Important Notice
This Privacy Policy explains how MightySmall collects, uses, stores, and protects your personal information, including data accessed from your Gmail and Outlook email accounts for invoice detection and extraction.
Gmail API Disclosure
The use of information received from Workspace APIs will adhere to the Google User Data Policy, including the Limited Use requirements.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Email address (from Google or Microsoft OAuth)
- Name (from your Google or Microsoft profile)
- Profile photo (optional, from OAuth provider)
- Business information (business name, type, size, region - if provided)
1.2 Gmail Data (via Gmail API)
When you connect your Gmail account, we access the following through the Gmail API:
What We Access:
- Sender email addresses and names - To identify supplier emails
- Email subject lines - To detect invoice keywords (read in the Gmail add-on for invoice detection)
- Email received date/time - For invoice chronology
- Attachment metadata - Filename and content type of attachments
- PDF invoice attachments - Downloaded only when you take action (clicking "Send to MightySmall" in the add-on, or selecting suppliers in bulk import) so we can extract invoice data
Gmail API Permissions Explained:
We request the gmail.readonly scope, which provides read-only access to your Gmail messages and settings. We do not request any write, send, modify, or delete permissions.
Why We Need This Permission (Critical for Invoice Detection):
- Access emails in ALL folders and labels - Many users have auto-archive rules or folder organization that moves supplier emails out of the Inbox. We need to scan these folders to find your invoices.
- Read archived emails - If your email client automatically archives certain senders (common for corporate accounts), we need access beyond just the Inbox.
- Access labeled emails - Gmail users often auto-label supplier emails. We need to read emails with custom labels to detect invoices.
- Search across your entire mailbox - Invoices might be in "Finance", "Receipts", "Accounts Payable", or any custom folder you've created.
What gmail.readonly Does NOT Allow Us To Do:
- Send emails on your behalf - gmail.readonly does not allow sending
- Delete or trash emails - gmail.readonly is strictly read-only; we cannot delete your data
- Modify email content - We cannot change the text of your messages
- Mark emails as read/unread - gmail.readonly does not allow modifying email state
- Create, apply, or remove labels - gmail.readonly does not allow any write operations on labels or folders
Technical Note
We use gmail.readonly, the most restrictive Gmail scope that still permits reading messages and downloading PDF attachments across all folders and labels. This is the principle of least privilege in action: we request only what we need to detect invoices and nothing more.
What We Do NOT Access:
- Email body content (we only read message headers and download PDF attachments)
- Email recipients or CC/BCC fields
- Gmail settings or configurations
- Google Calendar, Drive, Contacts, or other Google services
How We Use Gmail Data:
- Invoice Detection: Identify emails containing invoices based on keywords, sender patterns, and PDF attachments
- Data Extraction: Extract invoice data (supplier name, invoice number, date, line items, amounts) from PDFs
- Price Comparison: Enable you to compare your prices against anonymized market benchmarks
- Automation: Automatically process invoices from whitelisted senders (if you enable this feature)
What We Do NOT Do with Gmail Data
- Sell or share your Gmail data with third parties, advertisers, or data brokers
- Use for advertising or interest-based marketing
- Use for credit decisions or lending purposes
- Train AI models on your raw email content without explicit opt-in consent
- Allow human access to your emails except for abuse, fraud, or security investigations as required by law
- Transfer to third parties except to service providers under strict confidentiality (e.g., Railway for hosting)
1.2.1 Delegated Mailboxes and Google Groups
Shared Email Access in Gmail:
Gmail's gmail.readonly permission gives us read-only access to any mailbox you can already see in Gmail, including:
1. Your Personal Mailbox
Your primary Gmail address (e.g., [email protected])
2. Delegated Mailboxes (If You Have Delegate Access)
- Mailboxes where the owner has granted you delegate permissions
- Example: Restaurant owner grants manager delegate access to [email protected]
- You can access these mailboxes because Google has already authorized you
3. Google Groups / Collaborative Inboxes (If You're a Member)
- Shared team inboxes (e.g., [email protected], [email protected])
- Only if you're a member of the Google Group
- Common for businesses using Google Workspace
How This Works
- When you connect Gmail to MightySmall, we can access ANY mailbox you have legitimate access to
- This includes personal mailboxes you've been delegated access to
- This includes Google Groups/collaborative inboxes you're a member of
- We CANNOT access mailboxes you don't have permission to view
