Privacy Policy

1. Who We Are

X-X-X-X (“we”, “us”, “our”) operates Receiptio, a receipt-scanning and expense-tracking service. For purposes of the EU and UK General Data Protection Regulations (collectively, “GDPR”), we are the data controller of your personal data. For California residents, we are the business that determines the purposes and means of processing your personal information.

2. Summary in Plain Language

• We collect only what we need to run Receiptio for you.
• Your receipts and extracted data are used to provide the Service to you, and for no unrelated purpose.
• We do not sell your personal information. We do not use it to train third-party or generalized AI models.
• You can access, export, correct, or delete your data at any time.
• Questions? Email privacy@receiptio.com — a human responds within one business day.

3. Information We Collect

• Account data: your name, email address, password (stored as a salted hash), and authentication tokens.
• Subscription and billing data: plan, billing status, last four digits of your payment method, billing address as required for tax. Full payment-card details are handled by our payment processor and are never stored on our servers.
• Receipt data: the images and PDFs you upload, and the structured fields we extract from them (vendor, date, total, line items, category, tax) including any edits you make.
• Usage data: technical information about how you use the Service (features used, errors encountered) so we can fix bugs and improve the product.
• Device and log data: IP address, browser type and version, operating system, and timestamps. Used for security, fraud prevention, and abuse detection.
• Communications: support emails and in-app messages you send us, and our responses.

4. How We Use Your Information (and the GDPR Legal Bases)

• To provide and operate Receiptio — performance of a contract (Art. 6(1)(b) GDPR).
• To process payments and prevent fraud — performance of a contract and our legitimate interests in preventing fraud (Art. 6(1)(b), (f)).
• To improve, secure, and maintain the Service — our legitimate interests in running a reliable, safe product (Art. 6(1)(f)). We use aggregated or anonymized data wherever possible.
• To send service-related communications (billing receipts, security alerts, important updates) — performance of a contract. These are not promotional.
• To send product news and tips — only if you opted in. You can withdraw consent at any time from the unsubscribe link in any such email (Art. 6(1)(a)).
• To comply with legal obligations — Art. 6(1)(c) (e.g., tax records, lawful requests).

5. Receipts, OCR, and Automated Processing

When you upload a receipt, we run OCR and parsing on the image to extract structured fields. This is automated processing necessary to provide the Service. It does not produce decisions with legal or similarly significant effects on you. You can review and correct any extracted field at any time, and you can delete an individual receipt or your entire account from your settings.

6. Who We Share Data With

We share personal data only with the following categories of recipients, and only for the purposes stated. All third-party processors are bound by written contracts requiring confidentiality and adequate safeguards.

• Hosting and storage providers — to operate the Service and store your data.
• Payment processors — to process subscription payments and detect fraud.
• Email delivery providers — to send transactional emails (receipts, security alerts, password resets).
• Customer support tooling — to help you when you contact us.
• Error and performance monitoring — to detect crashes and fix bugs.
• Legal authorities — only when required by law and with the narrowest possible disclosure.
• In a corporate transaction — if X-X-X-X is involved in a merger, acquisition, or financing, subject to standard confidentiality and continuity of this Policy.

We do not sell or share your personal information for cross-context behavioral advertising. We do not “sell” personal information as that term is defined under the California Consumer Privacy Act (CCPA/CPRA) or analogous US state laws.

7. International Data Transfers

We operate the Service for users in the European Union, the United Kingdom, the United States, and other regions. When we transfer personal data from the EU/EEA or UK to a country that does not benefit from an adequacy decision (such as some US-based providers), we rely on the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and other appropriate safeguards. You can request a copy of the relevant transfer mechanism by emailing privacy@receiptio.com.

8. How Long We Keep Data

• Account and receipt data: for as long as your account is active, plus up to 30 days after deletion (to allow recovery from accidental deletion), after which it is permanently erased from our active systems.
• Billing records: retained for as long as applicable accounting and tax law requires (typically 7–10 years).
• Logs and security data: up to 12 months.
• Support tickets: up to 24 months after resolution, to handle follow-ups.
• Backups: rolling encrypted backups are purged on a defined schedule and are not used for any purpose other than disaster recovery.

9. Your Rights

If you are in the EU, EEA, or UK (GDPR): you have the right to access, rectify, erase, restrict processing, port your data, object to processing based on legitimate interests, and withdraw any consent you previously gave. You also have the right to lodge a complaint with your local supervisory authority. A list of EU data protection authorities is available at edpb.europa.eu; the UK Information Commissioner's Office is at ico.org.uk.

If you are in California (CCPA / CPRA): you have the right to know what personal information we collect and how we use it, to delete it, to correct it, to opt out of sale or sharing (we do not sell or share), to limit use of sensitive personal information, and to non-discrimination for exercising your rights.

If you are in another US state with a comprehensive privacy law (such as Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, or Iowa), you have substantially similar rights.

To exercise any right, email privacy@receiptio.com from the address on your account, or use the in-app data request form under Settings → Privacy. We respond within 30 days (or sooner where the law requires). You can also authorize an agent to make a request on your behalf, subject to verification.

10. Children

Receiptio is not directed to children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us data, contact us at privacy@receiptio.com and we will delete it.

11. Security

We use industry-standard measures to protect your data, including encryption in transit (TLS) and at rest, strict access controls based on least privilege, audit logging of access to production systems, and regular security reviews. No system is perfectly secure; if a breach affects your personal data we will notify you and the relevant supervisory authorities within the timeframes required by law.

12. Automated Decision-Making

We do not make decisions about you that produce legal or similarly significant effects based solely on automated processing. OCR and field extraction on your receipts is an automated convenience that you remain in control of — you can review and edit every extracted field.

13. Changes to this Policy

If we make material changes, we will notify you by email or in-app at least 30 days before they take effect. The “Last updated” date at the top of this page reflects the most recent revision. We keep an archive of prior versions and can provide one on request.

14. Contact

• General privacy inquiries: privacy@receiptio.com
• Data Protection Lead: privacy@receiptio.com
• EU representative (where required by Art. 27 GDPR): to be designated upon EU establishment; contact privacy@receiptio.com in the meantime.
• UK representative (where required): to be designated; contact privacy@receiptio.com in the meantime.