Privacy Policy
Last Updated: November 28, 2025
At OrderStash, we take your privacy seriously. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our service. By using OrderStash, you agree to the practices described in this Privacy Policy.
1. Information We Collect
Account Information: When you create an account, we collect:
- Email address
- Password (stored only as a one-way hash, never in plain text)
- Account creation date
Extracted Order Data: When you connect your email account (Gmail or Outlook) to our service, we extract and store order information from your order confirmation emails, including:
- Retailer names and contact information
- Order numbers and order dates
- Item descriptions, quantities, and categories
- Prices, subtotals, taxes, shipping costs, and total amounts
- Return window dates and return policies
- Product identifiers (SKUs, ASINs) when available
Usage Information: We automatically collect certain information about how you use our service:
- Login times and frequency of use
- Features accessed and actions taken within the service
- Browser type, device type, and operating system
- IP address and general geographic location
2. How We Use Your Information
We use the information we collect for the following purposes:
- Service Delivery: To provide you with a unified order history, return window tracking, spending analytics, and reordering assistance
- Email Processing: To scan your connected email accounts for order confirmations and extract relevant order information
- Account Management: To authenticate your identity, maintain your account, and communicate with you about your service
- Service Improvement: To understand how you use our service and improve features, performance, and user experience
- Security: To detect and prevent fraud, abuse, and security incidents
- Legal Compliance: To comply with applicable laws, regulations, and legal processes
3. What We Do NOT Do With Your Information
We are committed to protecting your privacy. We do NOT:
- Sell, rent, or trade your personal information (information that identifies you individually) to third parties
- Share your order data or email content with advertisers or marketing companies in a way that identifies you
- Read, store, or process personal correspondence or non-order-related emails
- Share your information with third parties except as described in this policy
- Send you marketing emails unless you explicitly opt in
Note on Aggregated Data: We may create, use, and share aggregated, depersonalized data derived from order information. This data is fully anonymized, cannot be used to identify you, and may be used for market research, analytics, or other commercial purposes. See Section 4 for more details.
4. How We Share Your Information
We share your information only in the following limited circumstances:
Service Providers: We work with third-party service providers who help us operate our service:
- Cloud Hosting: Our servers and databases are hosted by trusted cloud infrastructure providers
- AI Processing: We use third-party AI services (Google Gemini) to process emails and extract order information. These providers are bound by strict data processing agreements
- Email Providers: We connect to Gmail (Google) and Outlook (Microsoft) through their official APIs
All service providers are contractually obligated to maintain the confidentiality and security of your data and are prohibited from using your data for any purpose other than providing services to us.
Legal Requirements: We may disclose your information if required by law, such as:
- In response to a subpoena, court order, or other legal process
- To protect the rights, property, or safety of OrderStash, our users, or the public
- To enforce our Terms of Service or investigate potential violations
Business Transfers: If OrderStash is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or a prominent notice on our website of any change in ownership or use of your personal information.
With Your Consent: We may share your information for other purposes with your explicit consent.
Aggregated and Depersonalized Data: We may share or sell aggregated, depersonalized consumer spending data with third parties for market research, analytics, trend analysis, and other commercial purposes. This data:
- Is fully anonymized and cannot be used to identify you or any individual user
- Does not include your name, email address, or any personal identifiers
- May include aggregate statistics such as spending trends by category, retailer popularity, average order values, and regional purchasing patterns
- Helps businesses understand consumer behavior and market trends
This aggregated data is not considered "personal information" under privacy laws because it cannot reasonably be linked back to you. Your individual order details, purchase history, and personal information are never sold or shared in identifiable form.
