Privacy Policy
Last updated: 2026-05-04
1. Information We Collect
Inbox Ledger (the "Service") collects:
- Account data: email address, name (if provided via OAuth), authentication tokens.
- Email content: for connected mail accounts, we read messages to extract invoice/receipt attachments. We do not store full message bodies — only the attachments and minimal metadata (sender, subject, date).
- Document content: uploaded or extracted PDFs/images and the structured invoice data parsed from them (vendor, amount, date, line items).
- Integration credentials: OAuth refresh tokens for connected providers (e.g. Gmail, Outlook, Drive, OneDrive, accounting integrations) stored encrypted in our secrets management system.
- Billing data: billing customer ID, subscription status, plan. We do not store full payment-card data — payments are handled by our payment processor.
- Usage data: request logs, feature interactions, and error reports collected via our product analytics and error monitoring providers, with personal identifiers redacted.
2. Google API Services User Data Notice
Inbox Ledger's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Per-scope disclosure:
- gmail.readonly — read-only access. Used solely to find and download invoice/receipt attachments. Never used for AI model training. Never shared with third parties. Encrypted in transit (TLS 1.2+) and at rest in our secrets management system.
- drive.file — only files our app creates or that the user explicitly opens with our app.
- spreadsheets — only sheets our app writes to (the "Inbox Ledger" spreadsheet).
To extract structured invoice data, attachment contents are processed by our AI provider (OpenAI) via API. Per OpenAI's API Data Usage Policy, data submitted through the API is not used to train OpenAI's models and is retained for up to 30 days solely for abuse monitoring before deletion. We do not transfer Gmail data to any other third party.
3. Microsoft Graph Data Notice
For users connecting Outlook or OneDrive via Microsoft Graph:
- Mail.Read — read-only access used solely to extract invoice/receipt attachments.
- Files.ReadWrite.AppFolder — limited to our app's OneDrive folder ("Inbox Ledger").
The same protections apply as for Google data: encrypted at rest, never shared, and never used for advertising or AI model training. As with Gmail data, attachment contents are processed by our AI provider (OpenAI) via API solely for invoice data extraction, subject to the same data-handling terms described in section 2.
4. How We Use Information
- Provide and improve the Service (extract invoice data, run reconciliation).
- Bill subscribers and process payments through our payment processor.
- Send transactional email (login codes, invoices, account events).
- Diagnose errors and monitor performance through our analytics and error monitoring providers.
- Comply with legal obligations.
5. Sub-processors
We use vetted third-party service providers to operate the Service (for example, hosting, database, payment processing, transactional email, analytics, error monitoring, and live chat support — including Crisp). A current list of sub-processors is maintained in our internal sub-processor register and is available to Customers upon written request to privacy@inboxledger.app. We will notify Customers via email at least 30 days before adding or replacing a sub-processor.
6. Your Rights
GDPR (EU/UK users): right to access, rectify, erase, restrict processing, data portability, and object. To exercise these, email privacy@inboxledger.app.
CCPA (California users): right to know what personal information is collected, request deletion, opt out of sale (we do not sell data), and equal service.
You can also delete your account at any time from Settings → Delete account; this triggers a permanent erasure of all your data and revokes all OAuth tokens.
7. Data Retention
| Category | Retention |
|---|---|
| Account & profile | Until account deletion |
| Invoices & documents | Until user deletes them or account is deleted |
| Audit log | 1 year, then purged |
| Server logs | 30 days |
| Error reports | 90 days |
| Backups | 30 days, then permanently destroyed |
8. Security
- All data in transit is encrypted with TLS 1.2 or higher.
- OAuth tokens and other secrets are stored with column-level encryption in our secrets management system.
- Database access is restricted by Postgres Row-Level Security (RLS) — users can only access their own organisation's data.
- Service-role access is limited to webhooks and background workers.
- We follow OWASP ASVS Level 2 controls and are working toward CASA Tier 2 verification.
9. International Transfers
Data may be processed in the United States and the European Union. For EU/UK users, we rely on EU Standard Contractual Clauses (SCCs) for cross-border transfers to US-based sub-processors.
10. Children
The Service is not directed at children under 18. We do not knowingly collect data from minors. If you believe a minor has provided data, contact us and we will delete it.
11. Changes to this Policy
We may update this policy. Material changes will be announced via email and a banner on the Service at least 30 days before they take effect. The latest version is always the one published at this URL.
12. Contact
For privacy questions: privacy@inboxledger.app.
13. Last Updated
2026-05-04