Privacy Policy

Effective date: June 8, 2026  ·  Operated by Cross Language LLC

This Privacy Policy explains how Cross Language LLC, doing business as InvoiceOps ("InvoiceOps," "we," "us," or "our"), collects, uses, discloses, retains, and protects personal information when you visit https://invoiceops.ai, create or use an account, submit documents, connect integrations, communicate with us, or otherwise use the Service.

This Policy distinguishes between (1) personal information InvoiceOps processes for its own business purposes, such as account, billing, website, and support information, and (2) Customer Content InvoiceOps generally processes on behalf of business customers. A customer organization may have its own privacy notice governing the documents and personal information it submits.

1. Scope

This Policy applies to InvoiceOps websites, applications, APIs, email-ingestion services, support communications, and related online services that reference it. It does not apply to third-party websites, services, or integrations governed by their own privacy policies, or to information processed solely by a customer outside InvoiceOps.

2. Our Roles

For account registration, billing, website analytics, security, marketing, and support information, InvoiceOps generally determines the purposes and means of processing and acts as a controller or business under applicable privacy law.

For personal information contained in invoices, receipts, attachments, approval records, and other Customer Content, InvoiceOps generally acts as a processor or service provider on behalf of the customer organization. The customer generally determines why the information is processed, who may access it, how long it is retained, and what actions are taken from the output. Requests concerning Customer Content may need to be directed to the relevant customer.

3. Information We Collect

3.1 Account and Organization Information

  • name, business email address, phone number, job title, and profile details;
  • organization name, business address, industry, team, and user role;
  • login identifiers, authentication events, security settings, and account-recovery information;
  • invitations, memberships, permissions, department or entity assignments, and administrator actions.

3.2 Customer Content and Invoice Data

Customer Content may include invoices, receipts, purchase orders, email messages and attachments, ZIP archives, images, financial and accounting records, approval comments, custom fields, and exports. Depending on the source document, it may contain:

  • vendor, bill-to, sold-to, and customer names;
  • postal addresses, email addresses, phone numbers, contact names, and signatures;
  • invoice numbers, purchase order numbers, dates, billing periods, service periods, paid dates, and due dates;
  • currency, subtotal, tax, tax rate, totals, quantities, unit prices, line-item descriptions, account classifications, and payment-related information;
  • banking or remittance details, tax identifiers, employee or contractor information, and other sensitive commercial information;
  • document metadata such as title, author, producer, file hash, PDF version, page count, file size, orientation, encryption status, forms, images, fonts, language, and technical properties;
  • extraction results, confidence scores, source coordinates, bounding boxes, validation states, duplicate indicators, edit history, review actions, approval actions, and synchronization status.

3.3 Billing and Transaction Information

  • subscription plan, included and purchased credits, usage, invoices, purchase history, auto-top-up settings, and transaction status;
  • billing contact and address;
  • limited payment-method details and processor tokens. Full card numbers are generally collected and stored by our payment processor, not InvoiceOps.

3.4 Integration and Email-Ingestion Information

  • OAuth tokens, account identifiers, scopes, connection status, and synchronization logs for connected services;
  • email sender, recipient, subject, timestamp, headers, attachment metadata, and message content needed to process forwarded or connected messages;
  • accounting mappings, vendor mappings, expense accounts, items, classes, locations, tax codes, error messages, and third-party record identifiers.

3.5 Device, Usage, and Log Information

  • IP address, browser, operating system, device type, language, approximate location derived from IP, and referring URLs;
  • pages viewed, features used, clicks, session events, upload and processing events, API requests, response codes, and performance data;
  • security, authentication, audit, fraud-prevention, error, crash, and diagnostic logs;
  • cookie identifiers and similar technology data.

3.6 Communications and Feedback

  • support requests, chatbot conversations, emails, survey responses, call notes, and other communications;
  • samples or documents voluntarily provided for troubleshooting or quality investigation;
  • product feedback, feature requests, and testimonials when authorized.

