Privacy Policy

Heshbomail ("we", "us", "our") is an email receipt scanner hosted at https://battleshipsonline.net/heshbo/ and operated from Israel. Heshbomail connects to a mailbox that you authorize, scans selected date ranges for receipts, invoices, bills, statements, refunds, failed-payment notices, and related payment records, and displays extracted receipt data in the app. This policy describes how Heshbomail accesses, uses, stores, and shares Google user data and other mailbox data.

Contact for privacy, security, and deletion requests: stone.gaming@gamil.com.

1. Google OAuth Scopes and Mailbox Access

When you sign in with Google, Heshbomail requests these Google OAuth scopes:

• openid - used to sign you in and verify the Google account identity.
• email - used to read the verified email address for the connected mailbox.
• https://www.googleapis.com/auth/gmail.readonly - Google's read-only Gmail API scope. Heshbomail uses it through the Gmail REST API to list and fetch Gmail messages, labels, message bodies, headers, MIME parts, and attachments needed for user-requested receipt scanning, preview, download, and export features.

For Google OAuth Gmail connections, Heshbomail uses the Gmail REST API with the gmail.readonly scope, not Gmail's broader full-mail scope and not Gmail IMAP/XOAUTH2 scanning. Manual Gmail app-password connections and non-Google mailbox providers may still use IMAP where available. Heshbomail does not send, delete, move, archive, label, mark, modify, or otherwise change messages in your Gmail account.

2. Google and Email Data We Access

For the scan period or action you request, Heshbomail may access:

• Your Gmail email address and Google OAuth identity data, including account subject, issuer, and email verification status.
• Gmail labels and mailbox folders needed to find relevant email locations.
• Email headers such as sender, recipients when present, subject, date, provider message identifiers, Gmail message/thread identifiers, labels or mailbox name, and IMAP UID where IMAP is used.
• Email body text and HTML for messages in the selected scan period.
• MIME structure and attachment metadata such as filename, MIME type, size, and Gmail or IMAP MIME part id.
• PDF and HTML attachment content when needed for receipt extraction. Image attachments may be fetched for user preview or download, but automated text extraction is currently focused on PDF and HTML content.
• Links inside receipt-like emails that may point to hosted invoices, receipts, statements, or payment documents.
• OAuth refresh tokens and short-lived access tokens needed to keep an authorized mailbox connection active.

3. How We Use the Data

• Authenticate you and connect to Gmail or another authorized email provider.
• Scan selected date ranges for receipts, invoices, bills, statements, refunds, and failed-payment notices.
• Extract vendor, amount, currency, payment date, tax/VAT, payment method, category, confidence score, payment status, and related receipt fields.
• Show receipts, scan history, dashboards, filters, search, recurring-payment signals, and logical transaction grouping.
• Preview or download source attachments when you request them.
• Export user-requested reports and files, including CSV, XLSX, PDF, JSON, and ZIP exports.
• Fetch receipt document links contained in emails when needed to complete receipt extraction.
• Optionally verify low- or medium-confidence receipt candidates with AI when both the server feature flag and your account setting enable AI verification.
• Maintain security, prevent abuse, troubleshoot failures, and comply with legal obligations.

4. External Document Links Found in Emails

Some receipt emails contain links to externally hosted invoice or payment documents. When an email appears receipt- or document-related, Heshbomail may fetch up to three HTTPS document links found directly in that email body and inspect PDF or HTML content at those URLs to extract receipt/payment text.

• Heshbomail does not crawl the web generally.
• Nested crawling is disabled: links discovered inside fetched external HTML pages are not recursively scanned.
• No Gmail credentials or OAuth tokens are sent to those external document hosts.
• The external host will receive a normal server request for the URL contained in your email.
• If the document becomes part of a detected receipt, extracted document text and reference metadata may be stored with that receipt.

5. What We Store

Data category	Examples	Purpose
Account identifiers	Email hash, connected mailbox email address	Match your sessions and saved receipt history
OAuth identity binding	Provider, Google subject/issuer/email verification status, subject hash	Safely link future Google sign-ins to the same account
Session/device metadata	Device name, user agent, created time, last accessed time, expiry	Manage active signed-in sessions
Mailbox secrets	OAuth refresh token reference, temporary access-token cache, IMAP credentials for non-OAuth sessions	Maintain authorized mailbox connections
Scan history	Date range, counts, status, duration	Show previous scans and scan progress
Receipt records	Vendor, amount, currency, dates, tax/VAT, method, category, status, confidence, subject, sender, Gmail message/thread identifiers or IMAP UID, label/mailbox, message hash, detection signals	Display, filter, edit, export, and reconcile receipts
Encrypted receipt content	Receipt body text excerpt, linked-document text, manual notes	Review receipt evidence and improve extraction accuracy
Attachment metadata	Filename, MIME type, size, Gmail or IMAP MIME part id	Show attachment availability and support preview, download, and export
Encrypted Gmail REST attachment content	Attachment bytes for stored receipt attachments from Gmail REST scans, up to the configured per-attachment size limit	Preview, download, and export detected receipt attachments without needing to refetch the mailbox
Temporary Gmail REST scan spool	Encrypted raw Gmail message payloads and worker/fallback queue state for messages in an active or recently failed scan	Process Gmail REST scans reliably across server workers and clean up by scan cleanup or expiry maintenance
Account settings	AI verification enabled/disabled, categorization rules	Apply your preferences to future scans
Operational logs	Security events, errors, timing, and redacted scan diagnostics only during non-production troubleshooting when explicitly enabled	Security, troubleshooting, abuse prevention

What We Do Not Store Persistently

• IMAP-only attachment bytes as a general mailbox archive. IMAP attachments are fetched on demand where possible, and temporary files are deleted after use.
• Full bodies of emails that are not detected as receipts, except in the temporary encrypted Gmail REST scan spool while a scan is being processed or awaiting cleanup. Diagnostic content logging is disabled by default and blocked in production.
• The raw session token. The raw token is stored only in your browser's HttpOnly cookie; the server stores a SHA-256 hash.
• Google profile data beyond the identifiers needed for sign-in and mailbox matching. We do not request or store your Google name, profile photo, locale, phone number, or contacts.

