Aptosi Services Privacy Policy
Document Creation July 1, 2025
Last Updated: June 26, 2026
Introduction
This Privacy Policy describes how We Are Aptly, Inc. (doing business as “Aptosi”) (“Aptosi,” “we,” “us,” or “our”) collects, uses, discloses, and retains information when you or your organization (“Customer”) use the Aptosi Agent & Platform, including the Dashboard, API Integrations, and Chrome Browser Extension (collectively, the “Service”).
Aptosi is a business-to-business (B2B) platform. The Service is made available to organizations; individual end-users interact with the Service under their employer’s or organization’s agreement with Aptosi. If you are an end-user, please also review your organization’s own privacy policies. By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please discontinue use and contact privacy@aptosi.com.
Data Controller and Data Processor Roles
Aptosi acts in the following capacities depending on context:
- Data Controller: Aptosi determines the purposes and means of processing data collected for account management, billing, and product analytics.
- Data Processor: When processing your organization’s email content, invoice data, and vendor records on your instructions, Aptosi acts as a data processor on behalf of your organization (the data controller). In this capacity, Aptosi processes personal data only as directed by your organization and as set forth in the applicable Data Processing Agreement (DPA).
Enterprise Customers may request Aptosi’s standard DPA by contacting privacy@aptosi.com. The DPA governs Aptosi’s processing activities where applicable law (e.g., GDPR) requires such an agreement.
Information We Collect and Why
The table below describes each category of data we collect, how it is collected, its purpose, and how we use it.
| Data Category | How Collected | Purpose | How Used |
|---|---|---|---|
| User Account Information (name, work email, profile picture) | OAuth authentication via Google or Microsoft | Identity verification; account creation; organizational linkage | Display user profile; securely associate account with processed data |
| Email Content & Attachments (PDF/Word attachments, headers, subject lines) | Gmail API or Microsoft Graph API, after explicit authorization | Core service: locate, classify, and analyze accounts-payable documents | Server-side processing to extract invoice data. We do not store your full inbox; only AP-relevant emails are processed. |
| Extracted Invoice & Vendor Data (vendor names, amounts, dates, bank details) | AI models (Google Vertex AI / Gemini) analyzing identified invoice content | Verify invoice details against approved-vendor records; detect fraud anomalies | Compared against vendor records to generate Match / Unusual / Informational findings. Results stored in Firestore for audit logs. |
| Processing Statistics & Status (finding counts, sync timestamps) | Synced between Aptosi Dashboard and Chrome Extension | Real-time AP workflow visibility | Chrome Extension retrieves statistics to display status notifications without requiring dashboard refresh |
| Pseudonymized Usage & Analytics Data (feature usage, performance metrics, browser type) | Google Analytics 4 (IP anonymization enabled) | Product improvement; bug identification; UX enhancement | Aggregated and pseudonymized; used for data-driven product decisions only. Not sold or used for advertising. |
| Local Extension Data (session tokens, sync timestamps) | chrome.storage API (stored locally in browser) | Session maintenance; extension-platform synchronization | Authentication tokens and timestamps stored locally; reduces re-login frequency and redundant network calls |
Legal Bases for Processing (GDPR / UK GDPR)
Where the General Data Protection Regulation (GDPR) or UK GDPR applies, we rely on the following lawful bases:
- Performance of a Contract (Art. 6(1)(b)): Processing necessary to deliver the Service under our agreement with your organization, including account management, email analysis, invoice extraction, and fraud detection.
- Legitimate Interests (Art. 6(1)(f)): Processing for product analytics, security monitoring, and service improvement, where our interests are not overridden by your rights and freedoms. We conduct legitimate interest assessments on request.
- Legal Obligation (Art. 6(1)(c)): Processing required to comply with applicable law, including responding to lawful requests from public authorities.
- Consent (Art. 6(1)(a)): Where required (e.g., optional cookies or marketing communications), we will request your explicit consent. You may withdraw consent at any time without affecting prior processing.
Where we process financial data (bank account details, payment amounts) that may constitute “special category” or sensitive data under applicable law, we rely on Art. 9(2)(b) (employment/contract context) or explicit consent as appropriate.
Automated Processing and AI-Assisted Decisions
Aptosi uses artificial intelligence and automated processing (via Google Vertex AI / Gemini) to analyze invoice content and generate fraud findings categorized as Match, Unusual, or Informational. These findings are presented to your organization’s AP team as inputs to human decision-making; they do not constitute final, binding decisions about any individual or entity without human review.