5. Data Security
We implement industry-standard security measures to protect your data:
- Encryption: All data transmitted between your device and our servers is encrypted in transit using TLS. Sensitive data at rest, including email account access tokens, is encrypted in our database
- Email Account Access: Email accounts are connected through OAuth 2.0, so your email provider password is never shared with us. The OAuth access tokens we receive are encrypted before storage
- Authentication: Your OrderStash account is protected by password-based authentication, with passwords stored only as one-way hashes, never in plain text
- Infrastructure Security: Our servers are hosted on secure, SOC 2 compliant infrastructure with regular security audits
- Monitoring: We continuously monitor our systems for security vulnerabilities and suspicious activity
- Limited Access: Employee access to user data is strictly limited on a need-to-know basis
CASA Tier 2 Security Assessment
OrderStash has completed the App Defense Alliance's Cloud Application Security Assessment (CASA) at Tier 2, which Google requires of apps that request restricted scopes for sensitive Google Workspace data such as Gmail content. Our assessment was performed by TAC Security, an App Defense Alliance–authorized lab and Google-preferred CASA partner. As part of this process, TAC Security ran an in-depth application security scan based on the CASA Tier 2 controls and verified our remediation of all identified high-severity issues. Upon completion, we received a Letter of Validation (LoV) confirming that OrderStash meets CASA Tier 2 requirements.
While we implement strong security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to protecting your data.
6. Incident Response and Data Breach Notification
We are committed to protecting your personal information and responding swiftly to any security incidents that may affect your data. This section describes our procedures for detecting, responding to, and notifying you of security incidents or data breaches.
Detection and Monitoring
We employ multiple layers of security monitoring to detect potential incidents:
- Automated Monitoring: 24/7 automated systems monitor for unauthorized access, suspicious activity, and security anomalies
- Intrusion Detection: Real-time intrusion detection systems alert our security team to potential threats
- Log Analysis: Security logs are continuously analyzed for indicators of compromise
- Vulnerability Scanning: Regular automated scans identify potential security vulnerabilities
- Third-Party Security Services: We work with external security monitoring services to identify emerging threats
Incident Response Procedures
When a potential security incident is detected, we follow a structured incident response process:
1. Initial Assessment (0-1 hour)
- Security team is immediately notified of the potential incident
- Incident severity is assessed based on scope, data types affected, and number of users impacted
- Incident response team is assembled based on severity level
2. Containment (1-4 hours)
- Immediate action is taken to contain the incident and prevent further unauthorized access
- Affected systems are isolated if necessary to prevent spread
- Access credentials and tokens are revoked if compromised
- Security controls are strengthened to prevent exploitation
3. Investigation (4-24 hours)
- Forensic analysis is conducted to determine the root cause and scope of the breach
- All affected systems, data, and users are identified
- Timeline of the incident is established
- Evidence is collected and preserved for potential legal or regulatory requirements
4. Eradication and Recovery (24-72 hours)
- Root cause is addressed and security vulnerabilities are patched
- Compromised systems are cleaned, restored, or rebuilt
- Systems are brought back online with enhanced security measures
- Additional monitoring is implemented to detect any residual threats
5. Post-Incident Review (within 7 days)
- Comprehensive incident report is prepared documenting timeline, impact, and response actions
- Root cause analysis identifies how the incident occurred and what controls failed
- Lessons learned are documented and security improvements are implemented
- Incident response procedures are updated based on findings
Data Breach Notification Requirements
In the event of a data breach that affects your personal information, we will notify you and relevant authorities in accordance with applicable laws:
GDPR Compliance (EEA Residents)
- Supervisory Authority Notification: Within 72 hours of becoming aware of a breach, we will notify the relevant data protection authority, unless the breach is unlikely to result in a risk to your rights and freedoms (as required by GDPR Article 33)
- User Notification: If the breach poses a high risk to your rights and freedoms, we will notify you without undue delay (as required by GDPR Article 34)
- Notification Content: Our notification will include the nature of the breach, likely consequences, measures taken or proposed, and contact information
California Breach Notification Law (California Residents)
- User Notification: As required by California's data breach notification law (Civil Code Section 1798.82), we will notify California residents without unreasonable delay if their personal information was, or is reasonably believed to have been, acquired by an unauthorized person
- Notification Method: Email notification to the address associated with your account, or substitute notice if email contact is infeasible
- California Attorney General: We will notify the California Attorney General if the breach affects more than 500 California residents
All Users
- Timely Notification: We will notify all affected users as soon as reasonably possible after determining a breach has occurred
