Pleo can help you easily attach online receipts, straight from your inbox. In order to do so, we need to connect directly to your email account, which is not something we take lightly. This article outlines the security and privacy aspects of making this integration and ends with how to set up Fetch.
Our efforts to ensure the security of our infrastructure
The Pleo application and its external infrastructure are assessed periodically to ensure that the highest industry standards can be guaranteed at all times. This includes penetration tests and external assessments to identify any weaker areas.
In addition, Pleo is PCI-DSS certified and is therefore required to adhere to all the requirements stated by the PCI Security Standards Council.
Some common questions
How do we guarantee compliance with data security laws?
Pleo may access user data for the purpose of enabling automatic email fetching only if explicit consent is provided. Communications are encrypted end to end, and emails are parsed to fetch receipts but never read by the human eye.
Remember that to be able to enable the system, the Pleo user must be signed in to their email account and must grant the authorisations requested by the email provider as they are necessary for the rendering of the Service.
What data are we retrieving from your inbox?
Just emails or attachments that match our strict criteria for receipts. Depending on the format receipts are sent in, we either retrieve the attachment from an email (for instance when an invoice is attached as a PDF) or we convert the body of the email into a PDF and retrieve that.
Emails that look a lot like a receipt
We developed an engine that quickly determines whether your email is or contains a receipt. Most of the time it does this pretty well, but there is an off chance that it finds a document that looks a lot like a receipt but isn't exactly that; it could, for instance, be a shipping confirmation. In this case it will still upload the receipt to Pleo, but you can easily remove the receipt again from the app.
Note that several things need to be true before we attach a receipt to an expense: it should match the exact amount and currency of the purchase, match the date of the purchase, and contain words such as "invoice" or "receipt". This way we minimise the risk of retrieving unrelated emails.
Are we storing your emails in our database?
No, we're not. The only thing we store in our database is the matching receipt that is attached to your expense in Pleo. Any scanned receipts that fail to match will not be stored.
Will my regular emails ever get in front of human eyes?
No, that won't happen. First of all, this would never be something we'd feel comfortable with, but it's also in direct violation of email providers' terms and conditions for integrations.
Can I revoke access to my inbox?
Yes, you can, at any time. You can revoke Pleo's access to your inbox either from Pleo's mobile app (find Power-ups in the settings) or through the admin settings of the email provider.
Where can I report a security vulnerability I encountered?
In the odd case that you do find a security vulnerability, please report it to us here. We will handle incoming reports with the highest priority.
Who has access to my Receipt Inbox?
When Fetch finds a receipt that could be a match to an expense but isn't sure about the match, the receipt gets sent to your Pleo Receipts Inbox. This Receipts Inbox is private, and only you are able to view the receipts in it. Only when you manually add a receipt from the Receipts Inbox to an expense will your finance team be able to view that receipt. The receipts in the Receipts Inbox are automatically deleted after 30 days, or you can manually delete any irrelevant receipts. Learn more about attaching receipts out of the Receipts Inbox.
Ready to get going?
Read more about how to set up Fetch.