Where GDPR Art. 22 applies, we confirm that Aptosi’s AI findings are intended to assist human reviewers, not to produce solely automated decisions with legal or similarly significant effects on data subjects. If you believe an automated finding has materially affected your organization, please contact privacy@aptosi.com.
Subprocessors and Third-Party Services
We engage the following subprocessors to deliver the Service. All subprocessors are bound by contractual obligations no less protective than those in this Policy.
| Subprocessor | Purpose | Data Processed | Transfer Mechanism |
|---|---|---|---|
| Google APIs (Gmail & OAuth) | Email access; authentication | Email content; OAuth tokens | Google API Services User Data Policy; SCCs for EEA transfers |
| Microsoft Graph API | Outlook access; authentication | Email content; OAuth tokens | Microsoft Online Services Terms; SCCs for EEA transfers |
| Google Firebase / Firestore | User auth; cloud database | Account info; invoice records; findings | Google Cloud DPA; SCCs for EEA transfers |
| Google Vertex AI / Gemini | AI document extraction; fraud detection | Invoice content; vendor data | Google Cloud DPA; SCCs for EEA transfers |
| Google Analytics 4 | Pseudonymized usage analytics | Browser/device info; feature interactions | Google Analytics Terms; IP anonymization enabled |
| Stripe | Subscription billing | Billing contact info; payment metadata (no full card numbers stored) | Stripe Privacy Policy; SCCs for EEA transfers |
We will notify Customers of material changes to our subprocessor list at least 30 days in advance where required by applicable law or DPA. An up-to-date subprocessor list is available at privacy@aptosi.com on request.
International Data Transfers
Aptosi is headquartered in the United States. If you access the Service from outside the United States, your data may be transferred to and processed in the United States or other countries where our subprocessors operate.
European Economic Area (EEA) and UK
For transfers of personal data from the EEA or UK to the United States, Aptosi relies on the European Commission’s Standard Contractual Clauses (SCCs) (2021 versions) and, where applicable, the UK International Data Transfer Addendum (IDTA). Our DPA incorporates the relevant SCCs. To obtain a copy, contact privacy@aptosi.com.
India
For Customers and users in India, Aptosi processes personal data in accordance with the Digital Personal Data Protection Act, 2023 (DPDP Act). Cross-border transfers are made only to countries or entities consistent with applicable DPDP transfer rules. As transfer rules under the DPDP Act are finalized by the Government of India, Aptosi will update this section accordingly. Indian data principals may exercise their rights as described in Section 10 of this Policy.
Data Security
We implement administrative, technical, and physical safeguards designed to protect your data against unauthorized access, disclosure, alteration, or destruction:
- Encryption in transit via TLS 1.2 or higher for all data transmitted to and from the Service
- Encryption at rest using Google Cloud KMS envelope encryption for OAuth refresh tokens and sensitive stored data
- Server-side processing: AI extraction and fraud analysis occur on Aptosi’s secure cloud infrastructure, not on end-user devices
- Access controls: We do not store your Google or Microsoft passwords. OAuth scopes are scoped to minimum necessary permissions. Internal access to Customer data is restricted on a need-to-know basis
- Security certifications: Aptosi holds Google CASA Tier 2 certification. SOC 2 Type II is targeted for Q4 2026
No method of transmission or storage is 100% secure. In the event of a data breach affecting your personal data, Aptosi will notify affected Customers without undue delay and, where required by applicable law (including within 72 hours under GDPR), notify the relevant supervisory authority.
Data Retention
We retain data only as long as necessary for the purposes described in this Policy, or as required by applicable law. The table below sets our standard retention periods:
| Data Category | Retention Period | Basis |
|---|---|---|
| Account & User Data | Duration of active subscription + 90 days post-termination | Contract performance |
| Extracted Invoice & Vendor Records | Duration of active subscription + 3 years post-termination | Audit trail; legal/regulatory compliance |
| Processing Statistics & Findings | Duration of active subscription + 3 years post-termination | Fraud reporting; audit logs |
| Auth Tokens (local extension) | Session duration only; purged on revocation or uninstall | Minimal data principle |
| Pseudonymized Analytics Data | Up to 26 months (Google Analytics 4 default) | Product improvement |
| Backup Copies | Up to 90 days following deletion of primary records | Disaster recovery |
Upon written request, Aptosi will delete or return Customer data in accordance with the applicable subscription agreement or DPA. Residual copies in backup systems will be purged within 90 days of the deletion request. Anonymized or aggregated data that cannot reasonably be used to identify any individual may be retained indefinitely.
