AR
AR2EZ
Stop chasing. Get paid.

AR2EZ Privacy Policy

Last updated: May 31, 2026. This privacy policy describes how AR2EZ collects, uses, and protects information.

AR2EZ provides invoice follow-up software. For privacy requests, contact support@ar2ez.com.

Google API Services User Data Policy

AR2EZ's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. AR2EZ requests only the gmail.send scope. We do not access, read, store, or transmit your email message contents or inbox. We use Gmail send authority only to deliver invoice follow-up emails that you have explicitly approved within AR2EZ. OAuth refresh tokens are stored encrypted at rest and can be revoked at https://myaccount.google.com/permissions. We do not sell Google user data, use Google user data for advertising, or transfer Google user data to others except as necessary to provide and secure AR2EZ.

Subprocessors

We use these third-party services to operate AR2EZ:

  • Vercel — application hosting
  • Supabase — database (Postgres)
  • Resend — transactional email
  • Stripe — payment processing
  • Cloudflare — DNS and CDN
  • Google Cloud (Document AI) — OCR on user-uploaded invoice PDFs to auto-populate invoice fields
  • OpenAI — optional marketing tagline suggestions in settings

Google User Data

Email content sent through your connected Gmail account using the gmail.send scope flows directly from AR2EZ to the Google Gmail API to your recipient. We do not share, transfer, or disclose Google user data with any third party, including the AI providers above. AI features in AR2EZ (OCR on uploaded invoice PDFs; tagline generation) operate only on data you explicitly provide outside of your Gmail account.

AI/ML Model Training

AR2EZ does not use Google user data, or any user data, to develop, improve, or train generalized or specialized AI/ML models. AI features rely on third-party pre-trained models (Google Document AI, OpenAI GPT-5.5) and do not provide your data back to those providers for training.

Data we collect

  • Account data: name, email address, workspace name, subscription tier, and support messages.
  • Invoice data: uploaded PDFs/images, parsed invoice fields, invoice amounts, due dates, customer names, and customer contact information you enter.
  • OAuth data: Gmail and Outlook OAuth tokens used to send approved follow-up emails on your behalf.
  • Payment data: Stripe customer, subscription, checkout, and payment status identifiers. AR2EZ does not store full card numbers.
  • Essential technical data: session cookies, security logs, IP-derived request metadata, and device/browser information needed to operate and secure the service.

How we use data

We use data to provide AR2EZ, create invoice records, parse invoice content, connect your email account, send only the reminders you approve, process billing, prevent abuse, maintain security, and respond to support/data requests.

GDPR lawful basis

Where GDPR applies, our lawful bases include contract performance for providing AR2EZ, legitimate interests for service security and improvement, consent for OAuth/email-account connection where required, and legal obligations for billing, tax, and compliance records.

Retention and deletion

Active account data is retained while your account is active. If you request account deletion, AR2EZ will delete or de-identify active account, workspace, invoice, upload, token, and customer records, then retain backup copies for up to 90 days before purge. Some billing/security records may be retained longer where required by law or necessary to resolve disputes.

Delete-account flow: email support@ar2ez.com from your account email with “Delete my AR2EZ account.” We will verify the request, delete active records, revoke stored OAuth tokens where possible, and confirm completion. This is the Article 17 right-to-erasure and CCPA right-to-delete path until self-serve deletion ships.

Your rights

Depending on where you live, you may request access, correction, deletion, export, restriction, objection, or withdrawal of consent. California residents may exercise CCPA/CPRA rights to know, access, correct, delete, and opt out of sale/share. AR2EZ does not sell personal information or track users across sites.

Cookies

AR2EZ currently uses essential session cookies for sign-in and security. We do not use analytics cookies or third-party advertising trackers.

International transfers and security

AR2EZ and its subprocessors may process data in the United States and other locations where they operate. We use reasonable administrative, technical, and organizational safeguards, including access controls and encrypted service providers, but no system is perfectly secure.

Changes to this policy

We will notify users of material changes via email to the workspace owner and in-app notification at least 30 days before changes take effect.

Contact

For privacy, deletion, or data-access requests: support@ar2ez.com.