1. Who We Are
DocuMesh is a document intelligence platform that extracts structured data from invoices, purchase orders, bills of lading, and other business documents for retail AP teams.
This Privacy Policy explains how DocuMesh handles information in connection with your use of the DocuMesh software, website, API, and related services.
By creating an account or using DocuMesh, you agree to the practices described in this policy.
2. What Information We Collect
Account Information
When you create a DocuMesh account, we collect your name, email address, and company. These profile fields are encrypted at rest using AES-256-GCM — they are never stored as plain text in our database.
Payment Information
Subscription payments are processed by Stripe. We receive only a payment confirmation and your subscription status. We never see or store your credit card number.
Documents and Extracted Data
PDF files you upload are stored temporarily during processing. They are deleted immediately after OCR extraction is complete. Only extracted structured fields are retained in your account.
Software Version and License Status
When DocuMesh checks for updates or validates your subscription, it may send your software version number and a license token to our servers. No document content is included.
Support Communications
If you contact us for help, we receive your message and email address.
What We Never Collect
We do not sell your data. We do not use behavioral analytics, advertising trackers, device fingerprints, or browsing history. We do not retain copies of your original PDFs after extraction.
3. How We Use Your Information
We use the limited information we collect exclusively to:
- Manage your account and validate your subscription
- Process subscription billing through Stripe
- Respond to support requests
- Notify you of software updates
- Comply with legal obligations
- Detect and prevent fraud and unauthorized access
We do not use your information for any other purpose without your explicit consent.
4. What We Do Not Do
We make the following firm commitments:
- We do not sell your personal information to any third party, ever
- We do not share your data with advertisers or data brokers
- We do not use your document content for advertising, model training, or any commercial purpose
- We do not send your invoices, POs, or extracted data to any external OCR service, AI provider, or cloud processor
- We do not use your QuickBooks financial data for any purpose other than the specific action you requested
- We do not retain copies of your documents after extraction
- We do not track your behavior within the DocuMesh application
- We do not share data across customer accounts for any purpose
5. QuickBooks Integration
When you connect DocuMesh to QuickBooks Online, you are redirected to Intuit's authorization page and log in directly on Intuit's servers. DocuMesh never sees your Intuit username or password.
After you grant permission, Intuit provides DocuMesh with an OAuth 2.0 access token. This token is stored encrypted in your DocuMesh database.
Permissions We Request
DocuMesh requests only the minimum permissions necessary: write access to create bills, invoices, and purchase orders in your QB account. We do not request access to your existing transactions, bank accounts, payroll, or any other QB data.
How We Use Your QuickBooks Access
We use your QB access token solely to execute the specific action you initiate — pushing an extracted document to QuickBooks. We do not access your QuickBooks account in the background or without your direct action.
Revoking Access
You can disconnect QuickBooks at any time from Settings → Integrations → QuickBooks → Disconnect. Your tokens are immediately and permanently deleted. You can also revoke access from your Intuit account at accounts.intuit.com → Connected Apps.
QuickBooks Desktop
QB Desktop integration works via IIF file export — no OAuth connection is required. DocuMesh generates a local .IIF file you import manually. No network connection to Intuit is involved.
6. Data Storage and Security
All DocuMesh data — your account, extracted document fields, job history, API keys, and QuickBooks tokens — is stored in a PostgreSQL database. User profile data (name, email, company) is encrypted at rest. You can export or delete this data at any time.
Security measures built into DocuMesh:
- User profile data encrypted at rest using AES-256-GCM (email, name, and company)
- QuickBooks and integration tokens encrypted at rest using AES-256
- API keys stored as SHA-256 hashes — the raw key is shown only once and never stored
- Passwords hashed using a salted one-way hash — we cannot recover your password
- Sessions use cryptographically random tokens with configurable expiration
- Uploaded PDFs deleted from disk immediately after processing
We recommend using HTTPS for network-accessible deployments and taking regular encrypted backups.
7. Data Retention
- Uploaded PDFs: Deleted immediately after extraction — not stored
- Extracted job results: Retained in your account until you delete them
- Account information: Retained until you delete your account
- API keys: Retained until you revoke them from Settings → API Keys
- QuickBooks tokens: Deleted immediately upon disconnection
- Support emails: Retained up to 3 years
- Payment records: Stripe retains billing records as required by law; DocuMesh retains only your subscription status
You can delete all your DocuMesh data at any time from Settings → Privacy → Delete All Data.
8. Third-Party Services
DocuMesh uses the following third-party services. None of these receive your document content or extracted data:
- Stripe — Payment processing (stripe.com/privacy)
- Intuit / QuickBooks — OAuth provider (intuit.com/privacy)
- Email provider — Transactional emails only. Only your email address is shared.
DocuMesh does not use Google Analytics, Facebook Pixel, advertising networks, or any behavioral tracking service.
No third-party OCR or AI services: All document processing runs on DocuMesh servers using our proprietary extraction stack. Your document content is never sent to OpenAI, Google Cloud Vision, AWS Textract, Azure, or any other external service.
9. Your Rights and Choices
Depending on your location, you may have the right to:
- Access — Request a copy of the personal information we hold about you
- Correction — Request correction of inaccurate personal information
- Deletion — Request deletion of your account and associated personal information
- Portability — Export your data at any time from your account
- Opt out of error reporting — Disable anonymized crash reporting from Settings → Privacy
- Disconnect integrations — Revoke any connected integration at any time from Settings → Integrations
California residents (CCPA): We do not sell personal information. You have the right to know what we have collected and request deletion.
EEA/UK residents (GDPR): Our lawful basis for processing is performance of contract, legitimate interests, and legal obligation. You have the right to lodge a complaint with your supervisory authority.
To exercise any of these rights, contact us at privacy@documesh.ai. We will respond within 30 days.
11. Children's Privacy
DocuMesh is a business tool not directed at children under 13 (or 16 in the EEA/UK). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us at privacy@documesh.ai and we will delete it.
12. International Users
DocuMesh is operated in the United States. The limited personal information we collect (name, email, subscription status) may be transferred to and processed in the United States. For EEA and UK users, we rely on Standard Contractual Clauses as the legal transfer mechanism.
Extracted document data is stored in your DocuMesh account and can be exported or deleted at any time.
13. Changes to This Policy
When we make material changes, we will:
- Post the updated policy with a new "Last Updated" date
- Send email notice to your registered address at least 30 days before changes take effect
- Show an in-app notification when you next open DocuMesh
Continued use of DocuMesh after the effective date constitutes acceptance. You may cancel your subscription before the effective date if you do not agree.
14. Contact Us
- Privacy inquiries: privacy@documesh.ai
- Data deletion requests: privacy@documesh.ai — Subject: "Data Deletion Request"
- General support: support@documesh.ai
- Website: documesh.ai
- Mailing address: DocuMesh, United States
- Response time: Within 30 days for all privacy requests
- For QuickBooks-related data concerns, you may also contact Intuit at intuit.com/privacy.