Privacy Policy

How we collect, use, and protect your data when you use Open Supplier for invoice extraction and price comparison.

Last Updated:
Effective Date:

Important Notice

This Privacy Policy explains how Open Supplier collects, uses, stores, and protects your personal information, including data accessed from your Gmail and Outlook email accounts for invoice detection and extraction.

Gmail API Disclosure

The use of information received from Workspace APIs will adhere to the Google User Data Policy, including the Limited Use requirements.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Email address (from Google or Microsoft OAuth)
  • Name (from your Google or Microsoft profile)
  • Profile photo (optional, from OAuth provider)
  • Business information (business name, type, size, region - if provided)

1.2 Gmail Data (via Gmail API)

When you connect your Gmail account, we access the following through the Gmail API:

What We Access:

  • Email subject lines - To detect invoice keywords
  • Sender email addresses - To identify supplier emails
  • Sender names - For supplier matching
  • Email received date/time - For invoice chronology
  • Attachment metadata - Filename, file type, file size of PDFs
  • PDF invoice attachments - Downloaded for data extraction
  • Limited email body scanning - To detect invoice numbers and amounts using keyword matching

Gmail API Permissions Explained:

We request gmail.modify permission, which includes both READ and WRITE capabilities:

Why We Need This Permission (Critical for Invoice Detection):

  • Access emails in ALL folders and labels - Many users have auto-archive rules or folder organization that moves supplier emails out of the Inbox. We need to scan these folders to find your invoices.
  • Read archived emails - If your email client automatically archives certain senders (common for corporate accounts), we need access beyond just the Inbox.
  • Access labeled emails - Gmail users often auto-label supplier emails. We need to read emails with custom labels to detect invoices.
  • Search across your entire mailbox - Invoices might be in "Finance", "Receipts", "Accounts Payable", or any custom folder you've created.

What We Also Can Do (Optional Features You Can Enable):

  • Organize processed invoices - Move extracted invoices to an "OpenSupplier/Processed" label for easy tracking
  • Mark invoices as processed - Optionally mark invoices as read after extraction (you control this in Settings)
  • Add tracking labels - Label invoices we've successfully processed (e.g., "Extracted", "Price Compared")

What We NEVER Do (Even Though the Permission Allows It):

  • Send emails on your behalf - gmail.modify technically allows this, but our code NEVER uses this capability
  • Delete or trash emails - We only read and organize; we never delete your data
  • Modify email content - Emails are read-only; we cannot change the text of your messages
  • Access non-invoice emails - We only process emails matching invoice keywords/patterns

Technical Note

Google's permission system doesn't have a "read all folders but don't write" scope. The closest permission is gmail.modify, which allows both reading across all folders AND organizing emails. We request this permission primarily for comprehensive folder access, with organization features as optional add-ons you control.

What We Do NOT Access:

  • Full email body content (not stored - only scanned for keywords)
  • Email recipients or CC/BCC fields
  • Gmail settings or configurations
  • Google Calendar, Drive, Contacts, or other Google services

How We Use Gmail Data:

  1. Invoice Detection: Identify emails containing invoices based on keywords, sender patterns, and PDF attachments
  2. Data Extraction: Extract invoice data (supplier name, invoice number, date, line items, amounts) from PDFs
  3. Price Comparison: Enable you to compare your prices against anonymized market benchmarks
  4. Automation: Automatically process invoices from whitelisted senders (if you enable this feature)

What We Do NOT Do with Gmail Data

  • Sell or share your Gmail data with third parties, advertisers, or data brokers
  • Use for advertising or interest-based marketing
  • Use for credit decisions or lending purposes
  • Train AI models on your raw email content without explicit opt-in consent
  • Allow human access to your emails except for abuse, fraud, or security investigations as required by law
  • Transfer to third parties except to service providers under strict confidentiality (e.g., Supabase for hosting)

1.2.1 Delegated Mailboxes and Google Groups

Shared Email Access in Gmail:

Gmail's gmail.modify permission allows us to access emails in:

1. Your Personal Mailbox

Your primary Gmail address (e.g., manager@restaurant.com)

