Privacy Policy

Last updated: 4 April 2026

1. Who we are

Gargoyle (gargoyle.nz) is operated by Shan Ming Yang Limited, a New Zealand limited company. In this policy "we", "us", and "our" refer to Shan Ming Yang Limited.

Gargoyle is an automated expense-claim tool that reads your Gmail inbox to identify receipts and invoices and helps you submit them to Hnry.

2. What Google data we access

When you sign in with Google, we request the following permissions:

  • Your name and email address — to identify your account.
  • Gmail (read-only) — to search your inbox for emails that contain receipts, invoices, or order confirmations. We do not read, store, or process any other email content.

Our use of data received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements.

3. How we use your data

We use the information we collect solely to provide the Gargoyle service to you:

  • Authenticate you and maintain your session.
  • Search Gmail for expense-related emails within the date range you specify.
  • Extract vendor name, amount, date, and currency from receipts and invoices.
  • Present extracted expenses for your review before any export or submission.

We will never use your Gmail data to serve advertisements, build user profiles for third parties, or for any purpose other than providing the expense-scanning features visible in the Gargoyle interface.

4. What we store

We store the following personal information in our database:

  • Your name, email address, and Google account ID.
  • Your Google OAuth access and refresh tokens, encrypted at rest using industry-standard Fernet symmetric encryption.
  • Expense candidates extracted from your emails: vendor name, amount, currency, date, email subject line, sender address, and any attached PDF or image receipt.
  • Metadata about scan jobs you have run (date range, counts, status).

We do not store the full body of emails beyond the extraction process. Raw email content is processed in memory and discarded; only the structured expense data derived from it is persisted.

5. Data sharing and third parties

We do not sell, rent, or share your personal information or Google user data with any third party, including advertisers, data brokers, or analytics providers.

We may disclose information if required to do so by law or in response to a valid legal process in New Zealand.

6. Data retention and deletion

We retain your data for as long as your account is active. You may request deletion of your account and all associated data at any time by emailing us (see section 9). We will process deletion requests within 30 days.

You can also revoke Gargoyle's access to your Google account at any time via Google Account Permissions. Revoking access prevents future scans but does not automatically delete data already stored; contact us to request full deletion.

7. Security

We take reasonable steps to protect your information. OAuth tokens are encrypted before storage. The application is served over HTTPS. Access to production systems is restricted to authorised personnel only.

No system is completely secure. If you become aware of any security issue, please contact us immediately.

8. Your rights under the NZ Privacy Act 2020

Under the New Zealand Privacy Act 2020, you have the right to:

  • Ask whether we hold personal information about you.
  • Request access to that information.
  • Request correction of any information that is inaccurate or misleading.

To exercise these rights, contact us at the address in section 9. We will respond within 20 working days as required by the Act.

9. Contact us

If you have any questions about this policy, or to request data access, correction, or deletion, please email: hello@gargoyle.nz

Shan Ming Yang Limited
New Zealand

10. Changes to this policy

We may update this policy from time to time. The date at the top of this page indicates when it was last revised. Continued use of Gargoyle after changes are posted constitutes acceptance of the revised policy.