Privacy Policy — Invoice Finder

1. Introduction and Consent

Welcome to Invoice Finder (hereinafter: the "Application," "Service," "System," or "we"), a software product of AREA 51 LTD, Company Registration No. 517320958 (hereinafter: the "Company"). This Privacy Policy explains how personal, business, and technical information is collected, stored, processed, and protected in connection with the use of the website, the application, and related services.

Use of the website, downloading or installing the software, purchasing a license, connecting a Gmail account or any other account, scanning email messages, activating OCR or AI capabilities, or any other use of the Service, constitutes confirmation that you have read this Privacy Policy and agreed to its terms in their entirety.

The software operates in the user's local computer environment and is not cloud-based.

2. Data Collection Policy

Invoice Finder operates on a Local-First model. There is a fundamental distinction between the information the Application processes on your computer (which remains with you) and the information the Company receives on its servers (minimal, for license management purposes only). The complete breakdown:

Part A — Information the Application accesses and processes on your computer

After you connect your Gmail account and grant OAuth authorization, the Application accesses your emails for the purpose of identifying invoices and business expenses. From Gmail, the Application reads:

• (a) Message subject lines;
• (b) Sender and recipient addresses;
• (c) Message date;
• (d) Message body content;
• (e) Attachments — primarily PDF files and images that may contain invoices.

From identified invoices, the Application extracts the following fields to organize and display them for you:

• (1) Supplier name / invoice issuer;
• (2) Supplier Tax ID / Business Registration Number;
• (3) Invoice number;
• (4) Invoice issue date;
• (5) Transaction amount (including and excluding VAT);
• (6) VAT rate and VAT amount;
• (7) Currency;
• (8) Itemized products / services (where appearing on the invoice);
• (9) Payment method (where appearing).

All information mentioned in this Part — both from Gmail and from invoice extraction — is stored exclusively in the local database on your computer, under your complete control. This information is not transmitted to Company servers at any stage, and is not transmitted to any third party except as specified in Part B below.

Part B — Direct flow from your computer to Google servers (without passing through the Company)

(1) Gmail content → Google Gmail API. Direct communication between your computer and Google servers, pursuant to the OAuth authorization you granted. The token enabling this communication is stored locally only on your computer, encrypted via Windows DPAPI or macOS Keychain, and is never transmitted to Company servers.

(2) Invoice text → Google Gemini API. Direct communication between your computer and Google servers, using a private API key you provide (BYOK — Bring Your Own Key). You are the direct customer of Google with respect to this service.

These data flows are subject to Google's Privacy Policy and Terms of Service, not the Company's.

Part C — What the Company (AREA 51 LTD) collects on its servers

The Company collects on its servers only the minimal information essential for license management and service operation:

• (1) Purchase details — full name, email address, purchase date, amount paid;
• (2) Machine ID of the computer on which the license was activated, for enforcing the single-machine license limit;
• (3) Technical logs of license verification operations against the Company server — timestamp, software version, verification status;
• (4) Support inquiries and correspondence the user sends directly to the Company by email.

The Company does not see, does not collect, and does not store on its servers: the content of your emails, your invoices, the data extracted from them, the results of Gemini AI analysis, or your Gmail OAuth tokens. All of these are stored exclusively on your computer.

3. Service Provider Details

The Service is operated by AREA 51 LTD, Company Registration No. 517320958.

For inquiries regarding privacy, information security, or exercising rights: support@invoice-finder.com.

Mailing address: 90 Yosef Burg Street, Beer Sheva, Israel.

4. Policy Scope

This Policy applies to the Service website and use of the Service, the desktop software or any software that may replace it, the purchase and licensing process within the software, Gmail/Google and any other account connections, and all communications related to the Service directly or indirectly.

The Policy does not apply to third-party services or websites, such as Google, payment processors, hosting providers, or other infrastructure providers, which are subject to their own Terms of Service and Privacy Policies.