Why This Is Essential:
Many hospitality businesses use:
- Shared Google Group inboxes for supplier invoices (accounts@, finance@)
- Delegated access so managers can process invoices from multiple locations
- Collaborative inboxes for centralized invoice management
Example Scenario
You ([email protected]) have delegate access to:
- [email protected] (delegated mailbox)
- [email protected] (Google Group member)
- [email protected] (Google Group member)
When you connect Gmail to MightySmall:
- ✅ We can scan all 4 mailboxes for invoices
- ✅ You choose which mailboxes to monitor in Settings
- ✅ Invoices from all mailboxes appear in YOUR MightySmall account
What We Access:
- Only mailboxes you have Google-authorized access to
- Only emails matching invoice detection criteria
- Only Google Groups you're a member of
What We Do NOT Access:
- Mailboxes you don't have delegate access to
- Other team members' personal mailboxes (unless they delegate to you)
- Google Groups you're not a member of
- Mailboxes outside your domain/organization
User Control:
- Choose which delegated mailboxes to scan in Settings → Connected Mailboxes
- Disable specific Google Group monitoring
- Revoke delegate access in Gmail settings → Google will automatically block our access
Privacy & Security:
- We only access mailboxes Google allows you to access
- Cannot bypass Google's permission system
- Extracted invoices are private to YOUR MightySmall account
- Other Google Group members cannot see your extracted data in MightySmall
Technical Note
Unlike Microsoft (which requires separate Mail.Read.Shared permissions for shared mailboxes), Gmail's gmail.readonly scope automatically includes any delegated mailbox or Google Group inbox you already have access to in Gmail. This is Google's design. We cannot request "personal only" or "shared only" access separately.
1.3 Outlook/Microsoft Data (via Microsoft Graph API)
When you connect your Outlook account, we access the following through the Microsoft Graph API:
Microsoft Graph API Permissions Explained:
We request these permissions:
- openid, email, profile - For authentication
- offline_access - To maintain access when you're not actively using the app (refresh tokens for background processing)
- Mail.Read - To read email messages in all folders of your mailbox (read-only access)
What Mail.Read Allows Us To Do:
- Access emails in ALL folders - Mail.Read gives read-only access to all folders in your mailbox, including:
- Auto-filed folders (e.g., IT rules moving invoices to "Finance/Invoices")
- Archive folders (emails auto-archived after 30 days)
- Department folders (Finance, Operations, Purchasing)
- All subfolders in your mailbox structure
- Download PDF attachments - Extract invoice data from PDFs attached to messages
- Search across folder structure - Find invoices regardless of where they've been filed
- Access archived emails - Retrieve invoices that have been auto-archived
What We Access:
- Email message headers (subject, sender, date, hasAttachments flag)
- Sender email addresses and names
- Attachment file names and content types
- PDF invoice attachments
- Messages across all folders (not just Inbox)
What We Do NOT Access:
- Calendar events, appointments, or meetings
- Contacts or address books
- OneDrive files or SharePoint documents
- Teams messages or channels
- Outlook settings, rules, or configurations
- Emails outside your designated folders (based on your automation settings)
What We NEVER Do (Mail.Read is Read-Only):
- Send emails on your behalf - Mail.Read does not allow sending
- Delete or modify emails - Mail.Read is strictly read-only; we cannot change, move, or delete emails
- Mark emails as read/unread - Mail.Read does not allow modifying email state
- Create folders or organize emails - Mail.Read does not allow write operations
- Share your emails - Your email content stays private to your account
- Access personal emails - We only process business invoices matching detection criteria
Read-Only Access for Security
MightySmall uses Mail.Read (read-only permission) which provides access to all folders in your mailbox without the ability to modify, send, or delete emails. This minimizes security risk while still allowing comprehensive invoice detection.
Your Control:
- Set automation to "Manual" → only process emails you explicitly select
- Configure whitelist → only scan emails from approved suppliers
- Revoke access anytime at: https://account.microsoft.com/privacy/app-access
Microsoft Authentication
We use Microsoft Authentication Library (MSAL) for secure authentication. Your Microsoft password is never seen or stored by MightySmall. We store only:
- Your Microsoft user ID (encrypted)
- Access token (valid for approximately 1 hour, encrypted)
- Refresh token (for offline access when you're not actively using the app, encrypted)
1.3.1 Shared Mailbox Access (Business Accounts)
Many hospitality businesses use shared email addresses for supplier communications (e.g., [email protected], [email protected]).
Current Limitation: Personal Mailbox Only
MightySmall currently only accesses YOUR personal Outlook mailbox.