- Clear Communication: Our notification will be in plain language and explain what happened, what data was affected, and what steps you should take
- Support Resources: We will provide dedicated support to help you protect your account and personal information
What We Will Tell You
If we notify you of a data breach, our notification will include:
- Description of the Incident: What happened, when it occurred, and when we discovered it
- Types of Data Affected: What categories of personal information were involved (e.g., email addresses, order data, account credentials)
- Number of Users Affected: Approximately how many users were impacted
- Potential Risks: What the breach could mean for you and your data
- Steps We Have Taken: What we did to contain the breach, investigate it, and prevent recurrence
- Steps You Should Take: Recommended actions to protect yourself (e.g., change passwords, monitor accounts, enable MFA)
- Contact Information: How to reach our security team with questions or concerns
- Regulatory Notifications: What authorities have been notified and their contact information
Your Rights After a Breach
If your personal information is affected by a data breach, you have the right to:
- Request Detailed Information: Ask us for more details about the breach and how it affected your data
- Access Your Data: Request a copy of all data we hold about you
- Delete Your Account: Immediately delete your account and all associated data
- Revoke OAuth Access: Disconnect your email accounts to stop all email access
- File a Complaint: Lodge a complaint with a data protection authority if you believe your rights have been violated
- Seek Remedies: Pursue legal remedies if you have suffered damages as a result of the breach
Preventive Measures
To minimize the risk and impact of security incidents, we maintain:
- Incident Response Plan: Documented procedures for responding to different types of security incidents
- Trained Response Team: Dedicated security personnel trained in incident detection, response, and recovery
- Regular Security Audits: Periodic third-party security assessments to identify vulnerabilities
- Penetration Testing: Regular authorized testing of our systems to find security weaknesses
- Employee Training: Ongoing security awareness training for all personnel with access to user data
- Business Continuity Plan: Procedures to maintain service availability during and after incidents
- Backup and Recovery: Regular encrypted backups to enable rapid recovery from incidents
Reporting Security Concerns
If you believe you have discovered a security vulnerability or potential incident, please report it immediately:
- Email: [email protected] (monitored 24/7)
- Response Time: We will acknowledge receipt within 24 hours and provide an initial assessment within 72 hours
- Responsible Disclosure: We request that you do not publicly disclose the vulnerability until we have had a reasonable time to address it
- Recognition: We appreciate responsible disclosure and may recognize security researchers who help us improve our security
Third-Party Service Incidents
If a security incident occurs at one of our third-party service providers (Google, Microsoft, etc.):
- We will monitor the situation closely and assess the potential impact on our users
- We will work with the provider to understand the scope and impact of the incident
- We will notify affected users if the incident exposed your data or credentials
- We will take additional protective measures such as rotating access tokens or credentials
Contact for Incident-Related Questions
For questions about our incident response procedures or to report a security concern:
- Security Team: [email protected]
- Privacy Team: [email protected]
- Response Time: Within 24 hours for security reports, within 30 days for general questions
7. Data Retention
We retain your personal data only as long as necessary to provide our services and comply with legal obligations.
Retention Periods
Email Messages (order confirmation emails)
- Duration: 365 days from receipt
- Automatic Deletion: Messages older than 365 days are automatically deleted
- Purpose: Allows re-extraction of order data if needed and maintains order history
Extracted Order Information
- Duration: Retained until you delete your account
- Purpose: Provides ongoing access to your purchase history and analytics
Account Information
- Duration: Retained while your account is active
- Data Includes: Email address, encrypted password, account preferences
- Deletion: Permanently removed within 30 days of account deletion
- Purpose: Enables account access and service functionality
OAuth Access Tokens
- Duration: Valid for 60 days or until you disconnect your Gmail account
- Storage: Encrypted at rest; the encryption key is derived using PBKDF2 with 480,000 iterations
- Deletion: Immediately revoked when you disconnect your Gmail account, delete your account, or revoke access through Google Account settings
Security and Audit Logs
- Duration: 90 days
- Purpose: Security monitoring, fraud prevention, compliance requirements
- Data Includes: Login attempts, authentication events, admin actions
- Note: May be retained longer if required by law or ongoing security investigation
Analytics Data
- Duration: 24 months
- Purpose: Improve service performance and user experience
- Data Includes: Aggregated usage statistics, error reports (no personal identifiers)
Automatic Cleanup Process
Our system automatically runs cleanup tasks daily at 2:00 AM UTC to delete email messages older than 365 days, remove expired OAuth states (older than 24 hours), purge security logs older than 90 days, and clean up orphaned data from deleted accounts.
