Privacy Policy
Last updated: April 3, 2026
Wovexa (“Wovexa,” “we,” “us,” “our”) operates a cloud-based accounts payable automation platform. This Privacy Policy describes how we collect, use, store, and protect information when you access wovexa.com and app.wovexa.com (the “Services”).
1. Information We Collect
1.1 Account and Organization Information. When you create an account, we collect: organization name, your name, work email address, job title, and billing information.
1.2 Usage Data. We collect data about how you use the Services, including log data (IP addresses, browser type, pages visited, timestamps), feature usage patterns, and error reports.
1.3 Customer Data. As part of using the Services, your organization may upload invoice documents (PDFs, images), vendor information, GL codes and chart of accounts data, and extracted financial fields (vendor name, invoice number, amounts, dates, and line items). We process this data solely to provide the Services.
1.4 Communications. If you contact us, we collect the information you provide in that communication.
1.5 Cookies. We use essential cookies for authentication and session management. We may use analytics cookies to understand Service usage. You may disable non-essential cookies in your browser settings.
2. How We Use Your Information
We use the information we collect to:
- Provide, operate, and improve the Services
- Authenticate your identity and manage your organization’s access
- Process payments and manage subscriptions
- Send transactional emails (invoices, account notifications, usage alerts)
- Respond to support requests
- Monitor service performance and security
- Comply with legal obligations
We do not sell your personal information to third parties. We do not use Customer Data for advertising.
3. AI Processing of Invoice Documents
3.1 How It Works. When you upload an invoice, we transmit the document to AI processing APIs to extract structured data fields — including vendor name, invoice number, date, amounts, and line items. This extraction is the core function of the Service.
3.2 AI Providers. We currently use:
- OpenAI, LLC — large language model extraction
- Microsoft Azure Cognitive Services (Document Intelligence) — OCR and document structure analysis
These providers process documents as our subprocessors under their respective data processing agreements, which prohibit them from using API inputs to train their models.
3.3 No Training on Your Data. Wovexa does not use your invoice data to train machine learning models. Documents submitted through our Service are processed at inference time only and are not retained by AI providers beyond the processing request.
3.4 Accuracy. AI extraction is not perfect. Extracted fields may contain errors. You are responsible for reviewing all extracted data before taking financial action.
4. Subprocessors
We share information with the following third-party service providers to operate the Services. All subprocessors are contractually required to protect your data and process it only as directed.
| Provider | Purpose | Location |
|---|---|---|
| OpenAI, LLC | AI invoice extraction (LLM) | United States |
| Microsoft Azure | Document Intelligence — OCR and structure analysis | United States / EU |
| Cloudflare R2 | Invoice file storage | United States |
| Railway | API and worker hosting | United States |
| Vercel | Frontend hosting | United States |
| Clerk | User authentication and session management | United States |
| Stripe | Payment processing and billing | United States |
| Resend | Transactional email delivery | United States |
| Sentry | Error monitoring and performance | United States |
We will notify you at least 30 days before adding or replacing a subprocessor that processes Customer Data. You may object by contacting legal@wovexa.com within 14 days of notification.
We do not share your information with third parties for their own marketing purposes.
5. Data Retention
5.1 Account Data. We retain account and organization information for as long as your account is active.
5.2 Customer Data. We retain Customer Data (invoice documents, extracted fields, audit logs) for the duration of your subscription.
5.3 Post-Termination. Following termination, we retain Customer Data for 30 days to allow you to export it. After 30 days, Customer Data is deleted or de-identified, except data required by applicable financial recordkeeping laws (generally up to 7 years), billing records, and data subject to a legal hold.
5.4 System Logs. System and security logs are retained for 90 days unless a longer period is required by law or an active security investigation.
6. Security
We implement and maintain commercially reasonable technical and organizational measures to protect your information, including:
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- Role-based access control and row-level database security
- Authentication via Clerk with support for SSO
- Automated security monitoring and error tracking
- Regular security reviews and vendor assessments
No security system is impenetrable. In the event of a data breach affecting your personal data, we will notify you as required by applicable law.
7. International Data Transfers
The Services are operated primarily from the United States. If you are accessing the Services from outside the United States, your information may be transferred to, stored, and processed in the United States.
7.1 EU/EEA and UK Users. Where cross-border transfers of EU, EEA, or UK personal data are required, we rely on Standard Contractual Clauses (SCCs) as the lawful transfer mechanism. A copy of the applicable SCCs is available upon request.
7.2 GDPR Roles. Where EU or UK personal data is involved, Wovexa acts as a data processor on behalf of Customer (the data controller) for Customer Data, and as a data controller for account and contact information.
7.3 Data Processing Agreement. If you require a Data Processing Agreement (DPA) for GDPR compliance, contact legal@wovexa.com.
8. Your Privacy Rights
8.1 All Users. You may request access to, correction of, or deletion of your personal data by contacting legal@wovexa.com.
8.2 EU/EEA/UK Residents (GDPR/UK GDPR). You have the right to: access your personal data, correct inaccurate data, request erasure, restrict or object to processing, data portability, and lodge a complaint with your supervisory authority.
8.3 California Residents (CCPA/CPRA). As a B2B service, most data we process is business contact information. To the extent CCPA applies, California residents have the right to know, delete, and opt out of sale of personal information. We do not sell personal information.
8.4 Response Time. We will respond to privacy rights requests within 30 days, or within the timeframe required by applicable law.
9. Children’s Privacy
The Services are not directed to individuals under 18. We do not knowingly collect personal information from minors.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice in the Services at least 30 days before the change takes effect. Continued use after the effective date constitutes acceptance.
11. Contact
For privacy questions, data subject requests, or to request a Data Processing Agreement:
By using Wovexa, you acknowledge that you have read and understood this Privacy Policy.