Privacy Policy

Last updated: February 26, 2026

What we do

Order Tracker helps you track online orders by connecting to your email accounts. We scan for order confirmation and shipping emails from supported retailers and display your order information in one place.

Data we access

  • Email access (IMAP or Google OAuth) — We connect to your email solely to search for order-related messages from supported retailers. We do not read, store, or process any other emails.
  • Order data — Order numbers, dates, items, totals, and tracking information extracted from retailer emails. This data is stored locally in your browser (IndexedDB) and optionally synced to your account.
  • Authentication — We use Discord OAuth via Supabase for sign-in. We store your user ID and session tokens. We do not access your Discord messages or contacts.

Google API usage

When you connect a Google account, we request the gmail.readonly scope to search for order emails. Our use of Google API data complies with the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We only access Gmail data to find order and shipping emails from retailers.
  • We do not use Gmail data for advertising, market research, or email tracking.
  • We do not share Gmail data with third parties except as needed to provide the service.
  • We do not allow humans to read your email content unless required for security or legal compliance.

Data storage

Order data and email account credentials are stored locally in your browser (IndexedDB) and optionally synced to your account. When synced, IMAP passwords are encrypted at rest in our database and only decrypted server-side during scrape requests. Google OAuth refresh tokens are stored in your browser's local storage and sent to our backend only to exchange or refresh access tokens. All data transmission occurs over HTTPS.

Data sharing

We do not sell, rent, or share your personal data or order information with any third parties. We do not use your data for advertising or analytics beyond basic anonymous usage metrics (via Vercel Analytics).

Data deletion

You can delete all your data at any time from the Settings page. Disconnecting a Google account removes all stored tokens immediately. Deleting an email account removes all associated credentials and order data from your browser.

Security

All connections use HTTPS. IMAP credentials are transmitted securely and never persisted on our servers. Google OAuth tokens are managed per Google's security guidelines with automatic refresh and expiration handling.

Contact

For questions about this policy, reach out via our Discord server.