Account Deletion
When you delete your account, we permanently remove:
- All email messages (immediate)
- All extracted order data (immediate)
- Account credentials and settings (immediate)
- OAuth tokens (immediate, access revoked)
- Personally identifiable information (within 30 days)
We may retain:
- Aggregated analytics (anonymized, no personal identifiers)
- Security logs (up to 90 days, or longer where required by law or an ongoing security investigation, as noted above)
- Transaction records for tax/accounting purposes (as required by law)
Legal Retention Requirements
We may retain certain data longer than specified above when required by law (tax records, financial reporting), necessary for legal proceedings, required to prevent fraud or abuse, or when you have provided explicit consent for longer retention.
Your Control Over Data Retention
You have the following options:
- Manual Message Deletion: Delete specific emails at any time
- Disconnect Gmail: Stops new messages and revokes OAuth access
- Export Your Data: Download all your data before deletion (Settings → Export Data)
- Delete Account: Permanently remove all data (Settings → Delete Account)
- Adjust Preferences: Contact [email protected] for custom retention preferences
Changes to Retention Policies
If we change our data retention policies, we will update this Privacy Policy with the new date, notify you via email if the changes are material, provide 30 days' notice before implementing the changes, and allow you to delete your account if you disagree.
Questions About Data Retention
For questions about how long we keep your data or to request early deletion, email [email protected] (response time: within 30 days, inside the one-month window GDPR sets for such requests and the 45-day window under CCPA).
8. Your Privacy Rights
You have the following rights regarding your personal information:
- Access: You can view all extracted order data through your dashboard at any time
- Correction: You can edit or correct any inaccurate order information through the web interface
- Deletion: You can delete individual orders or your entire account, which permanently removes all your data
- Portability: You can request a copy of your data in a machine-readable format
- Revocation: You can disconnect your email account at any time, immediately stopping all email access
- Opt-Out: You can opt out of non-essential communications
To exercise these rights, use your account settings or contact us through your account dashboard.
California Residents: If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to delete your information, and the right to opt-out of the sale of your personal information. Note: We do not sell personal information that identifies you. We may share aggregated, depersonalized data as described in Section 4, which is not considered a "sale" of personal information under CCPA.
European Economic Area (EEA) Residents: If you are in the EEA, you have rights under the General Data Protection Regulation (GDPR), including the right to access, rectification, erasure, restriction of processing, data portability, and objection.
9. Cookies and Tracking Technologies
We use cookies and similar technologies to provide and improve our service:
- Essential Cookies: Required for authentication and basic service functionality
- Session Cookies: Used to maintain your login session
- Security Cookies: Used to prevent fraud and enhance security
We do not use third-party advertising cookies or tracking pixels. You can control cookies through your browser settings, but disabling essential cookies may affect service functionality.
10. Third-Party Services
Our service integrates with the following third-party services:
Email Providers:
- Gmail (Google): We use Gmail API to access your Gmail account. Google's use of your information is governed by the Google Privacy Policy
- Outlook (Microsoft): We use Microsoft Graph API to access your Outlook account. Microsoft's use of your information is governed by the Microsoft Privacy Statement
AI Processing Services:
- Google Gemini: Used for AI-powered order extraction. Subject to Google Cloud's data processing terms
These third-party services are bound by data processing agreements that require them to protect your data and use it only for providing services to us.
11. Children's Privacy
OrderStash is not intended for use by children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately and we will delete the information.
12. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from the laws of your country. We ensure that such transfers comply with applicable data protection laws and implement appropriate safeguards.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last Updated" date at the top of this policy
- Notify you by email or through a prominent notice on our website
- Provide you with an opportunity to review the changes before they take effect
Your continued use of OrderStash after the effective date of the updated Privacy Policy constitutes acceptance of the changes.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us through your account settings or visit our website.
For privacy-related inquiries, you can also reach us at:
OrderStash
Privacy Department
Via website contact form
By creating an account and using OrderStash, you acknowledge that you have read, understood, and agree to this Privacy Policy.