6. Secrets, Encryption, and Security

• Browser traffic uses HTTPS/TLS.
• Gmail REST API and IMAP connections use HTTPS/TLS or SSL/TLS as applicable.
• OAuth flows use PKCE, cryptographic state, nonce checks, and verified OpenID Connect ID tokens.
• Session cookies are HttpOnly and SameSite where supported.
• Server-side session tokens are stored as SHA-256 hashes.
• OAuth refresh tokens, temporary OAuth access-token cache, and IMAP passwords are stored in server-side encrypted secret storage using AES-256-GCM.
• Receipt body text, linked document text, and notes are encrypted at rest.
• Credential encryption keys are stored separately from the database and outside the web root in production.
• Temporary files used for OAuth, scanning, PDF extraction, export, and AI verification are deleted or expired after the operation.

7. Third Parties and Sub-processors

We do not sell Google user data. We do not use Google user data for advertising, unrelated analytics, market research, or marketing campaigns. We transfer Google user data only to service providers necessary to operate the disclosed features.

• Google: processes Google OAuth sign-in and provides read-only Gmail API access through the Gmail REST API for Google OAuth Gmail connections.
• Other email providers: Microsoft, Yahoo, and custom IMAP providers may process mailbox access if you connect those providers instead of Google.
• External document hosts: when Heshbomail fetches a receipt/invoice URL found in an email, that host receives the server request for the URL. Gmail credentials and OAuth tokens are not sent to the host.
• OpenAI/Codex for optional AI verification: if AI verification is enabled by both the server and your account setting, selected low- or medium-confidence candidates may be sent to OpenAI through the Codex API/CLI. Sent fields may include receipt id, vendor, subject, sender, date, amount, currency, payment date, payment method, payment status, confidence, short email body excerpt, and short linked-document excerpt. The data is used only to classify receipt validity inside Heshbomail. OpenAI states that API inputs and outputs are not used to train models by default and that abuse-monitoring logs may be retained for up to 30 days unless a different retention setting or legal requirement applies. See OpenAI data controls.
• PDF extraction: the default configuration extracts PDF text locally on the Heshbomail server. If this deployment is changed to use a remote PDF extraction service for Google-connected accounts, we will name that service in this policy before enabling it.
• Email delivery infrastructure: when you ask Heshbomail to email an export to your connected address, the export is sent through the server's email delivery system.
• Hosting infrastructure: the server and database infrastructure that hosts battleshipsonline.net/heshbo stores the encrypted database, logs, and secret store needed to operate the service.

8. Google API Limited Use

Heshbomail's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

• We use Google user data only to provide and improve user-facing receipt scanning, export, verification, security, troubleshooting, and compliance features.
• We do not sell Google user data.
• We do not use Google user data for advertising.
• We do not use Google user data for unrelated analytics or marketing.
• Humans do not read Gmail data except when required for support, security, abuse investigation, legal compliance, or with your permission.
• We transfer Google user data only to service providers necessary to operate the disclosed features.

9. Retention, Deletion, and Revocation

• Sessions expire according to the configured session lifetime shown by the app. Session expiry may vary by deployment configuration.
• Disconnecting or signing out removes the current session. OAuth/IMAP secrets are removed when no active sibling session still needs them.
• For Google OAuth sessions, Heshbomail attempts a best-effort OAuth revocation request to Google on disconnect.
• You can revoke Heshbomail's Google access at any time at https://myaccount.google.com/permissions.
• Receipt and scan history remains linked to your mailbox/email hash until you delete scans in the app or request full account/data deletion.
• Deleting a scan deletes the scan row and related receipts, encrypted receipt content, attachment metadata, payment components, and linked records for that scan.
• To request deletion of all server-side data linked to your mailbox, email stone.gaming@gamil.com. We will delete the associated data within 30 days unless we must retain limited records for legal, security, or abuse-prevention reasons.
• You can export receipt data from the app before requesting deletion.

10. Your Rights

• You can access stored receipt data in the dashboard.
• You can export your receipt data through the export tools.
• You can disconnect the mailbox connection at any time.
• You can revoke OAuth access from your Google, Microsoft, or Yahoo account settings.
• You can request correction or deletion by contacting us.

11. Children

Heshbomail is intended for adults and is not intended for anyone under 18. We do not knowingly collect data from minors. If you believe a minor has used Heshbomail, contact us and we will delete the associated data.

12. Changes to This Policy

We may update this policy from time to time. When we make a material change to how Heshbomail accesses, uses, stores, or shares Google user data, we will update the "Last updated" date and notify users through the app interface or another appropriate channel before or when the change takes effect.

13. Contact

Privacy, security, and deletion requests: stone.gaming@gamil.com

Operator location: Israel. Service domain: https://battleshipsonline.net/heshbo/