Cookies and Tracking Technologies
The Aptosi Dashboard uses strictly necessary cookies for authentication and session management, and pseudonymized analytics cookies via Google Analytics 4 (with IP anonymization enabled). We do not use advertising or cross-site tracking cookies.
You may configure cookie preferences through your browser settings. Disabling strictly necessary cookies will impair Service functionality.
Your Privacy Rights
Depending on your jurisdiction, you may have some or all of the following rights with respect to your personal data. To exercise any right, contact privacy@aptosi.com. We will respond within the timeframes required by applicable law (generally 30–45 days, with a possible extension of up to an additional 30 days for complex requests).
Rights Available to All Users
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete personal data.
- Deletion: Request deletion of your personal data, subject to our legal retention obligations and legitimate business purposes.
- Revoke Access: Revoke the Service’s OAuth access to your Google or Microsoft account at any time through your account security settings.
- Uninstall: Uninstall the Chrome Extension at any time; local extension data will be purged.
Additional Rights Under GDPR / UK GDPR
- Data Portability (Art. 20): Receive your personal data in a structured, machine-readable format or request direct transfer to another controller.
- Restriction of Processing (Art. 18): Request that we restrict processing of your data in certain circumstances.
- Objection to Processing (Art. 21): Object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
- Withdraw Consent (Art. 7(3)): Where processing is based on consent, withdraw it at any time without affecting prior lawful processing.
- Lodge a Complaint: You have the right to lodge a complaint with your local supervisory authority (e.g., your EU Member State’s data protection authority, or the UK ICO). We encourage you to contact us first at privacy@aptosi.com.
California Privacy Rights (CCPA / CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of third parties with whom we share it.
- Right to Delete: Request deletion of your personal information, subject to certain exceptions.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt Out of Sale or Sharing: Aptosi does not sell or share personal information for cross-context behavioral advertising. If this practice changes, we will update this Policy and provide an opt-out mechanism.
- Right to Limit Use of Sensitive Personal Information: Financial data (bank details, invoice amounts) processed by Aptosi may constitute “sensitive personal information” under CPRA. We use such data only to provide the Service and do not use it for inferring characteristics unrelated to our service. You may contact privacy@aptosi.com to request limits on such use.
- Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.
To submit a verifiable consumer request, contact privacy@aptosi.com. We will verify your identity before processing the request and respond within 45 days (extendable by an additional 45 days with notice).
India – DPDP Act Rights
If you are a Data Principal under India’s Digital Personal Data Protection Act, 2023, you have the following rights:
- Right to Access: Request a summary of personal data processed and the purposes of processing.
- Right to Correction and Erasure: Request correction, completion, or erasure of personal data.
- Right to Grievance Redressal: Lodge a grievance with Aptosi’s Grievance Officer. We will acknowledge receipt within 48 hours and resolve within 30 days.
- Right to Nominate: Nominate another individual to exercise rights on your behalf in the event of your death or incapacity.
Aptosi’s Grievance Officer for DPDP Act purposes may be reached at: privacy@aptosi.com. Subject line: “DPDP Grievance.”
Do Not Sell or Share My Personal Information
Aptosi does not sell personal information to third parties, nor do we share personal information for cross-context behavioral advertising. This section is provided to comply with CCPA/CPRA. If our practices change, we will update this Policy and provide a mechanism to opt out prior to any such change.
Children’s Privacy
The Service is designed exclusively for business use and is not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal information, please contact privacy@aptosi.com and we will promptly delete it.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Post the updated Policy at aptosi.com/privacy with a revised “Last Updated” date
- Notify active Customers via email or in-product notice at least 30 days before material changes take effect
- Where required by applicable law (e.g., GDPR), seek renewed consent if the change affects processing based on consent
Your continued use of the Service after the effective date of any update constitutes acceptance of the revised Policy.
EU / UK Representative
Aptosi does not currently have an establishment in the European Economic Area or the United Kingdom. As we expand into those markets, we will designate an Article 27 (GDPR) representative and publish their contact details here. Until such designation, EEA/UK data subjects may direct inquiries to privacy@aptosi.com.
Contact Us
For questions, rights requests, DPA inquiries, or any other privacy matters:
Company: We Are Aptly, Inc. (DBA Aptosi)
Address: Palo Alto, CA, USA
Privacy Contact: privacy@aptosi.com
DPDP Grievance: privacy@aptosi.com (Subject: “DPDP Grievance”)
DPA Requests: privacy@aptosi.com (Subject: “DPA Request”)