1 Who We Are
InvoicePro is a software-as-a-service (SaaS) product developed and operated by Yaab LLC, a company headquartered in Guatemala. Our website is invoicepro365.com and our company site is yaab.com.gt.
InvoicePro provides retail stores and businesses with an automated invoice processing platform, including AI-powered product extraction, UPC barcode resolution, and Google Sheets integration. By using our platform, you agree to the data practices described in this Privacy Policy.
For the purposes of applicable data protection laws, Yaab LLC acts as the data controller for information we collect about you when you use InvoicePro.
2 Data We Collect
Account Information
When you register for an InvoicePro account, we collect:
- Full name and email address
- Password (stored as a cryptographic hash — we never store plain-text passwords)
- Store name and business information you provide
- Google account identifier (only if you connect via Google OAuth)
- Account creation date and last activity timestamps
Billing Information
InvoicePro uses Stripe to process all subscription payments and manage billing. We do not store your credit card numbers, CVV codes, or full payment card details on our servers. Instead:
- Stripe collects and securely stores your payment method details
- We store your Stripe Customer ID, subscription plan, billing status, and invoice history on our servers
- Trial start and end dates are stored to manage your free trial period
Invoice Data and Images
When you upload an invoice through InvoicePro, we collect and store:
- The original invoice image or document you upload
- Extracted data including product names, descriptions, quantities, prices, and totals
- UPC barcode values and resolution status for each line item
- Invoice processing status, timestamps, and metadata
- Your store's product memory (confirmed UPC-to-product mappings)
Google Integration Data
If you connect your Google account to enable Google Sheets export, we collect and store:
- OAuth access token and refresh token (encrypted at rest) from Google
- Token expiry date and granted permission scopes
- Your selected Google Spreadsheet ID and sheet configuration
We request only the minimum permissions required: spreadsheets (read/write your spreadsheets) and drive.file (access files created by InvoicePro). We do not access your Gmail, contacts, calendar, or any other Google data.
Usage and Technical Logs
We automatically collect technical information when you use the platform, including:
- IP address and approximate geographic location (country/region)
- Browser type, operating system, and device type
- Pages visited, features used, and interaction timestamps
- API request logs and error reports
- Session data and authentication events (logins, logouts, token refreshes)
3 How We Use Your Data
We use the data we collect for the following purposes:
- Service delivery: Providing invoice processing, UPC resolution, and Google Sheets export functionality
- Account management: Creating and managing your account, authenticating your identity, and maintaining your session securely
- Billing and subscriptions: Managing your subscription plan, processing payments through Stripe, and sending billing receipts
- Product improvement: Analyzing usage patterns to improve accuracy, performance, and user experience
- Security and fraud prevention: Detecting and preventing unauthorized access, abuse, and fraudulent activity
- Customer support: Responding to your questions, troubleshooting issues, and providing technical assistance
- Legal compliance: Complying with applicable laws and regulations, and responding to lawful requests
- Communications: Sending you account-related emails such as email verification, password resets, and important service notifications
We do not sell your personal data. We do not use your data for advertising or share it with data brokers.
4 Data Retention
We retain your data for as long as your account is active or as needed to provide services:
- Account data: Retained for the lifetime of your account. Upon account deletion, personal identifiers are removed within 30 days.
- Invoice data and images: Retained for the duration of your active subscription. After account deletion, invoice data is purged within 60 days.
- Billing records: Retained for a minimum of 7 years to comply with financial and tax record-keeping requirements.
- Authentication logs: Session tokens expire automatically (access tokens: 15 minutes; refresh tokens: 30 days). Log records are retained for up to 90 days.
- Google OAuth tokens: Deleted immediately upon disconnecting your Google account from InvoicePro.
- Product memory (UPC mappings): Retained for the lifetime of your store. You may request deletion at any time.
5 Third-Party Services
InvoicePro integrates with the following third-party services to deliver its functionality:
Stripe (Payment Processing)
We use Stripe to securely handle all subscription billing and payment processing. Stripe is PCI-DSS compliant. Your payment card data is transmitted directly to Stripe and never passes through our servers. See Stripe's Privacy Policy for details.
Google APIs (Sheets Integration)
When you connect your Google account, we use Google's OAuth 2.0 system and the Google Sheets API to write invoice data to your spreadsheets. Your tokens are stored encrypted on our servers. See Google's Privacy Policy for details. InvoicePro's use of Google APIs complies with Google's API Services User Data Policy, including the Limited Use requirements.
AI / OCR Services (Invoice Extraction)
Invoice images you upload may be processed by AI and optical character recognition (OCR) services to extract product data. These services process your invoice images under strict data processing agreements and do not use your data to train their models beyond the scope of service delivery.
Cloud Hosting and Infrastructure
InvoicePro is hosted on cloud infrastructure. Data is stored in secured, encrypted databases. All data in transit is encrypted via TLS/HTTPS. Our infrastructure providers operate under data processing agreements with appropriate safeguards.
Automation (Make.com / Webhook Processing)
InvoicePro uses webhook-based automation to process invoice extraction results asynchronously. This integration is server-to-server only and does not expose your personal data to third parties beyond what is necessary for service delivery.
6 Data Sharing
We do not sell, trade, or rent your personal data to third parties. We may share your information only in the following limited circumstances:
- Service providers: With trusted third-party vendors (Stripe, Google, hosting providers) solely to deliver the InvoicePro service, under data processing agreements
- Legal requirements: When required by law, court order, or governmental authority in the applicable jurisdiction
- Business transfers: In connection with a merger, acquisition, or sale of all or part of our business, subject to confidentiality obligations
- Safety and security: To protect the rights, property, or safety of InvoicePro, our users, or the public
- With your explicit consent: In any other case where you have specifically authorized us to share your information
7 Cookies and Sessions
InvoicePro uses a minimal set of cookies and browser storage to maintain your session and preferences:
- Authentication cookie (
ip_refresh): An HttpOnly, Secure, SameSite=Lax cookie that stores your encrypted session refresh token. This cookie is strictly necessary for keeping you logged in and cannot be disabled without logging out. It expires after 30 days of inactivity.
- Session state (localStorage): We store your access token, store preferences, and UI state in your browser's localStorage for the duration of your session.
- No tracking or advertising cookies: We do not use Google Analytics, Facebook Pixel, or any third-party advertising or tracking cookies.
8 Data Security
We take the security of your data seriously and implement the following safeguards:
- All data in transit is encrypted using TLS 1.2 or higher (HTTPS enforced)
- Passwords are hashed using bcrypt with a cost factor of 12 — they are never stored in plain text
- Session tokens are cryptographically random, hashed before storage, and rotated on each use
- Google OAuth tokens are stored encrypted at rest
- Authentication rate limiting is applied to prevent brute-force attacks
- Database access is restricted to application-layer connections with least-privilege credentials
- Regular security reviews and dependency audits are performed
No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your data using commercially reasonable means, we cannot guarantee absolute security.
9 Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your account and associated data (subject to legal retention requirements)
- Data portability: Request your data in a structured, machine-readable format
- Objection: Object to processing of your data in certain circumstances
- Google disconnection: Disconnect your Google account at any time from Settings → Integrations; this immediately revokes our access to your Google tokens
To exercise any of these rights, please contact us at the address below. We will respond within 30 days.
If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA). If you are in the European Economic Area, you may have rights under the General Data Protection Regulation (GDPR).
10 Contact Us
If you have questions, concerns, or requests related to this Privacy Policy or your personal data, please contact us:
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes via email or a prominent notice on the platform. The effective date at the top of this page indicates when the policy was last updated.