2. Delegated Mailboxes (If You Have Delegate Access)

  • Mailboxes where the owner has granted you delegate permissions
  • Example: Restaurant owner grants manager delegate access to owner@restaurant.com
  • You can access these mailboxes because Google has already authorized you

3. Google Groups / Collaborative Inboxes (If You're a Member)

  • Shared team inboxes (e.g., accounts@restaurant.com, info@yourcafe.com)
  • Only if you're a member of the Google Group
  • Common for businesses using Google Workspace

How This Works

  • When you connect Gmail to OpenSupplier, we can access ANY mailbox you have legitimate access to
  • This includes personal mailboxes you've been delegated access to
  • This includes Google Groups/collaborative inboxes you're a member of
  • We CANNOT access mailboxes you don't have permission to view

Why This Is Essential:

Many hospitality businesses use:

  • Shared Google Group inboxes for supplier invoices (accounts@, finance@)
  • Delegated access so managers can process invoices from multiple locations
  • Collaborative inboxes for centralized invoice management

Example Scenario

You (manager@restaurant.com) have delegate access to:

  • owner@restaurant.com (delegated mailbox)
  • accounts@restaurant.com (Google Group member)
  • invoices@restaurant.com (Google Group member)

When you connect Gmail to OpenSupplier:

  • ✅ We can scan all 4 mailboxes for invoices
  • ✅ You choose which mailboxes to monitor in Settings
  • ✅ Invoices from all mailboxes appear in YOUR OpenSupplier account

What We Access:

  • Only mailboxes you have Google-authorized access to
  • Only emails matching invoice detection criteria
  • Only Google Groups you're a member of

What We Do NOT Access:

  • Mailboxes you don't have delegate access to
  • Other team members' personal mailboxes (unless they delegate to you)
  • Google Groups you're not a member of
  • Mailboxes outside your domain/organization

User Control:

  • Choose which delegated mailboxes to scan in Settings → Connected Mailboxes
  • Disable specific Google Group monitoring
  • Revoke delegate access in Gmail settings → Google will automatically block our access

Privacy & Security:

  • We only access mailboxes Google allows you to access
  • Cannot bypass Google's permission system
  • Extracted invoices are private to YOUR OpenSupplier account
  • Other Google Group members cannot see your extracted data in OpenSupplier

Technical Note

Unlike Microsoft (which requires separate .Shared permissions), Gmail bundles delegated and shared mailbox access into the standard gmail.modify permission. This is Google's design - we cannot request "personal only" or "shared only" access separately.

1.3 Outlook/Microsoft Data (via Microsoft Graph API)

When you connect your Outlook account, we access the following through the Microsoft Graph API:

Microsoft Graph API Permissions Explained:

We request these permissions:

  • openid, email, profile - For authentication
  • offline_access - To maintain access when you're not actively using the app (refresh tokens for background processing)
  • Mail.Read - To read email messages in your mailbox
  • Mail.ReadWrite - To access folders beyond Inbox and organize processed invoices

Why We Need Mail.ReadWrite (Not Just Mail.Read):

Critical READ Capabilities:

  • Access emails in ALL folders - Corporate Outlook users often have:
    • Auto-file rules (IT department moves invoices to "Finance/Invoices")
    • Shared mailbox folders (e.g., "accounts@company.com/Pending")
    • Archive folders (auto-archive after 30 days)
    • Department folders (Finance, Operations, Purchasing)
  • Read from shared mailboxes - Many businesses use shared inboxes for supplier communications
  • Search across folder structure - Find invoices regardless of where they've been filed
  • Access archived emails - Retrieve invoices that have been auto-archived

Optional WRITE Capabilities (You Control in Settings):

  • Move processed invoices - Create/use an "Invoices" folder to organize extracted invoices
  • Mark as processed - Optionally mark invoices as read after extraction
  • Create subfolders - Organize by supplier or date (e.g., "Invoices/Sysco", "Invoices/2025")

What We Access:

  • Email message headers (subject, sender, date)
  • Sender and recipient email addresses
  • Email body content (keyword scanning only for invoice detection)
  • Attachment file names and metadata
  • PDF invoice attachments
  • Emails across all folders (not just Inbox)