3.7 Information from Other Sources

We may receive information from your employer or organization administrator, invited users, referral partners, integration providers, identity providers, payment processors, security vendors, public business sources, and service providers assisting with fraud prevention or compliance.

4. How We Use Information

  • provide, operate, maintain, and personalize the Service;
  • authenticate users, administer organizations, enforce roles, and support approval and review workflows;
  • ingest, store, parse, OCR, classify, extract, reconcile, validate, display, edit, search, export, and synchronize documents and structured data;
  • calculate confidence, provenance, duplicate indicators, usage, credits, billing, and plan eligibility;
  • process subscriptions, credit purchases, auto-top-ups, invoices, taxes, and account changes;
  • provide support, troubleshoot failures, return credits for eligible technical failures, and communicate service notices;
  • monitor availability, capacity, performance, reliability, and product usage;
  • protect users, investigate suspicious activity, prevent fraud and abuse, enforce agreements, and secure the Service;
  • comply with law, legal process, sanctions, tax, accounting, recordkeeping, and regulatory obligations;
  • develop and improve features, usability, extraction quality, and operations using feedback and de-identified or aggregated information;
  • send product, educational, or promotional communications where permitted, subject to opt-out rights; and
  • support corporate transactions such as financing, merger, acquisition, reorganization, or sale of assets.

5. AI and Automated Document Processing

InvoiceOps may use deterministic parsing, OCR, machine learning, large language models, computer vision, multimodal systems, table-recognition systems, rules, and reconciliation engines to process Customer Content. These systems may classify documents; identify parties, dates, amounts, taxes, and line items; reconstruct tables; create source references; calculate confidence; flag conflicts; and generate accounting-ready structured data.

Customer Content may be transmitted to vetted subprocessors that provide cloud infrastructure or AI processing, subject to contractual restrictions and applicable data-protection terms. Unless separately agreed or clearly disclosed, InvoiceOps does not use Customer Content to train publicly available or shared foundation models. We may use de-identified, aggregated, statistical, diagnostic, or operational information to improve the Service where it does not identify a customer or individual.

InvoiceOps does not intend the Service to make solely automated decisions that produce legal or similarly significant effects about individuals. Customers are responsible for human review and for laws governing any decisions they make using outputs.

Where the GDPR, UK GDPR, or similar law applies, our legal bases may include:

  • performance of a contract, including providing accounts, processing documents, billing, and support;
  • legitimate interests, including security, fraud prevention, service improvement, business operations, and business-to-business communications, balanced against individual rights;
  • consent, where required for certain cookies, marketing, or optional processing; and
  • compliance with legal obligations and protection of legal rights.

When processing Customer Content as a processor, we rely on the customer's instructions and data-processing agreement. The customer is responsible for selecting an appropriate lawful basis and providing required notices to individuals whose data appears in documents.

7. How We Disclose Information

7.1 Service Providers and Subprocessors

We may disclose information to vendors that provide cloud hosting, data storage, content delivery, databases, authentication, email delivery and intake, payment processing, customer support, analytics, observability, cybersecurity, fraud prevention, document processing, OCR, AI models, backups, and professional services. They may process information only to provide contracted services or as otherwise permitted by law.

7.2 Customer Organization and Authorized Users

Account and Customer Content may be visible to the customer organization's owners, administrators, reviewers, approvers, accountants, auditors, viewers, assigned departments, service accounts, and other authorized users according to configuration. Administrators may access, export, modify, restrict, or delete information and may monitor user activity.

7.3 Connected Third-Party Services

At a customer's direction, we disclose data to accounting platforms, storage providers, email services, identity providers, APIs, and other integrations. Data sent to those services is then governed by their privacy practices and the customer's agreements with them.

7.4 Legal, Safety, and Enforcement

We may preserve or disclose information when we reasonably believe it is necessary to comply with law or legal process; respond to lawful requests; protect rights, safety, and security; prevent fraud or abuse; enforce agreements; collect amounts owed; or investigate violations.