5. Local Use of Information

All data, including:

• Documents
• Invoices
• Files
• Financial data

are stored and processed locally, under the user's exclusive control. The Company is not exposed to such information and does not store it (except as specified in Section 2 Part C above).

6. User Responsibility

Since the information is stored locally, full responsibility for its security rests with the user.

Recommended:

• Protect the computer with a password
• Perform backups
• Use appropriate security measures

The Company shall bear no liability for loss of data, unauthorized access, or damage arising from the local environment, whether directly or indirectly.

7. Information Security

The Company does not hold user information on its servers (except as specified in Section 2 Part C above), and therefore the risk of data leakage from the Company side is substantially reduced.

Notwithstanding the foregoing, there is no guarantee of complete immunity from risks related to the user's computer.

8. Service Nature and Local-First Architecture

Invoice Finder is software intended to assist in locating, collecting, extracting, classifying, and organizing invoices, receipts, expenses, and business documents from Gmail accounts and/or any other accounts that can be connected to the Service.

The system operates in a Local-First structure, meaning that the primary database, scanning output, classifications, reports, and operational metadata are generally stored on the user's computer. That said, some functions may utilize external processing and/or third parties as detailed in this policy — for example, use of Google's artificial intelligence (AI) model for invoice identification and analysis.

9. Limitation of Liability

The Service is provided "AS IS."

The Company shall not be liable for any damage, direct or indirect, including:

• Data loss
• Errors in data processing
• Improper use of the software

10. Sensitive Information

The Service may process highly sensitive information, including financial, business, commercial, and accounting documents. For this reason, it is recommended to use the Service only on a secure computer, password-protected, with limited access, and subject to the security recommendations detailed below.

11. Processing Purposes

We use the information solely for the purpose of providing and operating the Service, including: creating a license or account, connecting and authenticating a Gmail account, locating relevant messages, identifying and classifying invoices, extracting fields from documents, searching, filtering, organizing, and displaying data within the software, providing support, troubleshooting, protecting the system, preventing misuse, and compliance with legal requirements.

12. Legal Bases for Processing

To the extent required by applicable law, processing of information is based on one or more of the following: your explicit consent; the necessity of performing the contract with you and operating the Service you requested; legitimate interest such as information security, fraud prevention, troubleshooting, and protection of our rights; and compliance with legal obligations applicable to us.

13. Gmail and Google APIs Permissions

Gmail account connection is performed through Google's OAuth authorization mechanism. We request only the permissions necessary for Service operation (primarily gmail.readonly — read-only access), and use information received through Google APIs only for providing the product's functionality.

You may revoke or disconnect the authorization at any time through the Application, where this function is available, and/or through your Google account settings (myaccount.google.com/permissions). Disconnecting the authorization may affect Service availability or some of its features.

14. What is Stored Locally and What May Be Sent to Processing Providers

Generally stored locally on the user's computer: search results, identified invoices and receipts, extracted field data, categories, tags, reports, summaries, and internal application databases.

To provide certain functions — for example OCR, document analysis, automatic field extraction, or classification — some information may be sent to external processing, such as text from a document, a PDF file, an image, relevant email content, or portions thereof.

Therefore, although the Service operates in a Local-First structure, not all processing is necessarily performed locally only.

15. Use of Artificial Intelligence (AI) and OCR

The Service may use third-party OCR and/or AI services, including Google Gemini or similar services, for text reading, field extraction from documents, document identification, classification, and conversion into structured information.

AI tools may produce partial or erroneous results, including recognition errors, omission of details, incorrect interpretation of a document, or incorrect attribution of amounts, dates, supplier names, or tax rates. Any data produced by the system requires human review before use for business, accounting, tax, or legal purposes.

16. Third Parties and Subprocessors

We may engage third parties to operate the Service, including Google OAuth, Gmail API, AI/OCR services, payment processors, website hosting providers, support providers, troubleshooting tools, and security or infrastructure services.

