AI Data Governance
Oracron uses Claude (Anthropic) to extract and audit freight invoices. This page explains exactly what happens to your data — what we log, what Anthropic holds, and what we commit to never doing.
"Anthropic does not train on commercial API inputs or outputs. Your invoice data is never used to improve any AI model — by Oracron or Anthropic."
Source: docs.claude.com/en/docs/legal-and-compliance/data-usage
The facts, plainly stated
Does Anthropic train on our API calls?
No. Commercial API inputs/outputs are contractually excluded from model training under Anthropic's usage policy. This applies to all Oracron edge function calls — invoice extraction, enrichment, dispute letter generation.
How long does Anthropic retain API logs?
Up to 30 days under Anthropic's standard commercial API terms, for abuse and trust-and-safety monitoring. After this period, Anthropic's copies of the request and response are automatically deleted. Oracron's own audit log (see below) is separate and retained under your contract.
Where is your data stored?
All invoice data, shipment records, and extracted content are stored in your organisation's selected region — the EU (Frankfurt, Germany) or the US, chosen at onboarding — on Supabase infrastructure. AI inference calls transit through Anthropic's API — headquartered in the US with EU Standard Contractual Clauses (SCCs) in place.
Does Oracron log every AI call?
Yes. Every Claude API call writes a row to our
ai_audit_log
table: edge function name, model used, policy version, SHA-256 hash of
request/response (no content stored in the log), token counts, latency, and your
organisation ID. This is your audit trail for GDPR Art. 30 record-keeping.
How is the policy version tracked?
Every API call carries the current
POLICY_VERSION
string (v1.0.0) in both a custom HTTP header (X-Oracron-Policy) and the system prompt. Any policy change increments this version and customers
are notified per Terms §7.7 (30-day sub-processor change notice).
Are you pursuing Zero Data Retention (ZDR)?
Yes. ZDR is an enterprise agreement with Anthropic that eliminates the up-to-30-day retention window entirely — inputs/outputs are not stored at rest after the inference response returns. We are pursuing ZDR once we reach the commercial threshold that qualifies us (≥3 paying customers or €5k MRR). Once active, we will update the privacy policy and notify all customers.
Does Oracron sell or share invoice data?
Never. Invoice data, shipment records, rate tables, and any extracted content are strictly confidential. They are never sold, shared with third parties for commercial purposes, or used to train any model — including our own internal improvements. See our Privacy Policy §4 for the full commitment.
What happens on each invoice extraction
Step-by-step data flow for a PDF invoice processed by Oracron.
-
1
PDF uploaded to Supabase Storage (EU)
File stored in your org's private bucket. AES-256 at rest, TLS 1.3 in transit. Accessible only to your organisation.
-
2
invoice-ingest edge function fires
Supabase Edge Function (Deno, running in your region) reads the PDF and constructs a Claude API request. The system prompt includes the policy marker (
X-Oracron-Policy: v1.0.0) and ametadata.user_idset to a SHA-256 hash of your organisation ID — an opaque identifier that itself contains no personal data. The invoice document, which may contain shipper and consignee names and addresses, is sent to Anthropic for extraction. -
3
Claude processes the invoice
Anthropic's API returns extracted fields (invoice number, lines, amounts, carrier). Anthropic holds this data for up to 30 days for trust-and-safety purposes, then auto-deletes. It is never used for model training.
-
4
Audit log row written to ai_audit_log
We write model, policy version, SHA-256 hashes, token counts, and latency. No invoice content is stored in this table — only the fingerprint of the call.
-
5
Extracted data stored in your Supabase org
Invoice lines, fee codes, amounts written to
invoices/invoice_lines. Row-Level Security (RLS) ensures only users in your organisation can read or write this data.
AI sub-processors
Non-AI sub-processors (database, email, CDN) are listed in the Privacy Policy. Customers are notified 30 days before any sub-processor change per Terms §7.7.
Questions about AI governance?
We respond to all privacy and data governance inquiries within 2 business days.
Policy version: v1.0.0 — Effective 2026-05-08 — Permanent link