This privacy policy describes how invoiceNow (“the Software”, “the app”) handles information when you use the desktop application and when you optionally connect a Google account to send invoices via Gmail. invoiceNow is free software developed by Oisin McGrath (“I”, “me”, “the developer”) under the GNU General Public License, version 2 (GPLv2) only — not any later version.
Plain summary: invoiceNow runs on your computer. I do not run a cloud account system for your invoices. I do not receive your email content or Gmail tokens on any server of mine. Optional Gmail access is only to send messages you approve, using Google’s API from your machine.
This document is written so you (and Google’s OAuth review) can see exactly what
the Software does with data. It is not legal advice. For how the Software is
licensed and the “use at your own risk” rules, see the
Terms of use and the LICENSE file shipped
with the Software.
1. What invoiceNow is
invoiceNow is a desktop application for people who create tax invoices (especially Australian sole traders). It can store business profile details, contacts, invoices, and PDF files on your device, and optionally help you email a PDF using:
- a desktop mail program (for example Thunderbird), or
- your own Gmail account (Google OAuth + Gmail API), or
- your own Microsoft / Outlook account (Microsoft OAuth + Graph).
I operate no invoiceNow backend server that stores your invoices, contacts, or mail. There is no invoiceNow cloud login for your business data. If you never connect Gmail or Outlook, the app never talks to Google or Microsoft about your mail.
2. Who is the “controller” of what?
- Data on your computer (profile, contacts, invoices, local database, PDFs, OAuth tokens): you control that environment. The Software processes it locally so the features work. I do not host it.
- Google account data when you Connect Gmail: Google remains the provider of your Gmail account. The Software requests limited API access from your machine after you consent in Google’s screens.
- This website (oisinmcgrath.com pages): static information only; see section 11.
- Email to [email protected]: if you write to me, I may retain the message to respond. I do not use that inbox as a dump of app usage analytics.
3. Google user data — what we access, use, store, and share
Google requires apps that use Google APIs to disclose clearly how they access, use, store, or share Google user data. That is the purpose of this section.
3.1 Scopes (access)
If you choose Gmail and click Connect, the Software requests only:
-
https://www.googleapis.com/auth/gmail.send(gmail.send) — permission to send email on your behalf after you compose and explicitly approve a message in the app (recipient, subject, body, and PDF attachment). The Software does not use this scope to read your inbox, list messages, or browse existing mail. -
https://www.googleapis.com/auth/userinfo.email(userinfo.email) — to learn the email address of the Google account you connected, so the app can show “Connected as …” and identify the account. -
openid— standard OpenID Connect scope used as part of identifying the signed-in Google account.
The Software does not request broader Gmail scopes such as
full mailbox read, modify, or mail.google.com.
3.2 How Google user data is used
Google user data obtained through these APIs is used only to:
- complete the sign-in you started and show which account is connected;
- send the single invoice (or similar) email you started and confirmed, by calling Google’s Gmail API from your computer; and
- refresh access tokens so Connect stays working until you disconnect or revoke access.
It is not used for advertising, analytics products, credit scoring, AI model training on your mail, resale, or any purpose other than those user-facing features.
3.3 How Google user data is stored
After you sign in, OAuth access and refresh tokens (and the connected email address returned by Google) are stored only on your own machine, inside invoiceNow’s local application-data directory. They are never uploaded to a server the developer controls.
Example locations of that application-data directory:
- Linux:
~/.local/share/invoiceNow/ - Windows:
%APPDATA%\invoiceNow\
Message content you type for an invoice email, and PDF attachments generated by the app, also live on your device (and, when you send via Gmail API, are transmitted over an encrypted TLS connection from your device to Google so Google can deliver the message — that transmission is part of using Gmail, not a transfer to me).
3.4 Sharing / transfer of Google user data
I do not sell, rent, or trade Google user data. I do not share Google user data with advertisers, data brokers, or information resellers.