- Shared mailboxes are NOT supported - We do not request Mail.Read.Shared permissions
- Delegated mailboxes are NOT accessible - Even if you have delegate access to [email protected], MightySmall cannot read it
- Future feature - Shared mailbox support may be added in a future update with appropriate consent and additional permissions
What We Access (Personal Mailbox Only):
- YOUR personal Outlook mailbox only (e.g., [email protected])
- All folders within your personal mailbox (Inbox, Archive, custom folders, subfolders)
- Emails matching invoice detection criteria (subject keywords, PDF attachments)
What We Do NOT Access:
- ❌ Shared mailboxes (accounts@, finance@, info@, etc.)
- ❌ Delegated mailboxes (even if you have "Send As" or "Full Access" permissions)
- ❌ Other team members' personal mailboxes
- ❌ Shared calendars, contacts, or OneDrive files
- ❌ Mailboxes outside your organization
Workaround for Shared Mailbox Invoices:
If your supplier invoices are sent to a shared mailbox:
- Option 1: Set up an Outlook rule to auto-forward invoices from the shared mailbox to your personal mailbox
- Option 2: Ask your IT admin to add your personal email as a CC recipient for invoice emails
- Option 3: Manually forward invoices from the shared mailbox to your personal mailbox
Example: Current Personal Mailbox Support
Restaurant setup:
- You log in as: [email protected] (your personal account)
- Sysco sends invoices to: [email protected] (your personal mailbox)
When you connect Outlook to MightySmall:
- ✅ We can detect Sysco invoices in YOUR personal mailbox
- ✅ Invoices appear in your MightySmall dashboard
- ✅ Works with ALL folders in your personal mailbox (Inbox, Archive, custom folders)
What does NOT work:
- ❌ If Sysco sends to [email protected] (shared mailbox), MightySmall cannot see it
- ❌ Even if you have delegate access to [email protected], MightySmall cannot read it
1.4 Extracted Invoice Data
From detected invoices (Gmail or Outlook), we extract and store:
- Supplier/vendor name
- Invoice number
- Invoice date and due date
- Line items (product descriptions, quantities, unit prices)
- Subtotals, tax amounts, and total amount
- Currency (default: AUD)
- PDF file (stored encrypted in Railway Buckets, S3-compatible object storage)
1.5 Usage and Analytics Data
We collect:
- IP address and browser type (for security and fraud prevention)
- Pages visited and features used (aggregated analytics only)
- Automation preferences (manual, semi-automatic, automatic)
- Whitelisted/blacklisted sender preferences
1.6 Cookies and Tracking
We use essential cookies for:
- Session management - To keep you logged in
- Authentication - OAuth state management
- Preferences - Remember your automation settings
We do NOT use third-party advertising cookies or tracking pixels.
2. How We Use Your Information
2.1 Primary Purposes
- Invoice Processing: Detect, extract, and organize your invoice data
- Price Comparison: Enable you to compare your pricing against anonymized market benchmarks (aggregated from minimum 5 venues)
- Savings Opportunities: Identify potential cost savings based on market data
- Group Buying: Facilitate group buying opportunities (requires separate opt-in consent)
- Account Management: Maintain your account, preferences, and settings
- Customer Support: Respond to your inquiries and provide technical support
2.2 Legal Basis for Processing (GDPR)
We process your data based on:
- Consent: You explicitly authorize us to access your Gmail/Outlook data during OAuth flow
- Contract Performance: Processing is necessary to provide the invoice extraction service you requested
- Legitimate Interests: Fraud prevention, security monitoring, platform improvement (where not overridden by your rights)
2.3 What We Do NOT Do
- Sell your data to advertisers, marketers, or data brokers
- Share individual invoices with competitors or other users (aggregated only, minimum 5 venues)
- Use for marketing without your separate opt-in consent
- Share with third parties except service providers under confidentiality agreements
- Train AI models on your raw invoice data without explicit consent
3. Data Sharing and Disclosure
3.1 We Do NOT Share Individual Data
Your individual invoice data, email metadata, and pricing information are NEVER shared with:
- Competitors or other hospitality businesses
- Third-party marketers or advertisers
- Data brokers
- Suppliers (unless you explicitly join a group buying program)
3.2 Anonymized Aggregated Data
We DO share anonymized, aggregated data for benchmarks:
- Minimum 5 venues required for any aggregate statistic
- Broad regions only (e.g., "Southwest WA", not specific addresses)
- No identifying information (business names removed)
- Price ranges (e.g., "$22-$32 for coffee beans") not individual prices
Example
"Cafes in Southwest WA (5-10 staff) pay $22-$32 for coffee beans (sample size: 12 venues)". No individual cafe is identifiable.
