Pleo can help you easily attach online receipts, straight from your Gmail inbox. In order to do so, we need to connect directly to your Gmail account, which is not something we take lightly. This article outlines the security and privacy aspects of making this integration.

Our efforts to ensure the security of our infrastructure

The Pleo application and its external infrastructure are assessed periodically to ensure that the highest industry standards can be guaranteed at all times. This includes penetration tests and external assessments to identify any weak areas.

In addition, Pleo is PCI-DSS certified and is therefore required to adhere to all the requirements stated by the PCI Security Standards Council.

Some common questions

How do we guarantee compliance with data security laws?

Pleo may access Google user data only if explicit consent is provided, and only for the purpose of enabling automatic email fetching. Emails are parsed to fetch receipts but are never read by the human eye, and they are encrypted at all times.

We will not process personal data for a longer period than is necessary for fulfilling the purpose and, as set out in our Privacy Policy, the customer’s data is never processed for any other purpose. Within the scope of the email receipt finder, personal data might be parsed but is not stored or retained on our servers.

Remember that to enable the system, the Pleo user must be signed in to their Gmail account and must grant the authorisations requested by Gmail, as they are necessary for the rendering of the Service.


What data are we retrieving from your inbox?

Just receipts. Depending on the format receipts are sent in, we either retrieve the attachment from an email (for instance when an invoice is attached as a PDF) or we convert the body of the email into a PDF and retrieve that.

Emails that look a lot like a receipt
We developed an engine that quickly determines whether your email is or contains a receipt. Most of the time it does this pretty well, but there is an off chance that it finds a document that looks a lot like a receipt but isn't exactly that; it could, for instance, be a shipping confirmation. In this case it will still be uploaded to Pleo, but you can easily remove it again from the app.
Note that a few things need to be true before we download a receipt: it should, for instance, definitely contain the merchant's name and the exact amount of the purchase. This way we ensure no completely unrelated emails will ever be retrieved.


Are we storing your emails in our database?
No, we're not. The only thing we store in our database is the actual receipt that is also uploaded to Pleo. Any receipts that we scan through along the way or other information from your inbox will not be stored.


Will my regular emails ever get in front of human eyes?
No, that won't happen. First of all, this would never be something we'd feel comfortable with, but it's also in direct violation of Google's terms and conditions for integrations.


Can I revoke access to my inbox?
Yes, you can, at any time. You can revoke Pleo's access to your Gmail either from Pleo's mobile app (find Power-ups in the settings) or through Gmail (go to manage third party permissions).


Where can I report a security vulnerability I encountered?
In the odd case you do find a security vulnerability, please report it to us here. We will handle incoming reports with the highest priority.


Managing Receipt Finder as an admin

Receipt Finder can be enabled directly as a user of Pleo, just like any other Gmail permission. If for any reason you feel the need to revoke access to Receipt Finder, you can do so from the G Suite admin panel.