The only “transfers” of Google-related data in normal use are:
- between your computer and Google (OAuth, token refresh, and Gmail send), which you initiate by using Connect / Send; and
- none to me, because the desktop app does not upload that data to any developer backend.
If you yourself forward, export, or back up files from your computer, that is under your control, not mine.
3.5 Google API Services User Data Policy — Limited Use
invoiceNow’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
- Google user data is used only to provide or improve user-facing features that are prominent in the app (connect account; send mail you approve).
- Transfers are limited to what is needed for those features (for example sending your approved message to Google’s API), security/legal compliance, or your clear direction — not for ads or sale.
- Google user data is not used to serve advertisements.
- Humans (including me) do not read your Gmail data in normal operation because that data never reaches my servers. Exceptions under Limited Use (security, law, or your affirmative agreement for specific items) do not apply to routine use of this app as shipped.
4. Email is sent only on your explicit action
The Software does not send email automatically in the background or on a schedule. A Gmail API send happens only when you start an email action and confirm the preview. Desktop mail opens a draft in your mail program; you still press Send there.
5. Other data the app processes locally (not Google)
On your device, the Software may store, for example:
- business profile fields you enter (name, ABN, bank details, address, logo path);
- contacts and invoice line items you create;
- PDF paths, settings, and tutorial/onboarding flags;
- optional advanced OAuth client ID overrides if you paste them;
- your chosen email method (desktop / Gmail / Outlook).
That information is not uploaded to me. I have no server that receives your invoicing database.
6. Security
Reasonable steps for a local desktop app include: using HTTPS for OAuth and API calls to Google/Microsoft; storing tokens in your user profile data directory rather than shipping them in the installer; and not logging token secrets to a developer backend.
You are responsible for device security (OS updates, account passwords, disk encryption, backups, who can use your login). Anyone with access to your user account can typically access the local database and tokens. I cannot secure a computer I do not control.
7. Retention and deletion
Google access
Revoke the app at any time: https://myaccount.google.com/permissions (Google Account → third-party access / connections). After revocation, Google will reject the app’s tokens.
Local data
- In the app: Settings → Email → Disconnect clears stored OAuth tokens for that provider.
- Delete the application data folder (and invoice PDFs you no longer want) to remove local business data. That is under your control.
Because I hold no server-side copy of your Google tokens or invoice database, revoking Google access and deleting local files is a complete removal from the product’s perspective.
Tokens remain on disk until you disconnect or delete them. There is no separate cloud retention period on my side.
8. Microsoft / Outlook (for completeness)
If you connect Outlook, the Software uses Microsoft identity and Graph delegated permissions appropriate to sending mail (for example Mail.Send and User.Read), with tokens stored locally the same way. The same principles apply: no developer backend, send only on your action, tokens on your machine. Microsoft’s own terms and privacy policy apply to Microsoft’s services.
9. Children
invoiceNow is a business tool intended for adults aged 18 and over. It is not directed at children, and Connect features should not be used with a child's Google account.
10. Free software and honesty about risk
invoiceNow is free software. I provide it in the hope that it is useful. I do not sell a paid privacy “service”, do not host your data, and do not promise perfection. Privacy practices described here describe how the Software is designed to behave. Bugs, misuse, malware on your machine, or third-party outages can still cause problems — that risk sits with you under the GPL and the Terms of use.
11. This website
Public pages at oisinmcgrath.com (home, this policy, terms) are static. They use no tracking, no analytics, and no advertising cookies that I configure. Your browser and host may still produce ordinary server or TLS logs outside my product design; I do not run ad trackers on these pages.
12. Changes
If how the Software uses Google user data changes, I will update this policy and the “Last updated” date. Material changes to Google data use should also be reflected in the product and, where required, fresh consent. Continued use after an update means you should re-read this page when you upgrade.
13. Contact
Privacy questions about invoiceNow: [email protected]
Developer: Oisin McGrath · https://oisinmcgrath.com