Privacy Policy
Last updated: January 29, 2025
TL;DR: Your email credentials are encrypted and stored locally. Invoice detection and AI classification happen entirely on your device. Data is sent to our servers only when you explicitly forward an invoice to a recipient.
1. Introduction
Invoice Orchestra ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our Chrome extension.
2. Data We Collect
2.1 Authentication Credentials
- Gmail App Password: When you connect Gmail, you provide an App Password (not your main Google password). This is encrypted using AES-256-GCM with a key derived from your email address and stored locally in your browser using Chrome's storage API. The encrypted credentials are transmitted to our secure IMAP proxy server only during active email scanning sessions.
- Microsoft Outlook: We use OAuth 2.0 authentication. Tokens are stored locally in your browser and refreshed as needed.
Important: When you sign out, all stored credentials are immediately and permanently deleted from your device.
2.2 Email Data Processed
- Email Metadata: Subject lines, sender addresses, and dates are scanned to identify potential invoices. This data is processed locally and stored in your browser's IndexedDB.
- PDF Attachments: PDF files are downloaded and analyzed locally using on-device AI to determine if they are invoices. The PDF content and extracted text are stored locally.
- Invoice Content: Detected invoices (including amounts, vendor names, dates) are stored locally in your browser for display in the extension.
2.3 Data Stored in the Cloud
- User Settings: Your preferences (recipient email addresses, language, scan frequency) are synced to Firebase to enable cross-device access.
- Invoice Metadata: Basic invoice information (sender, date, amount, status) is synced to Firebase for cross-device access. Full PDF content remains local.
- Anonymous User ID: A hashed identifier derived from your email for account management.
2.4 Data Transmitted When Forwarding
When you explicitly click "Forward" on an invoice:
- The PDF file is transmitted to our Cloudflare Worker
- The recipient email address you configured is transmitted along with it
- The email is sent via the Resend API, and the PDF is immediately deleted from our servers
3. Summary of Data Types
| Data Type | Collected | Purpose |
|---|---|---|
| Email address | Yes | Account identification, recipient configuration |
| App Password (Gmail) | Yes (encrypted, local) | IMAP access for email scanning |
| Email content | Yes (local only) | Invoice detection and display |
| PDF attachments | Yes (local only) | Invoice analysis and forwarding |
| Financial data (invoice amounts) | Yes (local + synced metadata) | Display detected invoice information |
4. How We Process Your Data
4.1 On-Device Processing
The following happens entirely within your browser:
- AI Invoice Classification: We use a quantized ONNX model (~50MB) that runs locally using WebAssembly. No email or invoice content is sent to external AI services.
- PDF Text Extraction: PDF parsing happens locally using pdf.js.
- Invoice Detection: Pattern matching and classification occur on your device.
4.2 Server-Side Processing
Our servers are involved only for:
- IMAP Proxy: Your encrypted credentials are decrypted server-side to establish IMAP connections with Gmail (required because browsers cannot connect to IMAP directly). Email content is streamed and never stored on our servers.
- Email Forwarding: When you forward an invoice, the PDF passes through our server to be sent via email.
- Settings Sync: Your preferences are stored in Firebase.
5. Data Security
- Encryption at Rest: Gmail App Passwords are encrypted with AES-256-GCM before storage
- Encryption in Transit: All network communication uses TLS 1.3
- Credential Destruction: When you sign out, credentials are immediately and permanently deleted
- No Credential Logging: Our IMAP proxy server never logs credentials or email content
- Secure Infrastructure: Firebase (Google Cloud) for data storage, Cloudflare Workers for email forwarding
6. Data Sharing
We do NOT:
- Sell or transfer your data to third parties
- Use your data for advertising
- Share your email content with anyone
- Use your data for purposes unrelated to the extension's functionality
- Use your data to determine creditworthiness or for lending purposes
7. Third-Party Services
| Service | Purpose | Data Shared |
|---|---|---|
| Google Firebase | Authentication, settings storage | User ID, settings, invoice metadata |
| Resend | Email delivery for forwarding | Recipient email, PDF attachment (deleted after sending) |
| Railway/Render | IMAP proxy hosting | Encrypted credentials (in memory only, never stored) |
8. Your Rights
You have the right to:
- Access: View all data stored about you in the extension
- Deletion: Sign out to destroy credentials instantly; contact us to delete cloud data
- Portability: Export your invoice data from the extension
- Revoke Access: Delete your Gmail App Password from Google Account settings at any time
To exercise these rights, contact us at privacy@orchestra.works.
9. Data Retention
| Data Type | Retention Period |
|---|---|
| Credentials | Until you sign out (then immediately destroyed) |
| Local invoice data | Until you clear browser data or uninstall |
| Cloud settings | Until you request account deletion |
| Forwarded PDFs | Deleted immediately after sending |
10. Children's Privacy
Invoice Orchestra is designed for business use and is not intended for children under 16. We do not knowingly collect information from children.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice in the extension and updating the "Last updated" date above.
12. Contact Us
If you have questions about this Privacy Policy or want to exercise your data rights:
- Email: privacy@orchestra.works
- Website: https://orchestra.works