7.5 Corporate Transactions

Information may be disclosed or transferred in connection with a merger, acquisition, financing, reorganization, bankruptcy, sale of assets, or due diligence, subject to appropriate confidentiality protections.

7.6 Aggregated and De-identified Information

We may disclose aggregated or de-identified information that does not reasonably identify an individual or customer. We will not attempt to reidentify information that is maintained as de-identified except to test our de-identification processes or as permitted by law.

8. Selling and Sharing of Personal Information

InvoiceOps does not sell Customer Content or personal information for money. InvoiceOps does not share Customer Content for cross-context behavioral advertising. Our use of analytics or advertising cookies on public website pages, if any, may be considered "sharing" under certain state privacy laws. Where applicable, we provide required choices, honor legally recognized opt-out preference signals, and describe cookie controls in the cookie notice or consent interface.

9. Cookies and Similar Technologies

We may use essential cookies for authentication, security, session continuity, load balancing, preferences, and fraud prevention. With consent where required, we may use analytics or marketing technologies to understand website usage and measure campaigns. You can manage non-essential cookies through our consent tool, if available, and browser settings. Blocking essential cookies may prevent account use.

10. Data Retention

We retain information only as long as reasonably necessary for the purposes described, including providing the Service, fulfilling customer configuration, maintaining security and audit records, resolving disputes, enforcing agreements, and meeting legal obligations.

Data categoryTypical retention approach
Free-plan Customer ContentMay be retained for a short plan-specific period, currently described as 7 days, unless deleted earlier or required longer for security or law.
Paid-plan Customer ContentRetained during the subscription and according to plan, configuration, order form, or customer deletion instructions.
Purchased credit and billing recordsRetained as needed for transaction history, accounting, tax, fraud prevention, and legal compliance.
Security, audit, and diagnostic logsRetained for periods appropriate to security, troubleshooting, compliance, and abuse prevention.
BackupsDeleted or overwritten on a rolling schedule; isolated copies may persist temporarily after primary deletion.
Support communicationsRetained as needed to resolve issues, improve support, document commitments, and protect legal rights.

Deletion from active systems may not immediately remove information from backups, legal holds, fraud-prevention records, or third-party systems to which a customer exported or synchronized it. Customers are responsible for exporting records they need to keep before retention expires or an account closes.

11. Security

We use administrative, technical, and organizational safeguards designed for the nature of the data and risks, which may include encryption in transit and at rest, tenant isolation, access controls, role-based authorization, authentication, logging, secure software development, monitoring, backups, vulnerability management, and incident-response procedures. We limit employee and provider access based on need.

No method of transmission, storage, or processing is completely secure. Customers should use strong unique passwords, enable available authentication controls, restrict user permissions, secure email-forwarding rules and API keys, review audit events, and promptly notify us of suspected compromise.

12. International Data Transfers

InvoiceOps is based in the United States, and information may be processed in the United States and other countries where we or our providers operate. These countries may have different data-protection laws. Where required, we use appropriate safeguards such as contractual protections, data-processing terms, standard contractual clauses, or other lawful transfer mechanisms.

13. Your Privacy Rights

Depending on location and applicable law, you may have rights to request access, correction, deletion, portability, restriction, or objection; opt out of certain sales, sharing, targeted advertising, or profiling; withdraw consent; and appeal a denied request. Rights are subject to exceptions and verification.

To submit a request concerning InvoiceOps-controlled data, contact privacy@invoiceops.ai. We may request information to verify identity and authority. You may use an authorized agent where permitted, but we may require proof of authorization. We will not unlawfully discriminate against you for exercising privacy rights.

For personal information contained in Customer Content, contact the organization that uploaded or controls the document. We will assist that customer as required by applicable law and our agreement.

14. California Privacy Notice

This section supplements the Policy for California residents and applies to the extent InvoiceOps is subject to the California Consumer Privacy Act, as amended. Terms such as "personal information," "sell," "share," "business," and "service provider" have the meanings provided by California law.