3.3 Service Providers
We share data with trusted service providers under strict confidentiality agreements:
- Railway (Hosting, Database & Object Storage): Hosts our Next.js application and stores encrypted user data, invoices, and PDFs in Railway Buckets (S3-compatible)
- Google & Microsoft: Authentication providers (they already have your email data)
Sub-processor List: Available upon request at [email protected]
3.4 Legal Requirements
We may disclose your information if required by law:
- Court orders or subpoenas
- Government investigations or regulatory requests
- To protect our legal rights or defend against claims
- To prevent fraud, abuse, or security incidents
3.5 Business Transfers
If MightySmall is acquired or merged with another company, your data may be transferred. We will notify you via email and provide an option to delete your data before the transfer.
4. Data Retention and Deletion
4.1 How Long We Keep Your Data
| Data Type | Retention Period | Reason |
|---|---|---|
| Account information | Until account deletion | Service provision |
| Email metadata (subject, sender, date) | 90 days | Invoice detection history |
| Invoice PDFs and extracted data | 7 years | Australian tax law compliance |
| Anonymized benchmarks | Indefinite | No user linkage (anonymized) |
| Audit logs (access, security) | 90 days | Security and compliance |
| OAuth tokens (Gmail, Outlook) | Until revoked or account deleted | Automated invoice processing |
4.2 Your Right to Delete Data
Individual Invoice Deletion:
- Delete any invoice at any time from your Dashboard
- Deleted invoices are removed from your account within 24 hours
- PDFs are permanently deleted from Railway Buckets within 7 days
Full Account Deletion:
To request complete account deletion:
- Email [email protected] with subject "Account Deletion Request"
- We will verify your identity (for security)
- Within 30 days, we will:
- Delete all your invoices and invoice data
- Delete all email metadata
- Remove your account and profile information
- Revoke OAuth tokens (Gmail and Outlook access)
- Delete PDFs from Railway Buckets
- Anonymize any aggregated benchmarks (remove user linkage)
- We will send you a confirmation email when deletion is complete
Note
Some data may be retained for legal compliance:
- Audit logs for security investigations (up to 90 days)
- Financial records if required by Australian tax law (7 years)
- Anonymized aggregated benchmarks (no longer linked to you)
4.3 Inactive Account Deletion
If your account is inactive for 2 years:
- We will send you an email warning 30 days before deletion
- If you do not log in within 30 days, your account will be automatically deleted
- To prevent deletion, simply log in during the 30-day grace period
5. Your Rights
5.1 Australian Privacy Act Rights
Under the Australian Privacy Act 1988, you have the right to:
- Access: Request a copy of your personal information (free of charge)
- Correction: Request correction of inaccurate or outdated information
- Complaint: Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at 1300 363 992 or www.oaic.gov.au
5.2 GDPR Rights (EU Residents)
If you are in the European Union, you have additional rights under GDPR:
- Right to Access (Article 15): Request a copy of your data
- Right to Rectification (Article 16): Request correction of inaccurate data
- Right to Erasure (Article 17): Request deletion ("right to be forgotten")
- Right to Data Portability (Article 20): Receive your data in machine-readable format (JSON/CSV)
- Right to Object (Article 21): Object to automated decision-making or profiling
- Right to Restrict Processing (Article 18): Request temporary suspension of data processing
- Right to Withdraw Consent: Revoke Gmail/Outlook access at any time
How to Exercise GDPR Rights
Email [email protected] with your request. We will respond within 30 days.
5.3 CCPA Rights (California Residents)
If you are a California resident, you have rights under CCPA:
- Right to Know: Request disclosure of data collected in the last 12 months
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out of Sale: We do NOT sell your data, but you can opt-out via the "Do Not Sell My Personal Information" link in our footer
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights
California Disclosure Categories:
| Category | Examples | Shared? |
|---|---|---|
| Identifiers | Email, name | No |
| Commercial information | Invoices, purchase history | Aggregated only (min 5) |
| Internet activity | Pages visited, IP address | No |
5.4 Revoking Email Access
Revoke Gmail Access:
- Go to Google Account Permissions
- Find "MightySmall" in the list
- Click "Remove Access"
This will immediately stop our app from accessing your Gmail. Extracted invoices will remain in your MightySmall account unless you delete them.
Revoke Outlook Access:
- Go to Microsoft Apps & Services
- Find "MightySmall" in the list
- Click "Remove" or "Revoke permissions"
6. Security Measures
6.1 How We Protect Your Data
Encryption:
- In Transit: All data transmitted using HTTPS/TLS 1.3 encryption (SSL certificates)
- At Rest: All data stored in Railway PostgreSQL with AES-256 encryption
- OAuth Tokens: Access tokens and refresh tokens stored encrypted
- Invoice PDFs: Stored encrypted in Railway Buckets (S3-compatible) with access controls
Access Controls:
- Row Level Security (RLS): Database policies ensure users can only access their own data
- Role-Based Access: Staff access limited to necessary functions only
- Audit Logging: All data access logged for security monitoring
Infrastructure Security:
- Railway-managed PostgreSQL with built-in security features
- Railway deployment with DDoS protection and private networking
- Regular security updates and patching
- Annual security assessments (Google CASA Tier 2 required for Gmail API)
No Absolute Security Guarantee
While we implement industry-standard security measures, no system is 100% secure. We cannot guarantee absolute security against all potential threats (e.g., sophisticated nation-state attacks, zero-day exploits). You use the service at your own risk.
