›Nothing, in our database. Anonymous use writes zero records to our servers.
›Your business profile, if you fill one in. Lives in your browser's sessionStorage only — per-tab and ephemeral. Close the tab and it's gone.
›Identifiers in your browser's localStorage. A random device ID (reserved for future abuse prevention — not currently linked to any data), plus a PostHog analytics ID used to de-duplicate usage events.
›Anonymous product analytics. We use PostHog for product analytics — pageviews, button clicks, and feature usage. No session recording. No data we collect can be sold or shared with advertisers.
What we collect — when you sign in
›Your business profile info (name, contact, license, tax defaults) — to put on your invoices. Stored against your account, not your device.
›Your invoice data (customer names, amounts, transcripts) — so we can show your history.
›Your email, via Clerk (our authentication provider).
›An activity log. We log which invoices you generated, when, and the invoice total — for usage analytics. Customer names and line items are never in this log.
What we don't keep
›Audio recordings. Audio is held in memory only during your live recording session and is permanently deleted when you finalize the invoice. It never reaches our database.
›Session recordings or screen replays. We don't record or replay your screen, so the customer names and amounts on your invoices are never captured by our analytics.
›IP addresses in our application database. Our hosting and authentication providers may log them briefly for normal network operation and abuse prevention.
›Your data, sold or shared for ads/marketing. Ever.
Who has access
›You. Your invoices are private to your account — other users can't see them.
›Us. Database administrators (the team building HandInvoice) have access for support and operational purposes. Standard for any SaaS — we'd rather say so.
›OpenAI. We send your audio to OpenAI's Whisper API for transcription. Audio passes through their service briefly during processing.
›MongoDB. Stores your invoice data and business profile when you're signed in. Anonymous sessions never write to our database.
›Clerk. Handles authentication (email + password, sign-in with Google).
›PostHog. Our product-analytics provider. Receives anonymized usage events — pageviews and clicks — never your invoice data.
Your rights
›Delete any invoice anytime from /invoices.
›Delete your account — email us at hello@handinvoice.com and we'll wipe your data. (Self-serve account deletion is on the roadmap.)
›Export your data — coming soon. Email us in the meantime.