Privacy Policy

TRO Invoice Matcher ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our invoice processing platform at tro-matcher.com (the "Service").

Built for Small and Medium Businesses: We designed our privacy practices with SMBs in mind. Unlike enterprise solutions that often require extensive data sharing across their ecosystems, TRO Matcher operates on a data-minimization principle. We collect only what is necessary to provide our Service, and you should not need a legal team to understand how we handle your data.

Quick Summary:

• We collect only data necessary to provide our Service
• Your invoice data is processed by AI and is not sold to third parties. We share data only with service providers necessary to deliver the Service as described in this Privacy Policy
• You have the ability to access, export, and request deletion of your personal data, subject to applicable legal requirements
• We comply with GDPR, CCPA, PIPEDA, and Australian Privacy Act

Please read this Privacy Policy carefully. By using the Service, you agree to the collection and use of information in accordance with this policy.

The data controller responsible for your personal data is:

For any privacy-related inquiries or to exercise your data rights, please contact us at support@tro-matcher.com.

We collect the following categories of personal data:

Your Responsibility for Uploaded Data: You represent and warrant that you have all necessary rights, consents, and authorizations to upload and process any invoices and documents through the Service, including any personal data of third parties contained therein. You agree to indemnify and hold us harmless from any claims arising from your upload of content that you do not have the right to process.

We process your personal data for the following purposes:

• Service Delivery: To extract data from your invoices using AI, compare invoices, and generate recommendations
• Account Management: To create and manage your account, authenticate access, and provide customer support
• Subscription Management: To process payments, manage your subscription, and send billing notifications
• Service Improvement: To analyze usage patterns and improve our AI extraction accuracy and user experience
• Communication: To send service-related emails (password resets, security alerts, subscription updates)
• Legal Compliance: To comply with applicable laws and respond to legal requests
• Security: To detect, prevent, and address technical issues and security threats

Under GDPR Article 6, we rely on the following legal bases for processing:

We share your data with the following third-party processors who help us operate our Service:

Some of our service providers are located outside the European Economic Area (EEA). When we transfer your data internationally, we ensure adequate protection through:

• Standard Contractual Clauses (SCCs): EU-approved contractual terms that provide adequate data protection
• Data Processing Agreements: Binding agreements with all processors specifying their data protection obligations
• Adequacy Decisions: Where applicable, we rely on EU adequacy decisions for specific countries

For transfers to the United States, we ensure our providers maintain appropriate certifications and implement supplementary measures as required by the Schrems II decision.

We retain different categories of data for different periods based on legal requirements and business needs:

Depending on your location, you may have the following rights regarding your personal data:

• Right of Access (Art. 15): Request a copy of your personal data
• Right to Rectification (Art. 16): Correct inaccurate personal data
• Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
• Right to Restriction (Art. 18): Limit how we process your data
• Right to Data Portability (Art. 20): Receive your data in a machine-readable format
• Right to Object (Art. 21): Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent

How to Exercise Your Rights: You can exercise most rights directly through your account settings. For data export or deletion, go to Settings > Privacy. For other requests, email support@tro-matcher.com. We aim to respond within 30 days. For complex requests or high volumes of requests, we may extend this period by up to 60 additional days as permitted by applicable law, in which case we will inform you of the extension and the reasons for the delay.

Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been violated.

We use a minimal approach to cookies, prioritizing your privacy. For detailed information about all cookies we use, please see our Cookie Policy.

Cookie Categories:

• Essential Cookies: Required for authentication and security (session tokens, CSRF protection). These cannot be disabled as the Service would not function without them.
• Analytics Cookies: With your consent, we may use analytics cookies to understand how visitors use our Service. You can manage this preference in our Cookie Preference Center.
• Marketing Cookies: We currently do not use marketing or advertising cookies.
• Functional Cookies: With your consent, these cookies enable enhanced functionality such as remembering your preferences.

Managing Your Preferences: You can manage your cookie preferences at any time using our Cookie Preference Center. Look for the cookie settings link in the footer or on our Cookie Policy page.

Global Privacy Control (GPC): We honor the Global Privacy Control signal. If your browser sends a GPC signal, we will treat it as a valid opt-out request and will not set any non-essential cookies.

For more information about how we use cookies, including a complete list of cookies and their purposes, please visit our Cookie Policy.

Our Service uses Google Gemini AI to extract structured data from invoice images and documents. Here's what you need to know:

• What AI Does: When you upload an invoice, AI extracts text, identifies vendor names, amounts, dates, and line items, and structures this data for comparison
• No Profiling: We do not use your data to profile you or make automated decisions that affect you legally
• Human Review Available: You can always review, edit, or delete extracted data before using it
• No Training: Your invoice data is not used to train our AI models or Google's models
• Accuracy Disclaimer: AI extraction is provided as a convenience and may contain errors. You are solely responsible for verifying the accuracy of all extracted data before relying on it for any purpose. We make no representations or warranties regarding the accuracy, completeness, or reliability of AI-extracted data.

