Privacy Policy

This Privacy Policy explains what information My Book Pad ("we", "us", "our") collects when you use our service, how we use it, and the choices you have. We've tried to write it in plain language — if anything is unclear, email us at support@mybookpad.com.

1. The short version

• We collect only what's necessary to run the Service and bill you.
• We never sell your data, and we don't run ads inside the app.
• Your project data, expenses, notes, and photos belong to you.
• We use a small number of trusted vendors (mainly Stripe and Google) and we list them below.
• You can export or delete your workspace at any time.

2. Information we collect

Information you give us

• Account details — your name, email address, business name, and password (stored as a salted hash, never in plain text).
• Workspace content — projects, expenses, notes, photos, customer details, and any other content you add. We treat this as confidential business data.
• Billing details — when you subscribe, Stripe collects your payment method on our behalf. We don't see or store your full card number; we only receive a token and a few non-sensitive fields (card brand, last 4, country, expiry) so we can show them in your billing settings.
• Support correspondence — any emails you send us so we can reply and improve the product.

Information we collect automatically

• Log data — IP address, browser type, pages visited, and timestamps, kept in short-lived server logs for security and debugging.
• Session cookies — a single first-party cookie that keeps you signed in. See our Cookie Policy for details.
• Audit log — important actions inside your workspace (logins, destructive operations, billing events) are written to an internal audit log so you and our support team can investigate issues.

We do not use third-party analytics scripts, tracking pixels, advertising cookies, or session-replay tools.

3. How we use information

We use the information above to:

• Run the Service — host your workspace, render your data, send invitations, and run features like cross-org collaboration.
• Send transactional email — confirmations, password resets, trial-expiry warnings, payment receipts, and security notices.
• Bill you and prevent payment fraud (in partnership with Stripe).
• Provide customer support when you ask for it.
• Detect, investigate, and prevent abuse, security incidents, and Terms violations.
• Improve the product — we look at aggregate usage patterns, not individual content.
• Comply with legal obligations.

We don't use Your Content to train AI/ML models, and we don't sell, rent, or trade your personal information.

4. Service providers we use

We share information with a small number of vendors who help us run the Service. Each is bound by their own privacy commitments.

• Stripe — handles payment processing, subscription billing, and the customer portal. See stripe.com/privacy.
• Google Workspace — hosts our support inbox and sends our transactional email through Gmail SMTP.
• Google Cloud (Gemini API) — used only when you explicitly run receipt OCR. We send the receipt image to Gemini and discard the response after extracting fields into your workspace.
• DigitalOcean — provides the virtual server that hosts the Service.

5. Cross-organization sharing

When you collaborate with a partner workspace on a shared project, that workspace can view (and where applicable, contribute to) the project's data — expenses, notes, photos, and totals. You control which projects you share and with whom, and you can revoke a collaboration from the project settings at any time.

6. Data location & security

Your data is stored on servers in the United States and Canada. We protect it with HTTPS everywhere, salted password hashing, per-workspace database isolation, role-based access controls, and regular software updates. No system is perfectly secure, but we work hard to keep your data safe. If we discover a breach that affects you, we'll notify you promptly as required by law.

7. Retention

We retain Your Content for as long as your workspace is active. If you delete your workspace, we keep the data for 30 days in case you change your mind, then permanently purge it. System logs are kept for up to 90 days for security and debugging; billing records are kept longer to meet tax and accounting obligations.

8. Your rights

Depending on where you live, you may have the right to:

• Access the personal data we hold about you.
• Correct or update it.
• Delete it (by deleting your workspace, or by emailing us).
• Export it in a portable format.
• Object to certain processing, or withdraw consent where consent is the basis.
• Lodge a complaint with your local data-protection authority.

To exercise any of these rights, email support@mybookpad.com. We'll respond within a reasonable time and may need to verify your identity first.

9. Children

My Book Pad is built for businesses and isn't intended for anyone under 18. We don't knowingly collect information from children. If you believe a child has given us personal data, contact us and we'll delete it.

10. International users

If you access the Service from outside the country where our servers are located, you understand that your information will be transferred to, processed, and stored there. We take reasonable steps to ensure protections appropriate to such transfers.

11. Changes to this policy

We may update this Privacy Policy from time to time. If a change is material, we'll notify you by email or by an in-product notice before it takes effect. The "Last updated" date at the top of this page always shows when the policy last changed.

12. Contact

Questions or requests? Email support@mybookpad.com.