What We Do NOT Access:

  • Calendar events, appointments, or meetings
  • Contacts or address books
  • OneDrive files or SharePoint documents
  • Teams messages or channels
  • Outlook settings, rules, or configurations
  • Emails outside your designated folders (based on your automation settings)

What We NEVER Do (Even Though the Permission Allows It):

  • Send emails on your behalf - Our code does not use send capabilities
  • Delete emails permanently - We only read and organize; never delete
  • Share your emails - Your email content stays private to your account
  • Access personal emails - We only process business invoices matching detection criteria

Why Microsoft Requires Mail.ReadWrite for Folders

Microsoft's permission model requires Mail.ReadWrite to access folders beyond the Inbox. Unlike Gmail (which has granular folder permissions), Microsoft's Mail.Read permission is limited to the Inbox only. This is a Microsoft design decision, not OpenSupplier's choice.

Your Control:

Microsoft Authentication

We use Microsoft Authentication Library (MSAL) for secure authentication. Your Microsoft password is never seen or stored by Open Supplier. We store only:

  • Your Microsoft user ID (encrypted)
  • Access token (valid for approximately 1 hour, encrypted)
  • Refresh token (for offline access when you're not actively using the app, encrypted)

1.3.1 Shared Mailbox Access (Business Accounts)

Why We Request Shared Mailbox Permissions:

Many hospitality businesses use shared email addresses for supplier communications:

  • accounts@yourrestaurant.com - For invoices and payments
  • finance@yourrestaurant.com - For financial documents
  • info@yourcafe.com - General business inquiries (includes supplier emails)
  • orders@yourrestaurant.com - For order confirmations and invoices

Permissions Required:

  • Mail.Read.Shared - Read emails in shared/delegated mailboxes
  • Mail.ReadWrite.Shared - Organize emails in shared mailboxes (move to folders, mark as read)

What This Means:

  • If you grant OpenSupplier access to your personal Outlook account (e.g., manager@restaurant.com)
  • AND you have delegated access to shared mailboxes (e.g., accounts@restaurant.com)
  • We can detect invoices in BOTH your personal mailbox AND shared mailboxes you have permission to access

What We Access:

  • Shared mailboxes you explicitly delegate to us
  • Only emails matching invoice detection criteria (subject keywords, PDF attachments)
  • Team inboxes where suppliers send invoices

What We Do NOT Access:

  • Shared mailboxes you haven't given us permission to access
  • Other team members' personal mailboxes
  • Shared calendars, contacts, or OneDrive files
  • Mailboxes outside your organization

Example Scenario

Restaurant setup:

  • You log in as: manager@restaurant.com (your personal account)
  • You have delegate access to: accounts@restaurant.com (shared mailbox)
  • Sysco sends invoices to: accounts@restaurant.com

When you connect Outlook to OpenSupplier:

  • ✅ We can detect Sysco invoices in the shared mailbox
  • ✅ Invoices appear in YOUR OpenSupplier dashboard
  • ✅ Other team members with access to accounts@ don't see your OpenSupplier data

User Control:

  • You choose which shared mailboxes to connect (select during OAuth flow)
  • Disable shared mailbox scanning in Settings → Automation
  • Revoke access to specific mailboxes at any time

Why This Is Essential:

Most hospitality businesses receive supplier invoices at shared email addresses, not personal ones. Without shared mailbox access, OpenSupplier would miss 60-80% of your invoices.