6.3 Data Breach Notification
In the event of a data breach affecting your personal information:
- We will notify you within 72 hours (GDPR requirement)
- We will notify the OAIC and relevant authorities as required by law
- We will provide details of the breach, data affected, and remediation steps
- We will offer credit monitoring or other assistance if appropriate
Report security vulnerabilities to: [email protected]
7. Automation and User Control
7.1 Automation Levels
You control how MightySmall processes your emails through three automation modes:
- Manual Mode (Default):
- You must manually click "Send to MightySmall" for each invoice
- No automatic processing
- Maximum control, lowest automation
- Semi-Automatic Mode:
- App detects invoices and asks "Send this invoice?"
- You approve or reject each one
- Balance of automation and control
- Automatic Mode:
- App automatically processes invoices from whitelisted senders only
- You manage your whitelist of trusted suppliers
- Highest automation, least manual intervention
You can change your automation level at any time in Settings.
7.2 Whitelist/Blacklist Management
- Whitelist: Suppliers you trust for automatic processing (only in Automatic mode)
- Blacklist: Senders to never process (ignored even if keywords match)
- You have full control over these lists
7.3 Disabling the Add-on
To stop invoice detection entirely:
- Gmail: Remove the add-on from Gmail settings
- Outlook: Disable the add-in from Outlook settings
- Web App: Revoke OAuth access (see Section 5.4)
8. International Data Transfers
8.1 Where Your Data is Stored
MightySmall is based in Australia. Your data is stored in:
- Railway: Cloud infrastructure (hosting, PostgreSQL database, and object storage, US regions)
8.2 Data Transfers Outside Australia
If you are in Australia, your data may be transferred to:
- United States (Railway)
Safeguards
- Railway is GDPR-compliant and uses Standard Contractual Clauses (SCCs)
- All data encrypted in transit and at rest
- We do not transfer data to countries without adequate data protection laws
8.3 GDPR Compliance for EU Transfers
If you are in the EU:
- We rely on Standard Contractual Clauses (SCCs) for transfers to the US
- We ensure service providers implement appropriate technical and organizational measures
- You have the right to object to transfers (contact [email protected])
9. Children's Privacy
MightySmall is not intended for children under 18. We do not knowingly collect data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at [email protected] and we will delete it promptly.
10. Changes to This Privacy Policy
10.1 How We Notify You
We may update this Privacy Policy from time to time. If we make material changes:
- We will update the "Last Updated" date at the top
- We will notify you via email at least 30 days before changes take effect
- For Gmail/Outlook data usage changes, we will request new consent
10.2 Your Options When We Update
If you do not agree with the updated policy:
- You may delete your account before the effective date
- You may revoke Gmail/Outlook access
- Continued use after the effective date constitutes acceptance
11. Third-Party Links
Our website may contain links to third-party websites (e.g., Google, Microsoft, Railway). This Privacy Policy does not apply to those websites. We are not responsible for their privacy practices. Please review their privacy policies before providing any data.
12. Contact Us
Privacy Inquiries:
Email: [email protected]
Mail: MightySmall, [Your Business Address], Australia
Data Protection Officer (DPO):
If required under GDPR, our DPO can be reached at [email protected]
Regulatory Authorities:
- Australia: Office of the Australian Information Commissioner (OAIC) - 1300 363 992 - www.oaic.gov.au
- EU: Contact your local Data Protection Authority - List of EU DPAs
- California: California Attorney General - oag.ca.gov/privacy
13. Policy Versions and History
| Version | Date | Changes |
|---|---|---|
| 1.0 | December 28, 2025 | Initial Privacy Policy |
Summary (Not Legal Advice)
- We access your Gmail/Outlook only to detect and extract invoice data
- We do not read your personal emails or non-invoice content
- We do not sell your data to anyone
- You can delete your data or revoke access at any time
- We comply with Australian Privacy Act, GDPR, CCPA, and Google/Microsoft policies
- Questions? Email [email protected]
This Privacy Policy was last reviewed and approved on December 28, 2025. For the most current version, visit https://mightysmall.io/privacy