GDPR Article 22: Our AI processing does not constitute automated individual decision-making under Art. 22 because the extracted data is always subject to your review and does not produce legal effects on you.

Your Rights Under GDPR Article 22:

• Review all AI-extracted data before using it
• Modify or correct any extracted information
• Request manual processing by contacting support@tro-matcher.com
• Obtain human intervention for concerns about AI output

To request human review, email support@tro-matcher.com with "Human Review Request" in the subject line. Response within 30 days.

We employ commercially reasonable administrative, technical, and physical safeguards designed to protect your personal data. The following describes our current security practices, which may be updated from time to time to address evolving security threats:

Our Service is not intended for users under the age of 13 (or 16 in the EEA). We do not knowingly collect personal data from children.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us at support@tro-matcher.com. If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete that information.

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: Request information about what personal data we collect, use, and share
• Right to Delete: Request deletion of your personal data
• Right to Correct: Request correction of inaccurate personal data
• Right to Opt-Out: Opt out of the sale or sharing of personal data
• Right to Non-Discrimination: Not be discriminated against for exercising your rights

We Do Not Sell Your Data: We do not sell your personal information to third parties as defined by CCPA. We do not share your data for cross-context behavioral advertising.

To exercise your California rights, email support@tro-matcher.com with subject "CCPA Request" or use the in-app privacy controls.

If you are located in the United Kingdom, you are protected by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Your rights under UK GDPR are substantially similar to those under EU GDPR as described in Section 9. You have the right to lodge a complaint with the Information Commissioner's Office (ICO):

If you are located in Canada, your personal information is protected under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws.

Under PIPEDA, you have the right to:

• Access your personal information held by us
• Challenge the accuracy and completeness of your information
• Request correction of inaccurate information
• Know how your information is being used
• Withdraw consent (subject to legal or contractual restrictions)

You may file a complaint with the Office of the Privacy Commissioner of Canada if you believe your privacy rights have been violated.

If you are located in Australia, your personal information is protected under the Privacy Act 1988 and the Australian Privacy Principles (APPs).

Under Australian privacy law, you have the right to:

• Know what personal information we hold about you
• Access your personal information
• Request correction of inaccurate information
• Complain about a breach of the APPs

You may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the Privacy Act:

Contact Information:

For any questions about this Privacy Policy or to exercise your privacy rights, please contact us:

Changes to This Policy:

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

• Posting the updated policy on this page with a new "Last Updated" date
• Sending an email notification for significant changes that affect your rights

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after any changes constitutes acceptance of the updated policy.

SERVICE PROVIDED "AS IS": The Service and all data processing activities described in this Privacy Policy are provided on an "AS IS" and "AS AVAILABLE" basis. To the maximum extent permitted by applicable law, we disclaim all warranties, express or implied, including but not limited to implied warranties of merchantability, fitness for a particular purpose, and non-infringement.

NO GUARANTEE OF SECURITY: While we implement commercially reasonable security measures as described in Section 12, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee the absolute security of your data and make no warranty, express or implied, regarding the security of data transmitted to or from the Service.

LIMITATION OF LIABILITY: To the maximum extent permitted by applicable law, we shall not be liable for any indirect, incidental, special, consequential, or punitive damages, including but not limited to loss of profits, data, use, or goodwill, arising out of or related to any data breach, unauthorized access, or failure of security measures, regardless of the theory of liability. Our total liability for any claims arising under this Privacy Policy shall not exceed the greater of (a) the amount you paid to us in the twelve (12) months preceding the claim, or (b) fifty US dollars ($50).

THIRD-PARTY SERVICES: Our Service relies on third-party providers as described in Section 6. We are not responsible for the acts or omissions of these third parties, including any security incidents, service disruptions, or changes to their data practices. Your use of the Service constitutes acknowledgment of these dependencies.

JURISDICTIONAL LIMITATIONS: Some jurisdictions do not allow the exclusion of certain warranties or the limitation of liability for certain damages. In such jurisdictions, our liability shall be limited to the maximum extent permitted by law. Nothing in this Privacy Policy excludes or limits our liability for death or personal injury caused by our negligence, fraud, or fraudulent misrepresentation, or any other liability that cannot be excluded by law.

This Privacy Policy shall be governed by and construed in accordance with the laws of Georgia, without regard to its conflict of law provisions, except where mandatory local data protection laws apply (such as GDPR for EU residents or CCPA for California residents).

Any disputes arising from or relating to this Privacy Policy shall be resolved through good-faith negotiation. If negotiation fails, disputes shall be submitted to the competent courts of Georgia, except where applicable law grants you the right to bring proceedings in your local courts.

Nothing in this section shall limit your right to lodge a complaint with your local data protection supervisory authority.