Privacy Note

  • We only access shared mailboxes you have legitimate access to (delegated by admin)
  • Microsoft enforces permission checks - we cannot access mailboxes you don't have rights to
  • Shared mailbox data is subject to the same privacy protections as personal mailbox data
  • Extracted invoices are linked to YOUR account, not shared with other mailbox users

1.4 Extracted Invoice Data

From detected invoices (Gmail or Outlook), we extract and store:

  • Supplier/vendor name
  • Invoice number
  • Invoice date and due date
  • Line items (product descriptions, quantities, unit prices)
  • Subtotals, tax amounts, and total amount
  • Currency (default: AUD)
  • PDF file (stored encrypted in Supabase Storage)

1.5 Usage and Analytics Data

We collect:

  • IP address and browser type (for security and fraud prevention)
  • Pages visited and features used (aggregated analytics only)
  • Automation preferences (manual, semi-automatic, automatic)
  • Whitelisted/blacklisted sender preferences

1.6 Cookies and Tracking

We use essential cookies for:

  • Session management - To keep you logged in
  • Authentication - OAuth state management
  • Preferences - Remember your automation settings

We do NOT use third-party advertising cookies or tracking pixels.

2. How We Use Your Information

2.1 Primary Purposes

  • Invoice Processing: Detect, extract, and organize your invoice data
  • Price Comparison: Enable you to compare your pricing against anonymized market benchmarks (aggregated from minimum 5 venues)
  • Savings Opportunities: Identify potential cost savings based on market data
  • Group Buying: Facilitate group buying opportunities (requires separate opt-in consent)
  • Account Management: Maintain your account, preferences, and settings
  • Customer Support: Respond to your inquiries and provide technical support

2.2 Legal Basis for Processing (GDPR)

We process your data based on:

  • Consent: You explicitly authorize us to access your Gmail/Outlook data during OAuth flow
  • Contract Performance: Processing is necessary to provide the invoice extraction service you requested
  • Legitimate Interests: Fraud prevention, security monitoring, platform improvement (where not overridden by your rights)

2.3 What We Do NOT Do

  • Sell your data to advertisers, marketers, or data brokers
  • Share individual invoices with competitors or other users (aggregated only, minimum 5 venues)
  • Use for marketing without your separate opt-in consent
  • Share with third parties except service providers under confidentiality agreements
  • Train AI models on your raw invoice data without explicit consent

3. Data Sharing and Disclosure

3.1 We Do NOT Share Individual Data

Your individual invoice data, email metadata, and pricing information are NEVER shared with:

  • Competitors or other hospitality businesses
  • Third-party marketers or advertisers
  • Data brokers
  • Suppliers (unless you explicitly join a group buying program)

3.2 Anonymized Aggregated Data

We DO share anonymized, aggregated data for benchmarks:

  • Minimum 5 venues required for any aggregate statistic
  • Broad regions only (e.g., "Southwest WA", not specific addresses)
  • No identifying information (business names removed)
  • Price ranges (e.g., "$22-$32 for coffee beans") not individual prices

Example

"Cafes in Southwest WA (5-10 staff) pay $22-$32 for coffee beans (sample size: 12 venues)" — No individual cafe is identifiable.

3.3 Service Providers

We share data with trusted service providers under strict confidentiality agreements:

  • Supabase (Hosting & Database): Stores encrypted user data and invoices (US/EU regions, GDPR-compliant)
  • Vercel (Web Hosting): Hosts our Next.js application (GDPR-compliant)
  • Google & Microsoft: Authentication providers (they already have your email data)

Sub-processor List: Available upon request at privacy@opensupplier.app

3.4 Legal Requirements

We may disclose your information if required by law:

  • Court orders or subpoenas
  • Government investigations or regulatory requests
  • To protect our legal rights or defend against claims
  • To prevent fraud, abuse, or security incidents

3.5 Business Transfers

If Open Supplier is acquired or merged with another company, your data may be transferred. We will notify you via email and provide an option to delete your data before the transfer.

4. Data Retention and Deletion

4.1 How Long We Keep Your Data

Data Type                              | Retention Period                  | Reason
Account information                    | Until account deletion            | Service provision
Email metadata (subject, sender, date) | 90 days                           | Invoice detection history
Invoice PDFs and extracted data        | 7 years                           | Australian tax law compliance
Anonymized benchmarks                  | Indefinite                        | No user linkage (anonymized)
Audit logs (access, security)          | 90 days                           | Security and compliance
OAuth tokens (Gmail, Outlook)          | Until revoked or account deleted  | Automated invoice processing

4.2 Your Right to Delete Data

Individual Invoice Deletion:

