Privacy Policy

Effective date: 2026-06-17 · Last updated: 2026-06-17

Retrievr ("Retrievr", "we", "our", "us") is an online invoicing service operated by GTM Guy, with registered office at 105, Sreenivasam Apartments, Hosur, Tamil Nadu — 635109, India. This Privacy Policy explains what information we collect, how we use and protect it, and the choices you have. It also describes — in line with the Google API Services User Data Policy — how Retrievr handles Google user data when you connect a Gmail account.

If you have questions, write to support@retrievr.xyz.


1. Information we collect

Account information you provide

  • Email address and password (or your Google sign-in identity).
  • Business profile: business name, contact email, phone, address, GSTIN, PAN, logo, default currency, invoice template and colors.
  • Clients you add: name, email, phone, billing address, GSTIN, notes.
  • Invoices and line items you create.
  • Bank account details you save for display on invoices (account holder, bank, account number, IFSC, SWIFT/ACH/Fedwire codes).

Information generated by using the service

  • Authentication metadata (session tokens, sign-in timestamps).
  • Application logs needed to operate and secure the service (IP address, user agent, request timestamps, error traces) — retained for 90 days.

Google account data (only if you choose to connect Gmail) — see Section 3.

Payment information — handled by our payment processor (Polar, Polar Software, Inc.); we do not store full payment-card numbers.

We do not use third-party advertising or marketing-analytics cookies.


2. How we use your information

  • Provide the core service: create, store, render and export invoices; manage clients; generate recurring invoices.
  • Authenticate you and protect your account.
  • Send essential account email (signup confirmation, password reset, security notices).
  • Send invoice and reminder emails on your behalf via Gmail only when you explicitly send one or schedule one (see Section 3).
  • Respond to support requests.
  • Comply with legal obligations (e.g. tax invoice retention).

3. Google user data (Gmail integration)

This section is the disclosure required by the Google API Services User Data Policy. It applies only if you choose to connect a Google account in Retrievr.

3.1 Why we ask for Gmail access

When you connect a Gmail account, Retrievr can send invoices and scheduled payment reminders from your own Gmail mailbox, so your client sees the email as coming directly from you. No emails are sent without your explicit action — you either click "Send" on an invoice or set a specific date for a reminder you have composed.

3.2 Exact scopes we request and what they're used for

OAuth scope | Purpose in Retrievr | Google data accessed
https://www.googleapis.com/auth/gmail.send | Send a single invoice or reminder email that you composed inside Retrievr | None read. Permission to send only.
openid, email, profile | Identify which Gmail address you authorized so we can show it back to you and use it as the "From" address | Your Google account email address, display name, and Google account ID (sub)

We deliberately use the send-only Gmail scope. Retrievr does not read your inbox, drafts, sent items, labels, contacts, calendars, attachments, or any other Gmail data.

3.3 How we store and protect Google data

  • The Google refresh token (used to obtain short-lived access tokens for sending scheduled reminders) is encrypted at rest with AES-256-GCM in our database. Only the backend's service role can decrypt it; it is never sent to your browser.
  • The connected mailbox's email address and display name are stored in plaintext so we can show them in the UI and use them as the "From" header.
  • Access tokens are short-lived and held only in memory while a send is in progress.

3.4 What we send

We send only the email content you composed or scheduled inside Retrievr (the invoice or reminder you authored, plus the invoice PDF you generated). Retrievr never composes or sends anything you did not explicitly create.

3.5 What we never do with Google data

  • We do not read your inbox, drafts, or any other mailbox content.
  • We do not transfer Google user data to third parties, except to Google itself as required to send the email, or as required by law.
  • We do not use Google user data to serve advertisements.
  • We do not use Google user data to train AI or machine-learning models.
  • We do not allow humans to read Google user data, except where (a) you have given specific consent, (b) it is necessary for security investigations of abuse of our own service, (c) it is necessary to comply with applicable law, or (d) the data is aggregated and anonymized for internal operations.