Category collectedRepresentative examplesBusiness/commercial purposesRecipients
IdentifiersName, email, IP address, account IDs, vendor/customer identifiersAccount administration, security, document processing, supportService providers; customer organization; integrations
Customer records and commercial informationBusiness contact data, invoices, subscriptions, purchase history, credit usageProvide Service, billing, workflow, recordsService providers; customer organization; integrations
Internet or electronic activityBrowser, device, logs, feature usage, API activitySecurity, analytics, troubleshooting, improvementHosting, analytics, security providers
Professional informationEmployer, role, department, job titleUser administration and workflow routingCustomer organization; service providers
GeolocationApproximate location from IPSecurity, fraud prevention, localizationSecurity and infrastructure providers
Inferences and extracted dataDocument classification, confidence, structured invoice fieldsDocument processing and workflowCustomer organization; AI/OCR subprocessors; integrations
Sensitive personal information, when present in Customer ContentAccount credentials, financial/remittance information, tax identifiers or other data in documentsProvide requested document processing; security; complianceCustomer-authorized users and contracted subprocessors

We collect these categories from users, customers, documents, administrators, integrations, devices, and service providers. We retain them as described in Section 10. We do not sell personal information for money. We do not use or disclose sensitive personal information to infer characteristics about individuals beyond purposes permitted by law. Where website technology constitutes sharing for cross-context behavioral advertising, California residents may opt out through available cookie controls or recognized preference signals.

California residents may request to know, access, correct, delete, and obtain information about categories, sources, purposes, and recipients, and may opt out of sale or sharing where applicable. InvoiceOps may need to deny or limit a request when information is processed solely as a service provider for a customer, or when an exception applies. We will provide required metrics or additional disclosures if and when legally applicable.

15. EEA, UK, and Switzerland

Individuals in the EEA, United Kingdom, and Switzerland may have rights under applicable data-protection law, including access, correction, deletion, restriction, objection, portability, withdrawal of consent, and complaint to a supervisory authority. Where processing is based on legitimate interests, you may object based on your particular situation. Where processing is based on consent, withdrawal does not affect prior lawful processing.

InvoiceOps generally acts as a processor for Customer Content and as a controller for account, website, billing, security, and direct support data. If required, customers may request a Data Processing Addendum addressing processor obligations, confidentiality, security, subprocessors, assistance, deletion, audits, and international-transfer terms.

16. U.S. State Privacy Rights

Residents of other U.S. states may have similar rights, including access, correction, deletion, portability, opt-out, and appeal rights. We will honor applicable rights based on your residence and our legal obligations. We may process requests directly or redirect requests concerning Customer Content to the relevant customer organization.

17. Marketing Communications

You may unsubscribe from promotional emails using the link in the message or by contacting us. You may continue receiving transactional, security, billing, account, and service communications. Organization administrators may also configure operational notifications for processing, review, approval, export, or synchronization events.

18. Children

The Service is intended for business users and is not directed to children under 13, or under the higher minimum age required by local law. We do not knowingly collect personal information directly from children for account creation. Customer documents may incidentally contain information about minors; the customer is responsible for ensuring lawful processing. Contact us if you believe a child created an account or provided information directly without authorization.

19. Do Not Track

Some browsers provide a "Do Not Track" signal for which there is no uniform industry response. We respond to legally recognized opt-out preference signals where required, but otherwise may not respond to browser Do Not Track settings. Cookie choices remain available as described above.

20. Changes to This Policy

We may update this Policy to reflect changes in the Service, law, or practices. We will post the revised version with a new effective date and provide additional notice of material changes where appropriate. Material changes generally apply prospectively.

21. Contact and Complaints

Privacy questions and rights requests may be sent to privacy@invoiceops.ai. General support requests may be sent to support@invoiceops.ai. Legal notices may be sent to legal@invoiceops.ai. InvoiceOps is operated by Cross Language LLC. Website: https://invoiceops.ai.

If you are in the EEA, UK, or Switzerland, you may also complain to your local data-protection authority. We encourage you to contact us first so we can try to address your concern.