  • Delete any invoice at any time from your Dashboard
  • Deleted invoices are removed from your account within 24 hours
  • PDFs are permanently deleted from Supabase Storage within 7 days

Full Account Deletion:

To request complete account deletion:

  1. Email privacy@opensupplier.app with subject "Account Deletion Request"
  2. We will verify your identity (for security)
  3. Within 30 days, we will:
    • Delete all your invoices and invoice data
    • Delete all email metadata
    • Remove your account and profile information
    • Revoke OAuth tokens (Gmail and Outlook access)
    • Delete PDFs from Supabase Storage
    • Anonymize any aggregated benchmarks (remove user linkage)
  4. We will send you a confirmation email when deletion is complete

Note

Some data may be retained for legal compliance:

  • Audit logs for security investigations (up to 90 days)
  • Financial records if required by Australian tax law (7 years)
  • Anonymized aggregated benchmarks (no longer linked to you)

4.3 Inactive Account Deletion

If your account is inactive for 2 years:

  1. We will send you an email warning 30 days before deletion
  2. If you do not log in within 30 days, your account will be automatically deleted
  3. To prevent deletion, simply log in during the 30-day grace period

5. Your Rights

5.1 Australian Privacy Act Rights

Under the Australian Privacy Act 1988, you have the right to:

  • Access: Request a copy of your personal information (free of charge)
  • Correction: Request correction of inaccurate or outdated information
  • Complaint: Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at 1300 363 992 or www.oaic.gov.au

5.2 GDPR Rights (EU Residents)

If you are in the European Union, you have additional rights under GDPR:

  • Right to Access (Article 15): Request a copy of your data
  • Right to Rectification (Article 16): Request correction of inaccurate data
  • Right to Erasure (Article 17): Request deletion ("right to be forgotten")
  • Right to Data Portability (Article 20): Receive your data in machine-readable format (JSON/CSV)
  • Right to Object (Article 21): Object to automated decision-making or profiling
  • Right to Restrict Processing (Article 18): Request temporary suspension of data processing
  • Right to Withdraw Consent: Revoke Gmail/Outlook access at any time

How to Exercise GDPR Rights

Email privacy@opensupplier.app with your request. We will respond within 30 days.

5.3 CCPA Rights (California Residents)

If you are a California resident, you have rights under CCPA:

  • Right to Know: Request disclosure of data collected in the last 12 months
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out of Sale: We do NOT sell your data, but you can opt-out via the "Do Not Sell My Personal Information" link in our footer
  • Right to Non-Discrimination: We will not discriminate against you for exercising your rights

California Disclosure Categories:

Category               | Examples                   | Shared?
Identifiers            | Email, name                | No
Commercial information | Invoices, purchase history | Aggregated only (min 5)
Internet activity      | Pages visited, IP address  | No

5.4 Revoking Email Access

Revoke Gmail Access:

  1. Go to Google Account Permissions
  2. Find "Open Supplier" in the list
  3. Click "Remove Access"

This will immediately stop our app from accessing your Gmail. Extracted invoices will remain in your Open Supplier account unless you delete them.

Revoke Outlook Access:

  1. Go to Microsoft Apps & Services
  2. Find "Open Supplier" in the list
  3. Click "Remove" or "Revoke permissions"

6. Security Measures

6.1 How We Protect Your Data

Encryption:

  • In Transit: All data transmitted using HTTPS/TLS 1.3 encryption (SSL certificates)
  • At Rest: All data stored in Supabase with AES-256 encryption
  • OAuth Tokens: Access tokens and refresh tokens stored encrypted
  • Invoice PDFs: Stored encrypted in Supabase Storage with access controls

Access Controls:

  • Row Level Security (RLS): Database policies ensure users can only access their own data
  • Role-Based Access: Staff access limited to necessary functions only
  • Audit Logging: All data access logged for security monitoring

Infrastructure Security:

  • Supabase PostgreSQL with built-in security features
  • Vercel deployment with DDoS protection
  • Regular security updates and patching
  • Annual security assessments (Google CASA Tier 2 required for Gmail API)

No Absolute Security Guarantee

While we implement industry-standard security measures, no system is 100% secure. We cannot guarantee absolute security against all potential threats (e.g., sophisticated nation-state attacks, zero-day exploits). You use the service at your own risk.

