Privacy Policy

How we collect, use, and protect your personal data.

Version: 1.0 | Last Updated: May 2024 | Effective Date: May 2024

Compliance: GDPR (EU) & CCPA (California, USA)

1. Introduction

EndEntry ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our invoice normalization service ("Service").

This Privacy Policy applies to all users of EndEntry and complies with:

  • General Data Protection Regulation (GDPR) - EU
  • California Consumer Privacy Act (CCPA) - California, USA
  • Other applicable data protection laws

By using our Service, you consent to the data practices described in this Privacy Policy.

2. Data Controller

EndEntry is the data controller responsible for your personal data.

Contact Information:
Email: privacy@endentry.com

For privacy inquiries, data rights requests, or concerns, please contact us at the email above.

3. Data We Collect

3.1 Account Information

When you register for an account, we collect:

  • Email address - For account identification and communication
  • Password - Stored as a cryptographic hash (we never store plain text passwords)
  • Age verification - Confirmation that you are 18 years or older (we do not store your birthdate)
  • Registration date - When you created your account
  • IP address - Recorded at registration for security and consent tracking as well as abuse monitoring

3.2 Consent Records

We maintain records of your consent to our Terms of Service and Privacy Policy:

  • Consent timestamp - When you agreed to our terms
  • Terms version - Which version of Terms of Service you agreed to
  • Privacy Policy version - Which version of Privacy Policy you agreed to
  • IP address - Where consent was given
  • User agent - Browser information at time of consent

3.3 Invoice Data

When you use our Service to process invoices, we collect:

  • Invoice files - PDF or CSV files you upload
  • File metadata - Filename, file size, upload date
  • Processing results - Normalized CSV output files
  • Job status - Processing status (pending, completed, failed)

3.4 Usage Data

We track your usage of the Service:

  • Invoice processing count - Number of invoices processed per month
  • Processing dates - When invoices were processed
  • Feature usage - Which features you use

3.5 Billing Information

For paid subscriptions, we collect:

  • Subscription plan - Which plan you're subscribed to (Starter, Growth, Pro)
  • Subscription status - Active, cancelled, past due
  • Payment information - Processed and stored by Stripe (see Subprocessors section)

3.6 Technical Data

We automatically collect:

  • Authentication tokens - JWT tokens for session management
  • API request logs - For debugging and security monitoring
  • Error logs - To identify and fix technical issues

3.7 Data We Do NOT Collect

We do not collect:

  • Social media profiles
  • Browsing history outside our Service
  • Location data beyond IP address
  • Biometric data
  • Health information
  • Financial account numbers (handled by Stripe)

4. How We Use Your Data

4.1 Service Provision

We use your data to:

  • Create and manage your account
  • Authenticate you when you log in
  • Process your invoice files
  • Generate normalized CSV outputs
  • Track your usage against subscription limits
  • Provide customer support

4.2 Billing and Payments

We use your data to:

  • Process subscription payments
  • Send billing receipts
  • Manage subscription status
  • Handle refunds if applicable

4.3 Communication

We use your email address to:

  • Send account-related notifications
  • Provide password reset functionality
  • Send billing receipts
  • Notify you of service updates or changes
  • Respond to your support requests

We do NOT use your email for marketing without explicit consent.

4.4 AI Training

We do not use your uploaded invoices, processed data, or metadata to train, tune, or improve third-party Large Language Models (LLMs). All AI-driven normalization occurs within a Zero-Egress environment, meaning your data remains within our secure perimeter and is never shared with AI providers for model development.

5. Data Storage and Security

5.1 Where We Store Your Data

Your data is stored in:

  • United States - Our architecture supports localized data residency. Firm-level requests for dedicated EU-Region storage (AWS Frankfurt/Ireland) are available for Enterprise-tier customers.
  • European Union - Available upon request for EU customers

5.2 How We Store Your Data

  • Database - PostgreSQL database hosted on AWS RDS
  • File Storage - Amazon S3 for invoice files and outputs
  • Backups - Automated daily backups retained for 30 days

5.3 Security Measures

We implement industry-standard security measures:

  • Encryption in transit - All data transmitted over HTTPS/TLS
  • Encryption at rest - Database and S3 files encrypted
  • Password security - Passwords hashed using bcrypt
  • Access controls - Least-privilege access to systems
  • Authentication - JWT tokens with expiration
  • Monitoring - Automated security monitoring and alerts
  • Regular updates - Security patches applied promptly

5.4 Security Limitations

No system is 100% secure. While we implement reasonable security measures, we cannot guarantee absolute security. You acknowledge the inherent risks of internet-based services.

6. Data Sharing and Subprocessors

6.1 We Do NOT Sell Your Data

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

6.2 Subprocessors

We use the following third-party service providers ("subprocessors") to operate our Service:

Amazon Web Services (AWS)

  • Purpose: Infrastructure, database hosting, file storage
  • Data Processed: All user data (account info, files, database records)
  • Location: United States
  • Privacy Policy: aws.amazon.com/privacy
  • Note: We own and operate all infrastructure on our dedicated AWS account. Your data is processed solely to deliver fast, reliable results. We never sell, share, or monetize your data in any way.

Stripe, Inc.

  • Purpose: Payment processing and subscription billing
  • Data Processed: Payment information, billing details, subscription status
  • Location: United States
  • Privacy Policy: stripe.com/privacy
  • Note: Stripe is PCI-DSS compliant. We do not store credit card numbers.

