Privacy Policy
Reciptix LLP ("we," "our," or "us") operates the Receiptix mobile application and website ("the Service"). Reciptix LLP is a limited liability partnership registered in the United Kingdom and is the data controller for personal data processed through the Service. This Privacy Policy explains what we collect, why, who we share it with, and what rights you have.
Summary
- What we collect: the email address you sign up with, the receipts and expense entries you create, and basic technical data needed to run the app.
- What we use it for: running the app, processing receipts, sending you the emails you've asked for, and improving the product.
- Who we share it with: a small set of trusted vendors that help us deliver the Service (Google/Firebase, Anthropic, RevenueCat, Bento, and a few others — listed in full below).
- What we don't do: we do not sell your data, we do not use your individual receipts for advertising, and we do not use your receipts to train AI models.
- Your rights: you can access, correct, export, or delete your data at any time. Contact us at support@receiptix.io.
1. Information We Collect
Account Information. When you create an account, we collect your email address (required) and optionally your name and profile photo. If you sign in with Apple, Google, or another authentication provider, we receive the basic profile information that provider chooses to share.
Expense Data. This is the data you create as you use the app. It includes:
- Images and PDFs of receipts you upload or scan
- Text data extracted from those receipts (merchant, date, line items, totals, taxes, currency)
- Manually entered expense information
- Voice notes converted to text by your device's speech recognition (we do not retain the audio)
- Categories, tags, projects, and notes you add to your expenses
Subscription and Purchase Data. When you subscribe to a paid plan, we receive subscription status, plan tier, currency, renewal date, and original transaction identifiers from Apple, Google, or RevenueCat. We do not see or store payment card numbers or bank account details — those are handled by Apple and Google.
Project Sharing Data. If you share a project with another user, your display name and profile photo (but not your email address) become visible to other members of that project, and theirs to you.
Telegram Linking Data. If you link your account to our Telegram bot, we store your Telegram user ID so we can associate Telegram messages with your account. We do not store Telegram usernames or unrelated message content.
Device and Technical Data. To operate the Service, we automatically collect:
- Device identifiers such as Firebase Installation ID
- Push notification tokens (so we can send you reminders and notifications you've enabled)
- App version, operating system, device model, language, and timezone
- IP address (logged automatically by our hosting infrastructure for security and abuse prevention)
- Crash reports and diagnostic logs via Firebase Crashlytics
- Usage events such as screen views, feature interactions, and error rates via Firebase Analytics
What we do not collect. We do not collect advertising identifiers (IDFA on iOS, GAID on Android). We do not access your contacts, calendar, photo library (beyond images you explicitly select), or location.
2. How We Use Your Information
We use the information described above to:
- Provide the core functionality of the app — storing your expenses, syncing across devices, generating reports, and sharing projects with others you invite
- Process receipt images and PDFs to extract structured expense data, using third-party AI services as described in Section 4
- Send you transactional emails (account confirmation, expense reports you've requested, password resets)
- Send you lifecycle and product emails (subscription confirmations, important changes, occasional product updates) — you can unsubscribe at any time
- Provide customer support when you contact us
- Detect, prevent, and respond to fraud, abuse, and security incidents
- Measure app performance, fix bugs, and improve the product
- Comply with legal obligations
What we never do:
- We do not sell your personal data to anyone.
- We do not use your individual receipts or expense data for advertising or marketing purposes.
- We do not use your receipts or expense data to train AI models, ours or anyone else's.
- We do not share your expense data with third parties beyond what is strictly necessary to operate the Service as described in this policy.
3. Legal Basis for Processing (UK and EU Users)
Under UK GDPR and EU GDPR, we rely on the following legal bases to process your personal data:
- Performance of contract — to provide the Service you've signed up for, including storing your expenses, processing receipts, and delivering subscription benefits.
- Legitimate interests — to keep the Service secure, prevent abuse, measure product performance, improve the app, and send product and lifecycle messages (emails and push notifications) about features and updates similar to the Service. You can opt out of emails via the unsubscribe link in any message and turn off push notifications in your device settings.
- Legal obligation — where we are required to retain or disclose data to comply with applicable law.
4. Third-Party Services and Sub-Processors
We rely on the following service providers to deliver the Service. Each processes personal data only on our behalf and only for the purposes described.
- Google / Firebase (United States and EU) — authentication, database (Firestore), file storage (Cloud Storage), Cloud Functions, push notifications (FCM), crash reporting (Crashlytics), and analytics (Firebase Analytics / Google Analytics 4).
- Google Document AI (United States and EU) — extracting text from receipt images and PDFs.
- Anthropic (United States) — categorizing and structuring receipt data using the Claude API. Anthropic does not train its models on data submitted via the API.
- RevenueCat (United States) — managing in-app subscriptions, entitlements, and subscription analytics.
- Bento (United States) — sending transactional and lifecycle emails (account confirmation, subscription notifications, expense reports). Bento receives your email address, name, Firebase user ID, and subscription events. Bento does not receive your expense data.
- Apple (United States) — App Store distribution, in-app purchase processing, push notification delivery (APNs), and (where applicable) on-device or cloud-based speech recognition for voice mode on iOS.
