Data Security statement

Last update: 27/01/2021


Technology with security at its core

Protecting your data is our core priority. Your data belongs to you, not to us, and we will treat it that way. In order to provide you with best-in-class security, privacy, and compliance controls, we undergo independent third-party audits regularly. Third-party auditors assess our platform, infrastructure, and operations and conduct penetration tests on a regular basis. We also review new features for security and privacy impact before release to improve privacy by design.

We do not run our own routers, load balancers, DNS servers, or physical servers. We chose to partner with Google as a provider of their Platform as a Service: Google Cloud Platform (GCP). Our application uses GCP as its back end using mainly the following services:

  • Firebase Hosting (web content hosting service)
  • Firebase Realtime Database (NoSQL cloud-hosted database)
  • Google Apps Script (rapid application development platform)
  • App Engine (serverless application engine)
  • Cloud Datastore (NoSQL document database built for automatic scaling, high performance)
  • Cloud Storage (worldwide, extendable, highly durable object storage)
  • BigQuery (serverless, highly scalable cloud data warehouse)
  • Stackdriver (logging, monitoring and alerting)
  • Google API (Drive and Document AI)

Google Cloud Platform provides state-of-the-art services with security at its core. All servers are updated on a regular basis to ensure we have the latest security patches installed.

Our team has a strong security culture

Each team member undergoes an extensive background check as well as comprehensive training on data security and privacy protocols and receives yearly training on the topics of data privacy and security. Our staff does not access any of your data unless you request assistance for support purposes and provide your explicit consent. All information, data and documents exchanged with our support staff in this context are subject to strict confidentiality procedures and will not be disclosed.

Your data belongs to you

Invoice to Sheet will not use your documents or your extracted data for any purpose other than providing you the service you subscribed to. We don't sell or re-use your data. Invoice to Sheet stores very limited customer information related to user and usage, as detailed in the table below. These are stored in Google Cloud Platform. We store nothing else, particularly not the extracted content of your invoices.

Type of data | We store | We do not store
User identification
  • Username
  • Google email address
  • User password
Email info and content
  • Content of the email from which the invoice is extracted. We don’t even process this content.
Invoice info and content
  • Identifiers of your invoice. Invoice identifier does not contain any personal information.
  • Identifiers and title of your Google Sheet
  • Content of the invoice from which data is extracted. This content is processed for the purpose of extraction but never stored.
Subscription data
  • Current plan details
  • Transaction details (amount, invoice ID, payment date)
  • The transaction handler
  • The invoiced person or company name
  • Credit card data

We store data only to the extent that is necessary for Invoice to Sheet to operate and meet its legal obligations. Pursuant to GDPR Article 17, you can send us a request to remove some or all of your personal data from our database, and we will permanently do so if one of the grounds set out in GDPR Article 17 applies (e.g. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed). Note, however, that deleting some or all of this data may interrupt Invoice to Sheet functionality.

Data Encryption

We use bank-level encryption from A to Z. Whenever you send or retrieve data from the app, the communication is always secured through HTTPS encryption.

In addition to encrypting data in transit, we also encrypt all data at rest. Our databases as well as all stored documents are encrypted, from the moment we receive your data until we delete it.

Your login details are one-way hashed using a strong hashing algorithm. Not even our staff can see or access your password.

Compliance with GDPR, CCPA and FERPA

Privacy and security have always been the foundation of Invoice to Sheet's approach to product development and business, and we continuously evaluate all our practices in an effort to safeguard your information as effectively as possible. In any case, as detailed further below in relation to each specific regulation, you always remain in full control of any data we process.


We have taken the necessary steps to comply with the European Union’s General Data Protection Regulation (GDPR). Invoice to Sheet acts as a data controller for usage and user personal data, which we collect, process and use in a fair, transparent and secure way in accordance with our Privacy Policy. Invoice to Sheet acts as a data processor for your imported documents and parsed data, which we process on your behalf and for which you remain the data controller. This processing is limited exclusively to the automatic processing carried out by the application and does not include any manual processing by our staff members. In accordance with Article 28 GDPR, Invoice to Sheet processes this data only according to your instructions, for the purpose of providing you the Invoice to Sheet application and related technical support upon your request. It is processed according to our Data Processing Agreement. Our Data Processing Agreement enacts standard contractual clauses set forth by the European Commission to establish a legal basis for cross-border data transfers from the EU.


The California Consumer Privacy Act (CCPA) is a data privacy law that provides California consumers with a number of privacy protections, including the right to access, delete, and opt out of the “sale” of their personal information. If the CCPA applies to the collection, retention, use, and disclosure by Invoice to Sheet of your personal information, then we ensure through our Data Processing Agreement that we shall not (a) have, derive or exercise any rights or benefits regarding your personal information, (b) sell your personal information, or (c) collect, retain, share or use your personal information except as necessary for the sole purpose of providing you the Invoice to Sheet application and related technical support upon your request.


We can also support education data related use cases. The Family Educational Rights and Privacy Act (FERPA) is a US Federal privacy law that protects personally identifiable information in students’ education records from unauthorized disclosure. If you intend to use Invoice to Sheet for any purpose or in any manner involving personally identifiable information in students’ education records, please request a Data Sharing Agreement from our group legal team by writing to

PCI Obligations

Invoice to Sheet is not subject to PCI obligations. All payment instrument processing is outsourced to Stripe.

If you believe you have discovered a problem or have any questions, please contact us at