Mailgun

  • Purpose: Transactional email delivery
  • Data Processed: Email addresses, email content (account notifications, receipts)
  • Location: United States
  • Privacy Policy: aws.amazon.com/privacy

6.3 Internal Access

Access to raw invoice data by our technical staff is strictly limited to troubleshooting failed processing jobs and is governed by internal 'Least Privilege' protocols. All such access is logged and audited.

7. Data Retention

7.1 Retention Periods

We retain your data for the following periods:

Data Type | Retention Period | Reason
User account data | Until account deletion | Service provision
Consent records | Until account deletion | Legal compliance
Invoice files (uploads) | 90 days (active access), then archived up to 7 years or indefinitely depending on plan (unless deletion is requested by the User or required by applicable law) | Service provision, audit compliance
Processed outputs | 90 days (active access), then archived up to 7 years or indefinitely depending on plan (unless deletion is requested by the User or required by applicable law) | Service provision, audit compliance
Audit logs (normalization trail) | 7 years (Starter/Growth) or indefinitely (Pro/Enterprise) (unless deletion is requested by the User or required by applicable law) | Audit compliance, data integrity
Usage records | 2 years | Analytics, compliance
Billing records | 7 years | Tax compliance
Failed invoice jobs | 30 days | Debugging

Archive Vault: After the 90-day active access window, original invoice files, processed outputs, and audit logs are moved to encrypted long-term archival storage. Starter and Growth plans retain archived data for 7 years. Pro and Enterprise plans retain archived data indefinitely. Archived data remains retrievable for audit and compliance purposes.

7.2 Automated Deletion

We automatically delete data when retention periods expire:

  • S3 lifecycle policies - Automatically delete old files
  • Scheduled cleanup - Database records deleted on schedule

7.3 Account Deletion

When you delete your account:

  • User account data deleted immediately
  • Consent records deleted immediately
  • Invoice files deleted immediately
  • Processed outputs deleted immediately
  • Usage records deleted immediately
  • Billing records retained for 7 years (tax compliance requirement)

8. Your Data Rights

8.1 GDPR Rights (EU Users)

If you are in the European Union, you have the following rights:

Right of Access (Article 15)

  • You can request a copy of all personal data we hold about you
  • Use the "Export My Data" feature in account settings
  • Receive data in JSON format within 24 hours

Right to Rectification (Article 16)

  • You can update your account information at any time
  • Contact us to correct inaccurate data

Right to Erasure / "Right to be Forgotten" (Article 17)

  • You can delete your account and all personal data
  • Use the "Delete Account" feature in account settings
  • Deletion completed within 30 days

Right to Data Portability (Article 20)

  • You can export your data in machine-readable format (JSON)
  • Use the "Export My Data" feature

Right to Object (Article 21)

  • You can object to processing of your data
  • Contact us to exercise this right

Right to Restrict Processing (Article 18)

  • You can request we limit how we process your data
  • Contact us to exercise this right

8.2 CCPA Rights (California Users)

If you are a California resident, you have the following rights:

Right to Know

  • You can request what personal information we collect, use, and share
  • Use the "Export My Data" feature

Right to Delete

  • You can request deletion of your personal information
  • Use the "Delete Account" feature

Right to Opt-Out

  • We do not sell personal information, so opt-out is not applicable

Right to Non-Discrimination

  • We will not discriminate against you for exercising your rights

8.3 How to Exercise Your Rights

Data Export:

  1. Log in to your account
  2. Go to Account Settings
  3. Click "Export My Data"
  4. Download JSON file

Account Deletion:

  1. Log in to your account
  2. Go to Account Settings
  3. Scroll to "Danger Zone"
  4. Click "Delete Account"
  5. Confirm with your password

Other Requests:

Email us at privacy@endentry.com

We will respond within 30 days

9. Children's Privacy

Our Service is not intended for users under 18 years of age.

  • We do not knowingly collect data from anyone under 18
  • You must be 18 or older to create an account
  • If we discover we have collected data from someone under 18, we will delete it immediately

Parents: If you believe your child has provided us with data, contact us at privacy@endentry.com

10. Data Breach Notification

10.1 Our Commitment

In the event of a data breach affecting your personal data:

  • We will investigate the breach immediately
  • We will notify affected users within 72 hours (GDPR requirement)
  • We will notify relevant supervisory authorities as required
  • We will provide details about the breach and remediation steps

10.2 What We Will Tell You

Breach notifications will include:

  • What data was affected
  • When the breach occurred
  • What we are doing to address it
  • What you should do to protect yourself

10.3 How We Will Notify You

  • Email to your registered email address
  • Notice on our website

11. Contact Us

Privacy Inquiries

For questions about this Privacy Policy or our data practices:

Email: privacy@endentry.com
Response Time: Within 30 days

Data Rights Requests

To exercise your data rights (access, deletion, portability):

Email: privacy@endentry.com
Subject: "Data Rights Request - [Your Request Type]"
Response Time: Within 30 days

Summary of Key Points

YOUR PRIVACY MATTERS:

  • We collect - Account info, invoice files, usage data, billing info
  • We use it for - Providing the Service, billing, support
  • We store it in - AWS (United States)
  • We share it with - AWS (infrastructure), Stripe (billing), Mailgun (email)
  • We do NOT sell - Your data to third parties
  • You can - Export your data, delete your account, exercise GDPR/CCPA rights
  • We retain - Data according to our retention policy (7 years for billing, files, and logs)
  • We protect - Data with encryption, access controls, security monitoring

YOUR RIGHTS:

  • Access - Export all your data (Article 15)
  • Delete - Remove your account and data (Article 17)
  • Portability - Download data in JSON format (Article 20)
  • Contact us - privacy@endentry.com

Version 1.0 | Effective January 2024

GDPR & CCPA Compliant