- Google Play (United States) — Play Store distribution, in-app purchase processing, and (where applicable) on-device or cloud-based speech recognition for voice mode on Android.
- Telegram (United Arab Emirates) — only if you choose to link a Telegram account. Telegram receives the messages you send to our bot and the responses our bot sends back.
We may add or change sub-processors over time. Material changes will be reflected in this policy.
5. Data Storage, Security, and Retention
Where your data is stored. Your data is stored using Google Firebase, primarily in data centers operated by Google. Some data may be processed in the United States or other regions where our service providers operate (see Section 6 on international transfers).
Security. We implement industry-standard technical and organizational measures to protect your data, including encryption in transit (HTTPS/TLS), encryption at rest, role-based access controls, and authentication.
Retention. We retain your account and expense data for as long as your account remains active. When you delete your account (see Account Deletion), we delete your personal data and expense records from our active systems within 30 days. Some information may remain in encrypted backups for up to 90 days before being permanently removed. Anonymized usage statistics, security logs, and aggregate metrics may be retained longer for product improvement and compliance purposes.
6. International Data Transfers
Reciptix LLP is registered in the United Kingdom. Most of our service providers are based in the United States or operate global infrastructure. When your personal data is transferred outside the UK or the European Economic Area, we rely on appropriate safeguards to protect it, including:
- The UK International Data Transfer Agreement and the European Commission's Standard Contractual Clauses (SCCs)
- The UK extension to the EU-US Data Privacy Framework, where applicable
- Other transfer mechanisms recognized by UK and EU data protection law
7. Data Access by Our Team
Your expense data is processed automatically by our systems. Our team does not proactively browse or read user data.
Access to individual user data by our team is limited to specific situations:
- Responding to a support request you've sent us
- Investigating a technical issue or bug you've reported
- Investigating suspected fraud, abuse, or a security incident
- Complying with a legal obligation
8. Your Data Protection Rights
Depending on where you live, you may have some or all of the following rights regarding your personal data:
- Right of access — to ask us what personal data we hold about you and to receive a copy
- Right to rectification — to ask us to correct inaccurate or incomplete data
- Right to erasure — to ask us to delete your data ("right to be forgotten")
- Right to restriction — to ask us to limit how we use your data
- Right to data portability — to receive your data in a structured, machine-readable format and transmit it to another service
- Right to object — to object to processing based on legitimate interests, including for direct marketing
- Rights related to automated decision-making — we do not make decisions about you that have legal or similarly significant effects based solely on automated processing
- Right to withdraw consent — where we rely on consent, you can withdraw it at any time
- Right to lodge a complaint — you can complain to your local data protection authority
To exercise any of these rights, contact us at support@receiptix.io. To delete your account directly, see our Account Deletion instructions. We will respond within one month of receiving your request.
9. California Privacy Rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you specific rights regarding your personal information.
Categories of personal information we collect. In the past 12 months, we have collected the following categories: identifiers (email, user ID, device identifiers); commercial information (subscription data); internet or other electronic activity (usage events, crash reports); geolocation data (only the country/region inferred from IP address); and other information you provide (expense data).
Your CCPA/CPRA rights:
- Right to know what personal information we collect, use, disclose, and share
- Right to delete personal information we have collected from you
- Right to correct inaccurate personal information
- Right to opt out of sale or sharing of personal information. We do not sell your personal information, and we do not share it for cross-context behavioral advertising.
- Right to limit use of sensitive personal information
- Right to non-discrimination for exercising your rights
To exercise these rights, contact us at support@receiptix.io. We will verify your request by confirming your identity through the email address associated with your account.
10. Cookies and Tracking Technologies
In the app: the Receiptix mobile app does not use browser cookies. It does use device identifiers and similar technologies (Firebase Installation ID, push tokens) as described in Section 1.
On our website: our website (receiptix.io) uses cookies for essential functionality and Google Analytics.
In our emails: our transactional and lifecycle emails may include open tracking pixels so we can measure delivery and engagement at an aggregate level. If you would prefer not to be tracked in this way, most email clients allow you to disable image loading.
11. Children's Privacy
Receiptix is not directed at children. The Service is intended for users aged 16 and over. We do not knowingly collect personal data from anyone under 16. If you are a parent or guardian and you believe your child has provided us with personal data, please contact us at support@receiptix.io and we will delete the account.
For users in the United States: in compliance with the Children's Online Privacy Protection Act (COPPA), we do not knowingly collect personal information from children under 13.
12. Data Breach Notification
If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority (in the UK, the Information Commissioner's Office) within 72 hours of becoming aware of the breach, where required by law. If the breach is likely to result in a high risk to you, we will also notify you directly without undue delay.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date below and, for significant changes, notify you by email or through the app. Your continued use of the Service after the changes take effect constitutes acceptance of the updated policy.
14. Contact Us
If you have questions about this Privacy Policy, want to exercise your rights, or wish to make a complaint, please contact us at support@receiptix.io.
You can also see our Terms of Use.
Last Updated: April 11, 2026