These parties are permitted to process information only to the extent required for providing the relevant technical service.

17. International Data Transfer

Some service providers we use may operate, process, or store information outside Israel, including in the United States, Europe, or other countries. To the extent required for Service operation, you consent that information may be transferred outside Israel, subject to reasonable protective measures and applicable law.

18. Information Security

We take reasonable and accepted measures to protect the information and the Service, including encryption where needed, secure storage of access tokens, principles of minimum privileges, authentication mechanisms, and reasonable technical and operational controls.

No computer, communications, or storage system guarantees absolute security, and therefore we cannot guarantee complete immunity from breach, intrusion, failure, disruption, or data loss.

19. User Responsibility for Local Environment Security

Since the main portion of the information is stored on your computer, the responsibility to maintain a secure work environment also rests with you. It is recommended to protect your computer with a password, update the operating system, use appropriate security software, encrypt the disk where possible, restrict physical access, and perform backups.

We are not responsible for damages caused by unauthorized access to your computer, computer theft, hacking of your user account, malware, local deletion, hardware failure, or backup failure.

20. Information Retention

Business and financial information stored locally will be retained according to your usage, initiated deletion, software removal, and local backups you manage.

We may retain with us, for the reasonable time required, licensing data, order details, support data, technical logs, error or crash data, and operational documentation needed for Service provision, security, legal compliance, and legal defense.

It is clarified that should the Company in the future expand the scope of information collected and process sensitive information beyond that specified in this Policy, the Terms of Service and Privacy Policy will be updated accordingly. In the event of a security incident, the Company will act in accordance with the reporting obligations prescribed by law.

21. Information Deletion and User Rights

You may delete information from within the Application, remove the software, disconnect your Gmail account, and delete the local database, to the extent technically supported.

To the extent we hold any personal information beyond local information, you may contact us with a request for inspection, correction, or deletion, subject to legal requirements and our ability to verify the identity of the requestor.

22. Marketing, Commercial Use, and Sale of Information

We do not sell personal information to third parties, and we do not use your email content for behavioral advertising. If we offer marketing communications in the future, this will be done separately and in accordance with the law.

23. Cookies and Similar Technologies

If the Service website uses cookies or similar technologies, they will be used for proper operation, security, traffic analysis, forms, purchase, or user experience improvement.

The desktop software itself does not generally operate using cookies like a regular website, but may use configuration files, local identifiers, or local session data.

24. Minors

The Service is not intended for children or minors under 18 years of age, and is not intended for those lacking legal capacity to enter a binding contract, except subject to parental or guardian consent and supervision and in accordance with the law.

25. Security Events

In the event of a material information security incident affecting information we hold or process directly, we will act in accordance with applicable law and reasonable professional judgment, including investigating the incident, mitigating damage, technical handling, and notifying relevant users as may be required.

26. Use of Information Received from Google APIs

Invoice Finder's use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

Specifically, information received from Google APIs will not be sold, will not be used for personalized advertising, will not be transferred to third parties except as necessary to provide the Service, and will not be used to train general AI models. Human reading of the information will occur only in defined cases: explicit user consent, security investigation, or legal obligation.

It is clarified that the Company does not make any use of information received from the customer beyond what is defined in this Privacy Policy and the Terms of Service. By using the product, the customer declares and commits that they approve the privacy policies of relevant third parties (particularly Google).

27. Policy Changes

We reserve the right to update this Privacy Policy from time to time, among other reasons due to technological, business, legal, or regulatory changes. In case of a material change, we may publish notice on the website, in the application, or by email. Continued use of the Service after publication of the update will constitute agreement to the updated version.

28. Contact

For questions, requests, or inquiries regarding privacy, personal information, and information security, you may contact us at:

Email: support@invoice-finder.com

Mailing address: 90 Yosef Burg Street, Beer Sheva, Israel.