Privacy Policy

Last updated: January 9, 2026

1. Introduction

AutoFact AI ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our invoice extraction and financial data processing platform (the "Service").

By using our Service, you agree to the collection and use of information in accordance with this policy. We process your data in compliance with the General Data Protection Regulation (GDPR), UK GDPR, and other applicable data protection laws.

2. Data Controller Information

Company Name: AutoFact AI

Service: B2B SaaS Platform for Invoice Extraction & Financial Automation

Contact Email: privacy@autofact.app

Security Contact: security@autofact.app

3. Data We Collect

We collect the following types of information:

3.1 Account Information

  • Full name
  • Email address
  • Company/workspace name
  • Authentication data (OAuth tokens, magic link verification)

3.2 Financial & Invoice Data

  • Invoice documents (PDFs, images)
  • Extracted invoice data (supplier names, amounts, dates, VAT numbers)
  • Supplier information
  • Transaction records
  • Financial analytics and reports

3.3 Technical Data

  • IP address
  • Browser type and version
  • Device information
  • Usage data and analytics
  • Cookies and similar tracking technologies

3.4 Communication Data

  • Support requests and correspondence
  • Feedback and survey responses

4. Purpose of Processing

We use your data for the following purposes:

  • Service Delivery: To provide invoice extraction, OCR processing, and financial automation features
  • Authentication: To verify your identity and secure your account using passwordless magic link authentication
  • Analytics: To generate financial insights, reports, and compliance analytics
  • Communication: To send service-related emails, notifications, and support responses
  • Security: To detect and prevent fraud, abuse, and security threats
  • Legal Compliance: To comply with applicable laws and regulations
  • Service Improvement: To improve our Service, develop new features, and optimize user experience

5. Legal Basis for Processing (GDPR)

Under GDPR, we process your personal data on the following legal bases:

  • Contract Performance (Art. 6(1)(b)): Processing is necessary to provide the Service you have contracted for
  • Legitimate Interests (Art. 6(1)(f)): To improve our Service, prevent fraud, and ensure security
  • Consent (Art. 6(1)(a)): Where you have given explicit consent for specific processing activities (e.g., marketing communications)
  • Legal Obligation (Art. 6(1)(c)): To comply with legal and regulatory requirements

6. Data Storage & Security

6.1 Security Measures

We implement industry-standard security measures to protect your data:

  • Encryption in transit (TLS) for all connections to the Service
  • Encryption at rest for stored data
  • Passwordless authentication (magic link or one-time code delivered by email)
  • Multi-factor authentication (MFA) support
  • Regular security audits and penetration testing
  • Access controls and role-based permissions
  • Secure cloud infrastructure (Supabase, Vercel)

6.2 Data Storage Location

Your data is stored on secure cloud servers. We use Supabase (PostgreSQL) for database services and Vercel for hosting. Data may be processed in the European Union, United States, and other regions where our service providers operate.

7. Data Sharing & Third Parties

We may share your data with the following third parties:

7.1 Service Providers

  • Supabase: Database and authentication services
  • Vercel: Hosting and deployment
  • OCR Providers: Invoice extraction and document processing
  • Email Service: Transactional emails and magic link delivery
  • Analytics Tools: Usage analytics and performance monitoring (anonymized where possible)

7.2 Legal Requirements

We may disclose your data if required by law, court order, or government regulation, or to protect our rights, safety, or property.

7.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. We will notify you before your data is transferred and becomes subject to a different privacy policy.

8. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA) and the United Kingdom, including the United States. We ensure that such transfers comply with applicable data protection laws by:

  • Using Standard Contractual Clauses (SCCs) approved by the European Commission
  • Ensuring adequate safeguards are in place
  • Relying on adequacy decisions where applicable

9. Your Rights (GDPR)

Under GDPR and UK GDPR, you have the following rights:

Right to Access (Art. 15)

Request a copy of your personal data we hold

Right to Rectification (Art. 16)

Correct inaccurate or incomplete personal data

Right to Erasure (Art. 17)

Request deletion of your personal data ("right to be forgotten")

Right to Restriction (Art. 18)

Limit how we use your personal data

Right to Data Portability (Art. 20)

Receive your data in a structured, machine-readable format

Right to Object (Art. 21)

Object to processing based on legitimate interests or direct marketing

Right to Withdraw Consent

Withdraw consent for processing at any time

To exercise any of these rights, please contact us at privacy@autofact.app. We will respond within 30 days.

10. Cookies & Tracking Technologies

We use cookies and similar tracking technologies to improve your experience. Types of cookies we use:

  • Essential Cookies: Required for authentication and core functionality (e.g., session cookies)
  • Performance Cookies: Help us understand how you use the Service (anonymized analytics)
  • Functional Cookies: Remember your preferences and settings

You can control cookies through your browser settings. Note that disabling essential cookies may affect Service functionality.

11. Data Retention

We retain your data for as long as necessary to provide the Service and comply with legal obligations:

  • Account Data: Retained while your account is active, plus 90 days after account deletion
  • Invoice Data: Retained for 7 years to comply with financial regulations
  • Logs & Technical Data: Retained for 12 months for security and troubleshooting
  • Backups: May be retained for up to 30 days after deletion

12. Children's Privacy

AutoFact AI is a B2B service not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at privacy@autofact.app.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy on this page with a new "Last updated" date
  • Sending an email notification to your registered email address
  • Displaying a prominent notice in the Service

Your continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Privacy Inquiries: privacy@autofact.app

Security Issues: security@autofact.app

Data Protection Officer: Available upon request

You also have the right to lodge a complaint with your local data protection authority if you believe we have not handled your personal data appropriately.

EU/UK Supervisory Authorities

EU: Contact your national data protection authority (list available at https://edpb.europa.eu)

UK: Information Commissioner's Office (ICO) – https://ico.org.uk

© 2026 AutoFact AI. All rights reserved.