Skip to main content
OptiPay
This English translation is provided for convenience only. The Hebrew version is the legally binding version. View the Hebrew (binding) version

Privacy Policy

Last updated: May 30, 2026

1. Introduction

OptiPay is committed to protecting your privacy. This policy explains how we collect, use, store and protect your personal information when you use our services.

2. Information We Collect

Information you provide: Name, email address and phone number upon registration. Receipts and financial documents that you upload. Payment details for subscription billing.

Information collected automatically: IP address, browser type and operating system. Usage data on the website and in the app. Cookies and similar tracking technologies.

Information from third parties: Email data from Gmail or Outlook (receipts only, with your consent). Information from payment providers.

3. How We Use Information

We use your information in order to: provide, maintain and improve the service; automatically process and categorize receipts; send service-related notifications; comply with legal and regulatory requirements; and detect and prevent fraud.

4. Sharing Information

We do not sell your personal information. We may share information with: service providers acting on our behalf (cloud storage, payment processing, usage analytics: Google and PostHog); law enforcement authorities where required by law; and third parties with your explicit consent.

5. Data Security

We implement advanced security measures, including: encryption of data in transit (TLS 1.3) and at rest (AES-256); two-factor authentication (2FA); periodic security audits; and restricting access to information on a need-to-know basis.

6. Data Retention

We retain your information for as long as your account is active. After an account is deleted, the information will be deleted within 30 days, except for information we are required to retain by law.

7. Your Rights (GDPR)

In accordance with the GDPR and the Israeli Privacy Protection Law, you have the right to: access your personal information; correct inaccurate information; delete your information (the "right to be forgotten"); restrict the processing of your information; port your information to another service; and object to the processing of information for marketing purposes.

8. Cookies

We use cookies that are necessary for the service to function, preference cookies to remember your settings, and analytics and measurement cookies to improve the service. For analytics we use PostHog (EU cluster) and Google Tag Manager, which is used to deploy measurement and analytics tags, including Google Analytics. Data collected by Google Analytics, such as IP address, device and browser type, and site-usage events, is processed by Google LLC in accordance with Google's Privacy Policy.

Use of PostHog is optional and subject to your consent via the cookie banner. You can opt out of Google Analytics tracking using Google's official opt-out browser add-on, and manage all cookie preferences through your browser settings.

9. International Data Transfer

Your information may be stored on servers outside Israel. We ensure that any international transfer is carried out in accordance with the requirements of the GDPR, including the use of Standard Contractual Clauses.

10. Changes to This Policy

We may update this policy from time to time. Material changes will be published on the website and sent by notice to registered users at least 30 days before they take effect.

11. Contact

For privacy-related questions, you can contact our Data Protection Officer: privacy@optipay.co.il

12. Google Limited Use (Google API Limited Use)

OptiPay uses the Gmail API in accordance with the Google API Services User Data Policy, including the Limited Use requirements.

OptiPay's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Gmail data access: OptiPay accesses Gmail data solely to detect and extract receipts and business transaction documents for expense categorization. To identify which messages are receipts, message metadata and content are scanned transiently during processing; messages that are not receipts are classified in memory and discarded. Their content is never persisted.

Use limitations: We do not sell, share, or transfer Gmail data to third parties, use it for targeted advertising, or use it to develop, improve, or train generalized or non-personalized AI/ML models, and we do not permit third parties to do so. Gmail data is used only for the purpose for which access was granted. Humans do not read Gmail data except (a) with your explicit consent, (b) for security or abuse investigation, or (c) where required by applicable law.

Revoking access: You can revoke OptiPay's access to Gmail at any time from the Connections page in your account settings, or from your Google Account security settings at myaccount.google.com/permissions. Revoking access immediately revokes the OAuth token and stops all future syncs.

13. Microsoft Graph (Outlook) Data Use

OptiPay uses the Microsoft Graph API (the Mail.Read permission) in accordance with the Microsoft APIs Terms of Use and the Microsoft Privacy Statement, applying the same limited-use principles that govern Gmail data.

Outlook data access: OptiPay accesses your Outlook mailbox solely to detect and extract receipts and business transaction documents for expense categorization. To identify which messages are receipts, message metadata and content are scanned transiently during processing; messages that are not receipts are classified in memory and discarded. Their content is never persisted.

Use limitations: We do not sell, share, or transfer Outlook data to third parties, use it for targeted advertising, or use it to develop, improve, or train AI/ML models, and we do not permit third parties to do so. The data is used only for the purpose for which access was granted.

Revoking access: You can revoke OptiPay's access to Outlook at any time from the Connections page in your account settings, or from your Microsoft account security settings at account.microsoft.com. Revoking access immediately revokes the OAuth token and stops all future syncs.