GetMyBills24

Privacy Policy

Last updated: April 2026

1. Controller

Data controller within the meaning of the GDPR:

Gennaro Frenken

gennaro.frenken@gmail.com

Operating under German law (DSGVO/GDPR)

2. What data we collect

  • Email address — entered by you for the IMAP connection or provided via OAuth.
  • Email password / App password — IMAP only. Processed in memory only, never stored.
  • OAuth access tokens — temporary, cookie-based, expire after 1 hour.
  • Email content — subjects, headers, and attachments of emails identified as invoices.
  • IP address — in server logs, standard web hosting.
  • Language preference — stored in localStorage, browser-side only.

3. How we use your data

  • To connect to your email server and scan for invoices.
  • To generate a downloadable ZIP file of your invoices.
  • To process payments via Stripe.

What we do NOT do:

✗ Use your data for marketing, analytics, or profiling

✗ Sell or share your data with third parties

4. Data processing and storage

Email credentials

Processed in server memory ONLY during the active scan session. Never written to disk, database, or logs. Immediately deleted from memory after the scan completes.

OAuth tokens

Stored in encrypted httpOnly cookies. Expire after 1 hour. Not stored server-side.

Extracted invoices

Temporarily stored on the server for download. Automatically deleted within 2 hours or 5 minutes after download, whichever comes first.

No persistent database

No persistent database. No user accounts. No tracking.

5. Third-party services

  • Google OAuth (Gmail API) — For Gmail authentication. Google's privacy policy applies.
  • Microsoft OAuth (Microsoft Graph API) — For Outlook authentication. Microsoft's privacy policy applies.
  • Stripe — For payment processing. See Stripe's privacy policy.
  • Render.com — Hosting provider, servers in US/EU. See Render's privacy policy.

No analytics tools. No Google Analytics, no tracking pixels, no cookies except functional ones.

6. Your rights (GDPR Art. 15–21)

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure — data is auto-deleted, but you can request immediate deletion (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)
  • Right to withdraw consent at any time
  • Right to lodge a complaint with a supervisory authority

To exercise your rights, please contact: gennaro.frenken@gmail.com

7. Cookies

We use only strictly necessary cookies:

  • OAuth session token: httpOnly, expires after 1h
  • Admin authentication token: httpOnly

No tracking cookies, no third-party cookies. Language preference is stored in localStorage (not a cookie).

8. Data retention

Email credentials

0 seconds (memory only during scan)

OAuth tokens

Max 1 hour

Extracted files

Max 2 hours, deleted after download

Server logs

30 days (standard hosting)

Payment records

As required by law (Stripe handles this)

9. Security

  • All connections encrypted via TLS/HTTPS
  • IMAP connections use SSL/TLS (port 993)
  • OAuth tokens signed with HMAC-SHA256
  • No persistent storage of sensitive data

10. Changes to this policy

We may update this privacy policy from time to time. Last updated: April 2026.

11. Contact

For privacy-related questions, please contact: