Privacy policy
How SlipSave handles your account, receipts, and billing data.
Account & authentication
Signing up creates an account on our backend (Supabase, EU region). We store your email address and an account ID. We don't store your password — Supabase hashes it before writing. If you sign in with Google we also receive your Google account email; we never see your Google password.
Receipt processing
When you tap Process on a scan, the receipt images you selected are sent to our backend, which forwards them to the AI service with a fixed extraction prompt. We do not store your raw photos on our servers — they pass through to the AI service and are discarded after extraction. The parsed JSON (store name, items, prices) is returned to your phone and saved in the local SQLite database.
Per-call audit log
Each AI call is logged on our server: which user triggered it, the model identifier, token counts (no text), latency, and outcome (success / cap-hit / error). We use this to enforce free / Pro caps and to detect abuse. Token counts are aggregate numbers — the receipt content itself is not stored on the server.
Device fingerprinting
To stop a single device from creating dozens of free accounts to skip the cap, every Process tap mints a Play Integrity token and sends a hash of your Android SSAID (SHA-256 with a server-side salt). The hash can't be reversed to your SSAID and is only used to count how many free scans came from this device.
Subscription billing
Pro is a Google Play subscription. Google handles the payment; our server only sees the resulting purchase token, subscription ID, and renewal/cancel events from Real-time Developer Notifications. We use those to mark your account as Pro. Card details never reach us.
Geolocation
Off by default. If you turn it on in Settings → Privacy & data, a one-time location fix is attached when you finish a scan; the coordinates live alongside that single shop event row in the local database — they never leave the device.
Card numbers in receipts
Anything that looks like a 16- or 19-digit card number in the AI's parsed text is replaced with [redacted] before it lands in the database; the same redaction is applied on the local side.
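The redaction rule above, as an added Python example that is not SlipSave's own code: it walks the parsed receipt JSON and replaces any 16- or 19-digit run inside string fields, leaving numeric fields (prices) and other digit runs alone. Tolerating single spaces or dashes between digit groups is an assumption about how card numbers print on receipts.

```python
import json
import re

# Constructed example, not SlipSave's code. Matches a run of exactly 16 or
# 19 digits, optionally separated by single spaces or dashes (separator
# tolerance is an assumption). The lookarounds stop a longer run, e.g. a
# 17-digit order id, from being partially matched as a 16-digit card.
CARD_RE = re.compile(
    r"(?<!\d)(?<!\d[ -])"
    r"(?:\d(?:[ -]?\d){18}|\d(?:[ -]?\d){15})"
    r"(?![ -]?\d)"
)
REDACTED = "[redacted]"


def redact_text(text: str) -> str:
    """Replace every card-like digit run in a single string."""
    return CARD_RE.sub(REDACTED, text)


def redact_parsed(value):
    """Walk the parsed receipt JSON (dicts, lists, strings) and redact
    card-like numbers in every string field; non-strings pass through."""
    if isinstance(value, str):
        return redact_text(value)
    if isinstance(value, list):
        return [redact_parsed(v) for v in value]
    if isinstance(value, dict):
        return {k: redact_parsed(v) for k, v in value.items()}
    return value  # ints, floats, bools, None are left untouched


# Constructed sample of what the extraction step might hand back.
SAMPLE = {
    "store": "Example Mart",
    "items": [{"name": "Milk 1L", "price": 1.29}],
    "footer": "VISA **** 4111 1111 1111 1111 AUTH 123456 REF 1234567890123456789",
    "order_id": "12345678901234567",
}

if __name__ == "__main__":
    print(json.dumps(redact_parsed(SAMPLE), indent=2))
```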
Sign-out vs. delete account
Sign-out wipes the receipts on this device but keeps your account on our server. The next sign-in starts with a clean local database (cloud sync is on the roadmap, not yet shipped, so locally cached receipts are removed so that a later sign-in by a different account cannot see them).
Delete account permanently removes your account on our server, which cascade-drops the per-call audit log and every subscription notification we've ever received for you, then wipes the local database and image folder. Your billing history at Google is unaffected — manage it from the Play Store.
This summary is the binding policy for the app — if it ever disagrees with what the code does, the code is the bug.