Privacy Policy

Last updated: May 26, 2026.

Summary

Catchbills reads only the email metadata and attachments needed to identify and extract invoices. Email bodies are never persisted to our database. OAuth tokens are encrypted at rest using XChaCha20-Poly1305. PDFs are stored in Cloudflare R2 behind short-lived signed URLs.

What we collect

• Account info from Clerk (email, name, profile image)
• OAuth tokens from Google / Microsoft (encrypted)
• Invoice PDFs and the extracted fields (vendor, amount, date, GST number, etc.)
• Audit logs for security-sensitive actions

What we do NOT collect

• Email body content (we discard after extraction)
• Non-invoice emails
• Contacts, calendar, or other Google services beyond Gmail read-only

Your rights

• Export all data: Settings → Export all data
• Disconnect an account: data deleted within 30 days
• Delete account: soft-deleted immediately, purged within 30 days

Contact

Email privacy@catchbills.app for any requests.