ReceiptOS Privacy Policy

1. Introduction

ReceiptOS ("we," "our," or "us") operates the ReceiptOS platform, an AI-powered financial intelligence platform for growing businesses. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services.

We are committed to protecting your privacy and maintaining the highest standards of data security, especially when handling sensitive financial information. This policy describes our practices in accordance with applicable privacy laws.

2. Information We Collect

2.1 Personal Information

We collect personal information that you provide directly to us, including:

• Account Information: Name, email address, phone number, company name, job title
• Authentication Data: Username, password, and authentication tokens
• Profile Information: Profile photos, preferences, and account settings
• Billing Information: Payment details, billing addresses, and subscription information

2.2 Financial Data

As a financial management platform, we collect and process various types of financial information:

• Expense Data: Receipt images, expense amounts, descriptions, categories, and dates
• Bank Account Information: Account details through Plaid integration for transaction monitoring
• QuickBooks Data: Accounting records, chart of accounts, vendor information, and transaction history through OAuth connections
• Invoice and Payment Data: Client billing information, payment records, and accounts receivable data
• Credit Card Transactions: Corporate card data when integrated with our platform

2.3 Receipt and Document Processing

We process receipt images and documents using AI/OCR technology:

• Receipt Images: Photos and scanned documents containing merchant information, amounts, and transaction details
• Document Content: Text extracted from receipts, invoices, and other financial documents
• AI Processing Data: Machine learning model outputs, confidence scores, and categorization results

2.4 Integration Data

Through third-party integrations, we may access:

• QuickBooks Online Data: Complete accounting records as authorized by you through OAuth
• Banking Data via Plaid: Transaction history, account balances, and account metadata
• Communication Platform Data: Slack/Teams messages containing expense submissions
• WhatsApp Business Data: Messages and media sent through our WhatsApp integration

2.5 Usage and Technical Data

We automatically collect certain information about your use of our services:

• Log Data: IP addresses, browser type, device information, and access times
• Usage Analytics: Feature usage, session duration, and interaction patterns
• Performance Data: System performance metrics and error logs
• Location Data: General geographic location based on IP address

3. How We Use Your Information

3.1 Primary Business Purposes

We use your information to:

• Provide Core Services: Process expenses, categorize transactions, and generate financial reports
• AI Processing: Train and improve our machine learning models for receipt recognition and categorization
• Financial Intelligence: Provide analytics, insights, and automated financial workflows
• Integration Services: Sync data with QuickBooks, banking systems, and other financial tools
• Customer Support: Respond to inquiries, troubleshoot issues, and provide technical assistance

3.2 Business Operations

• Account Management: Create and maintain user accounts, process payments, and manage subscriptions
• Security: Detect fraud, prevent unauthorized access, and protect system integrity
• Compliance: Meet regulatory requirements, maintain audit trails, and support tax reporting
• Product Development: Improve our services, develop new features, and optimize user experience

3.3 Communication

• Service Communications: Send account notifications, security alerts, and system updates
• Customer Support: Respond to support requests and provide assistance
• Marketing Communications: Send newsletters and product updates (with opt-in consent)

4. Legal Basis for Processing

We process personal data based on:

• Contract Performance: Processing necessary to provide our services under our Terms of Service
• Legitimate Interests: Improving our services, security, and fraud prevention
• Legal Compliance: Meeting regulatory requirements and legal obligations
• Consent: For marketing communications and optional features (where consent is obtained)

5. Information Sharing and Disclosure

5.1 Third-Party Service Providers

We share information with trusted service providers who assist in our operations:

• Cloud Infrastructure: Vercel for hosting and deployment, Supabase for database and authentication
• Payment Processing: Polar.sh for subscription billing and payment processing
• Analytics: Vercel Analytics for performance monitoring
• Communication: Twilio for SMS/WhatsApp messaging services
• AI Services: OpenAI and Mistral AI for advanced language processing and receipt OCR capabilities

5.2 Integration Partners

With your explicit authorization, we share data with:

• Accounting Software: QuickBooks, Xero, and other accounting platforms you connect
• Banking Services: Plaid for secure bank account access
• Business Tools: Slack, Teams, and other workplace platforms you integrate

5.3 Legal Requirements

We may disclose information when required by law or to:

• Comply with legal processes, court orders, or government requests
• Protect our rights, property, or safety, or that of our users
• Investigate potential violations of our Terms of Service
• Respond to claims of fraudulent or illegal activity

5.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, user information may be transferred as part of the transaction, subject to equivalent privacy protections.

