Skip to content

Privacy Policy

Last updated: March 2026

We wrote this in plain English. If something is unclear, email support@invistiq.com and we will clarify.

1. What data we collect

Account information

When you sign up, we collect your name, email address, and organization name. That is it. We do not ask for payment information directly; billing goes through Stripe.

Uploaded documents

The vendor invoices, supply receipts, lab statements, and other financial documents you upload are stored on your behalf. We treat these as your property. We process them to extract data and generate reports. We do not read them for any other purpose.

Extracted data

After a document is processed, we store the structured data pulled from it: vendor names, invoice numbers, line items, amounts, dates, and payment terms. Every extracted field links back to the source document.

Usage data

We log actions on the platform: logins, logouts, uploads, document views, report exports, and manual corrections. These logs support our audit trail feature and help us troubleshoot issues. We also collect browser type and IP address for security purposes.

2. How we use it

  • Running the document extraction pipeline on files you upload
  • Generating the vendor spend, lab fee, and overhead reports you request
  • Sending transactional emails about your account (password resets, billing receipts, policy updates)
  • Responding to support requests
  • Improving extraction accuracy and platform performance using aggregate, anonymized metrics
  • Meeting legal and regulatory obligations

3. What we don't do

  • We do not sell your data to anyone, ever.
  • We do not share your documents or extracted data with advertisers.
  • We do not use your documents or extracted data to train AI models. Your data trains nothing.
  • We do not use marketing cookies or behavioral tracking.
  • We do not share data between organizations. Each account is completely isolated.

4. Data storage and security

Your files are stored on AWS S3 in the United States with Object Lock enabled, which means files cannot be modified or deleted after upload. Your account data and extracted values are stored in Supabase, also in the US.

All data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher.

Every table in our database has row-level security policies that restrict queries to the organization that owns the data. Even a misconfigured query cannot return data from a different organization.

We maintain an append-only audit log of all key actions. That log cannot be modified or deleted, including by us.

5. Data retention

Active accounts: we retain your data for as long as your account is active.

Cancelled accounts: we retain your data for 90 days after cancellation so you can export anything you need. After 90 days, your data is permanently and irreversibly deleted.

Uploaded documents are stored immutably. We never modify a file after it has been uploaded. This is a deliberate design decision for audit integrity.

You can request early deletion before the 90-day window by contacting support. We will process the request within 10 business days.

6. Third-party processors

We use a small number of third-party services to run the platform. Each one receives only the data it needs to do its job.

ProviderPurposeData shared
AWS S3File storageUploaded documents
Google Document AIInvoice data extractionDocument content for processing
SupabaseDatabase and authAccount data, extracted values
VercelHosting and deliveryWeb traffic (logs, IPs)
StripePayment processingBilling information (handled directly by Stripe)
ResendTransactional emailEmail address only

We do not share your data with any other third parties. All processors are contractually bound to use your data only for the services they provide to us.

7. Your rights

You have the right to:

  • Access the personal data we hold about you
  • Export your documents and extracted data at any time from the platform
  • Correct inaccurate information in your account
  • Delete your data by cancelling your account
  • Object to any processing you believe is not covered by this policy

To exercise any of these rights, email support@invistiq.com. We respond to all verified requests within 30 days.

8. HIPAA

Invistiq serves healthcare customers, including dental offices. We understand that even financial documents in a healthcare setting may touch protected health information (PHI).

We sign Business Associate Agreements (BAAs) with healthcare customers before they upload any documents that could contain PHI. We do not process PHI without a BAA in place.

If you are a healthcare organization and need a BAA, email support@invistiq.com.

Our platform includes PHI heuristic detection. If a document shows signs of containing patient records (which are outside our scope), the upload is flagged for review before processing begins.

9. Cookies

We use two categories of cookies:

  • Strictly necessary: the authentication session cookie that keeps you logged in, and a CSRF token that protects your account. These cannot be disabled without breaking the platform.
  • Functional: cookies that remember small preferences like sidebar state. These are not required.

We do not use marketing cookies, ad tracking, or any cross-site behavioral tracking. See our Cookie Policy for the full list and browser opt-out instructions.

10. Updates to this policy

If we make material changes to this policy, we will notify you by email at least 30 days before the changes take effect. Minor edits (fixing typos, adding clarity) may happen without notice, but will always show an updated date at the top of this page.

Your continued use of the platform after the effective date of a material change means you accept the updated policy. If you disagree, you can cancel your account before the change takes effect.

11. Contact

Questions about this policy or how we handle your data? Email support@invistiq.com. We aim to respond within five business days.