6.3 Data Breach Notification

In the event of a data breach affecting your personal information:

  • We will notify you within 72 hours (GDPR requirement)
  • We will notify the OAIC and relevant authorities as required by law
  • We will provide details of the breach, data affected, and remediation steps
  • We will offer credit monitoring or other assistance if appropriate

Report security vulnerabilities to: security@opensupplier.app

7. Automation and User Control

7.1 Automation Levels

You control how Open Supplier processes your emails through three automation modes:

  1. Manual Mode (Default):
    • You must manually click "Send to Open Supplier" for each invoice
    • No automatic processing
    • Maximum control, lowest automation
  2. Semi-Automatic Mode:
    • App detects invoices and asks "Send this invoice?"
    • You approve or reject each one
    • Balance of automation and control
  3. Automatic Mode:
    • App automatically processes invoices from whitelisted senders only
    • You manage your whitelist of trusted suppliers
    • Highest automation, least manual intervention

You can change your automation level at any time in Settings.

7.2 Whitelist/Blacklist Management

  • Whitelist: Suppliers you trust for automatic processing (only in Automatic mode)
  • Blacklist: Senders to never process (ignored even if keywords match)
  • You have full control over these lists

7.3 Disabling the Add-on

To stop invoice detection entirely:

  • Gmail: Remove the add-on from Gmail settings
  • Outlook: Disable the add-in from Outlook settings
  • Web App: Revoke OAuth access (see Section 5.4)

8. International Data Transfers

8.1 Where Your Data is Stored

Open Supplier is based in Australia. Your data is stored in:

  • Supabase: Cloud infrastructure (US or EU regions depending on configuration)
  • Vercel: Web hosting (globally distributed CDN)

8.2 Data Transfers Outside Australia

If you are in Australia, your data may be transferred to:

  • United States (Supabase, Vercel)
  • European Union (Supabase EU region if configured)

Safeguards

  • Supabase and Vercel are GDPR-compliant and use Standard Contractual Clauses (SCCs)
  • All data encrypted in transit and at rest
  • We do not transfer data to countries without adequate data protection laws

8.3 GDPR Compliance for EU Transfers

If you are in the EU:

  • We rely on Standard Contractual Clauses (SCCs) for transfers to the US
  • We ensure service providers implement appropriate technical and organizational measures
  • You have the right to object to transfers (contact privacy@opensupplier.app)

9. Children's Privacy

Open Supplier is not intended for children under 18. We do not knowingly collect data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at privacy@opensupplier.app and we will delete it promptly.

10. Changes to This Privacy Policy

10.1 How We Notify You

We may update this Privacy Policy from time to time. If we make material changes:

  • We will update the "Last Updated" date at the top
  • We will notify you via email at least 30 days before changes take effect
  • For Gmail/Outlook data usage changes, we will request new consent

10.2 Your Options When We Update

If you do not agree with the updated policy:

  • You may delete your account before the effective date
  • You may revoke Gmail/Outlook access
  • Continued use after the effective date constitutes acceptance

12. Contact Us

Privacy Inquiries:

Email: privacy@opensupplier.app
Mail: Open Supplier, [Your Business Address], Australia

Data Protection Officer (DPO):

If required under GDPR, our DPO can be reached at dpo@opensupplier.app

Regulatory Authorities:

13. Policy Versions and History

Version | Date              | Changes
1.0     | December 28, 2025 | Initial Privacy Policy

Summary (Not Legal Advice)

  • We access your Gmail/Outlook only to detect and extract invoice data
  • We do not read your personal emails or non-invoice content
  • We do not sell your data to anyone
  • You can delete your data or revoke access at any time
  • We comply with Australian Privacy Act, GDPR, CCPA, and Google/Microsoft policies
  • Questions? Email privacy@opensupplier.app

This Privacy Policy was last reviewed and approved on December 28, 2025. For the most current version, visit https://opensupplier.app/privacy