6. Data Security

6.1 Security Measures

We implement security measures to protect your information, leveraging the security capabilities of our infrastructure partners:

• Encryption: Data is encrypted in transit via HTTPS/TLS and at rest through our infrastructure providers
• Infrastructure Security: We use secure cloud providers (Supabase, Vercel) for underlying infrastructure security
• Access Controls: Application-level access controls and authentication through Supabase Auth
• Data Segregation: Customer data is logically separated at the application and database level

6.2 Financial Data Protection

Given the sensitive nature of financial information, we implement additional protections and rely on certified partners:

• Payment Security: Payment processing handled by PCI DSS compliant providers (Polar.sh, Stripe)
• Banking Integration Security: Plaid's bank-level security standards for financial data access
• Data Processing: Financial data processing through secure infrastructure (Supabase)
• Audit Capabilities: Application-level logging of data access and modifications
• Third-Party Certifications: We rely on our infrastructure partners' security certifications and regularly review their compliance status

Note: ReceiptOS is currently working toward formal security certifications. We implement security best practices and rely on certified infrastructure partners while building toward our own compliance frameworks.

6.3 AI/ML Security

For AI and machine learning operations:

• Model Security: AI models are secured and access is strictly controlled
• Data Anonymization: Personal identifiers are removed from training data where possible
• Processing Isolation: AI processing occurs in secure, isolated environments

7. Data Retention

7.1 Retention Periods

We retain information for as long as necessary to provide our services and comply with legal obligations:

• Account Data: Retained while your account is active and for 7 years after closure for compliance
• Financial Records: Retained for 7 years to support tax and audit requirements
• Usage Data: Aggregated usage analytics retained for 2 years

7.2 Data Deletion

Upon account closure or upon request (where legally permissible):

• Personal data is deleted within 30 days of account closure
• Financial records may be retained longer for compliance purposes
• Aggregated, anonymized data may be retained indefinitely for analytics

8. Your Privacy Rights

8.1 General Rights

You have the right to:

• Access: Request copies of your personal information
• Correction: Update or correct inaccurate information
• Deletion: Request deletion of your personal information (subject to legal requirements)
• Portability: Receive your data in a portable format
• Objection: Object to certain types of processing

8.2 California Privacy Rights

If you're a California resident, you have rights under the CCPA:

• Right to Know: Request information about data collection and use
• Right to Delete: Request deletion of personal information
• Right to Opt-Out: Opt-out of the sale of personal information (we do not sell personal information)
• Right to Non-Discrimination: Equal service regardless of privacy choices

8.3 Exercising Your Rights

To exercise your privacy rights, please contact us at support@receiptos.com. We will respond to requests within 30 days.

9. International Data Transfers

9.1 Cross-Border Processing

We may transfer your information internationally for processing and storage. When we do, we ensure appropriate safeguards are in place and data is protected by equivalent privacy standards.

9.2 Primary Processing Locations

• United States: Primary data processing and storage
• Cloud Providers: Vercel and Supabase infrastructure

10. Cookies and Tracking

10.1 Cookies We Use

• Essential Cookies: Required for basic site functionality and security
• Analytics Cookies: Help us understand usage patterns and improve our services
• Preference Cookies: Remember your settings and preferences

10.2 Third-Party Tracking

• Vercel Analytics: Performance monitoring
• Payment Processors: For secure payment processing

You can control cookies through your browser settings.

11. Children's Privacy

Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If we become aware that we have collected such information, we will take steps to delete it promptly.

12. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. We will:

• Post the updated policy on our website
• Notify you via email of material changes
• Update the "Last Updated" date at the top of this policy
• For material changes, we may require your renewed consent

13. Contact Us

If you have any questions about this Privacy Policy, please contact us:

Email: support@receiptos.com