3.6 Disconnecting and revoking access

You can disconnect Gmail at any time from Settings → Sending email account. When you disconnect:

  1. We call Google's token-revocation endpoint to revoke the refresh token.
  2. We delete the encrypted refresh token and stored email address / Google account ID from our database immediately.

You can also revoke Retrievr's access directly at https://myaccount.google.com/permissions.

3.7 Limited Use disclosure (verbatim)

Retrievr's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

4. Legal bases for processing (EEA / UK users)

Where applicable: performance of a contract (running the service for you); your consent (specifically for the Gmail integration); legitimate interests (securing the service, preventing abuse); legal obligations (e.g. tax record-keeping).

For users in India, processing is carried out in accordance with the Digital Personal Data Protection Act, 2023 (DPDP Act).


5. Sharing of information

We use the following sub-processors to operate Retrievr. Each is bound by data-processing terms and processes data only on our instructions.

Sub-processor | Purpose | Region
Supabase | Database (Postgres), authentication, storage | Seoul, South Korea (AWS ap-northeast-2)
Vercel | Application hosting | Global edge
Lovable Cloud | Build / deploy infrastructure and transactional auth email (signup, password reset, etc.) | Asia Pacific
Google LLC | Gmail API — sending mail when you connect Gmail | Global
Polar (Polar Software, Inc.) | Subscription billing | Global; entity in the United States (Delaware), processes payments via Stripe

We do not sell your personal information. We do not share it with advertisers or data brokers.

We may disclose information when required by law, valid legal process, or to protect the rights, safety, or property of Retrievr, our users, or the public.


6. International data transfers

Your data may be processed in countries other than your own (notably India, South Korea, the United States, and other Asia-Pacific regions where our infrastructure providers operate). Where transfers occur from regions with cross-border data rules (EEA, UK, etc.), we rely on appropriate safeguards such as Standard Contractual Clauses.


7. Data retention

  • Account, business profile, clients, invoices, bank details: kept while your account is active, then for 8 years to meet tax and legal record-keeping obligations (this covers India's GST record-retention requirement of 72 months from the end of the relevant financial year, with a buffer), after which they are deleted or anonymized.
  • Google credentials (refresh tokens, connected mailbox identifiers): kept until you disconnect Gmail or delete your account. Deleted within 7 days thereafter.
  • Application logs: 90 days, then deleted.
  • Backups: rotated every 30 days.

8. Your rights

Depending on your jurisdiction, you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Delete your account and associated data ("right to erasure").
  • Export your data in a portable format.
  • Withdraw consent — including disconnecting Gmail at any time (Section 3.6).
  • Object to or restrict certain processing.
  • Lodge a complaint with your local data-protection authority.

To exercise any of these rights, email support@retrievr.xyz. We aim to respond within 30 days.

Grievance / Data Protection Officer (India, DPDP Act): Kaavian Sivam (proprietor) — support@retrievr.xyz.


9. Security

  • All data is transmitted over HTTPS (TLS).
  • Google refresh tokens are encrypted at rest using AES-256-GCM.
  • Database row-level security ensures each user can only read and modify their own records.
  • Access to production systems is restricted to authorized personnel and logged.

No internet-based service can be guaranteed 100% secure. If we ever experience a personal-data breach that creates a risk to you, we will notify you and the relevant authorities as required by law.


10. Children's privacy

Retrievr is intended for use by businesses and adults. We do not knowingly collect personal data from children under 18. If you believe a child has provided us information, please contact us so we can delete it.


11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced on this page and, where appropriate, by email. The "Last updated" date at the top reflects the most recent revision.


12. Contact us

Retrievr (GTM Guy)
105, Sreenivasam Apartments, Hosur, Tamil Nadu — 635109, India
Privacy & data requests: support@retrievr.xyz
Website: https://retrievr.xyz