraction (vendor, totals, line items) and validation.
• Cloudflare R2 — object storage for the original files you upload. S3-compatible, US region. Files are scoped to your workspace and never shared across tenants.
• Railway (Postgres) — primary database for account, workspace, extracted invoice data, review history, and billing records. US region.
• Stripe — payment processing. Stripe collects and stores payment card and billing address data directly; we receive only subscription status and masked metadata.
• Resend — transactional email delivery (magic-link sign-in, receipts, account notices).
• Sentry — error tracking and performance monitoring. Stack traces, request metadata, and user identifiers are sent to Sentry when an error occurs so we can diagnose and fix it.
• PostHog — product analytics and session replay. See "Cookies & similar technologies" below for details on what PostHog captures.
• Vercel — frontend hosting and edge delivery. Page requests, IP addresses, and request metadata are processed by Vercel to serve the application. US region.
• Mailgun — additional transactional email delivery used for certain outbound notifications. Email addresses and message content are transmitted to Mailgun for delivery.
• Valkey / Redis — in-memory cache and job queue used for session management, rate limiting, and background task coordination. No invoice content is stored in the cache layer; only short-lived session tokens and task state.

Under our API agreements with Azure and OpenAI, neither provider uses content you submit via the Service to train their underlying models.

Authentication providers

If you choose to sign in with a third-party identity provider, that provider authenticates your identity and returns a verified email address to us. Authentication providers receive no invoice content, extracted data, or account data beyond the email address they return. We never receive your password.

• Google — optional "Sign in with Google."
• Microsoft — optional "Sign in with Microsoft."

We may also disclose information when required by law, valid legal process, or to protect the rights, safety, or property of InvoiceParser Pro, our users, or the public.

Data Retention

You choose how long we retain the original files you upload. Four options are available to every workspace owner, regardless of plan tier:

• 7 years — recommended default, aligned with the IRS requirement that financial records supporting tax returns be kept for at least 7 years. All new workspaces start on this option.
• 3 years — a middle ground for teams that reconcile and export quickly.
• 1 year — for high-volume teams that treat their accounting system (QuickBooks, Xero, Zoho) as the long-term record of truth.
• Permanent — we never auto-delete. Files remain until you delete them manually or close your account.

Workspace owners can change the retention period at any time from Dashboard → Settings → File Retention.

Extracted invoice data (vendor, invoice number, dates, amounts, line items, review history) is retained for the life of your account regardless of which file retention option you pick. Account and billing records are retained for the life of your account and for a reasonable period thereafter for legal, tax, and audit purposes.

For more detail see our Data Retention page.

Security

We apply standard commercial security controls to protect the data we hold. These include:

• HTTPS/TLS enforced on every API and web endpoint; no plaintext connections are accepted.
• Session cookies are marked Secure, HttpOnly, and SameSite; session revocation on logout is handled server-side.
• API keys are hashed with SHA-256 before storage; the plaintext key is shown only once, at creation.
• ERP integration tokens (QuickBooks Online, Xero, Zoho Books) are encrypted at rest using Fernet symmetric encryption with a server-held key.
• Payment data is handled entirely by Stripe. We never receive or store full card numbers.
• Per-workspace data isolation at the query layer — no cross-tenant access path exists.
• Automated backups of the primary database and object storage.

No system is perfectly secure. We cannot guarantee that unauthorized access, disclosure, or data loss will never occur. If we become aware of a security incident that affects your data, we will notify you as required by applicable law.

Cookies & Similar Technologies

We use cookies, local storage, and similar technologies for three purposes:

• Essential (authentication & session). We set a secure, HttpOnly session cookie when you sign in. Without this cookie, the Service cannot know who you are. It cannot be disabled and we do not use it for tracking.
• Product analytics & session replay (PostHog). We use PostHog to record pageviews, click events, feature usage, and session replays. Session replay captures your interactions with the product UI — button clicks, form input (with sensitive field masking), navigation — so we can debug issues and improve the product. PostHog sets cookies and uses localStorage to maintain these signals.
• Error correlation (Sentry). Sentry uses cookies and localStorage to correlate errors across a browser session so we can diagnose multi-step failures.

We do not use advertising cookies, third-party marketing trackers, or cross-site ad networks. We do not sell the information collected by these tools.

Data Transfer & Location

All core Service infrastructure — Railway Postgres, Cloudflare R2 object storage, Azure Document Intelligence, and OpenAI API endpoints — is operated in the United States. If you access the Service from outside the United States, including from the European Economic Area, the United Kingdom, or Switzerland, the information you submit will be transferred to, stored in, and processed in the United States.

By using the Service from outside the United States, you acknowledge that US data protection laws may differ from those of your country and that the information described in this policy will cross international borders in the ordinary course of providing the Service.

Your Rights (GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights with respect to your personal data:

• Access — the right to know what personal data we hold about you and to obtain a copy of it.
• Rectification — the right to have inaccurate or incomplete personal data corrected.
• Erasure ("right to be forgotten") — the right to have your personal data deleted, subject to our legal retention obligations.
• Restriction of processing — the right to limit how we process your personal data in certain circumstances.
• Data portability — the right to receive your personal data in a structured, machine-readable format and to transmit it to another controller.
• Objection — the right to object to processing based on legitimate interests or direct marketing.
• Withdrawal of consent — where processing is based on consent, the right to withdraw that consent at any time.
• Lodge a complaint with a supervisory authority — the right to complain to the data protection authority in your country of residence if you believe we have violated your rights.

To exercise any of these rights, contact us at support@invoiceparserpro.com. We will verify your identity before acting on the request and will respond within the timeframe required by applicable law.

Your Rights (California / CCPA & CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

• Right to know — to request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of third parties with whom we have shared it.
• Right to delete — to request deletion of the personal information we have collected from you, subject to legal retention obligations.
• Right to correct — to request correction of inaccurate personal information.
• Right to opt out of sale or sharing — we do not sell your personal information and we do not share it for cross-context behavioral advertising. There is nothing to opt out of, but you still have the formal right.
• Right to limit use of sensitive personal information — the right to direct us to limit our use and disclosure of sensitive personal information to purposes necessary to provide the Service.
• Right to non-discrimination — we will not deny service, charge a different price, or provide a different level of service because you exercised one of these rights.

To exercise any of these rights, contact us at support@invoiceparserpro.com.

Children's Privacy

The Service is intended for business use by adults. We do not knowingly collect personal information from children under 18. If you believe we have collected information from a child under 18, please contact us and we will delete it.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top of this page and, where required, notify you by email. Your continued use of the Service after a change takes effect constitutes acceptance of the updated policy.

Contact Us

For any question about this Privacy Policy or our data practices, contact us at:

support@invoiceparserpro.com