Legal

Privacy Policy

Last updated: June 2026

ReceiptIQ ("we", "us", "our") operates the ReceiptIQ service at receipt-iq.com. This Privacy Policy explains what data we collect, how we use it, and your rights regarding your data. Our Terms of Service are at https://receipt-iq.com/terms. We have written this policy in plain English to be as clear as possible.

What we collect

When you create an account, we collect your email address and name. When you upload receipts, we store the original files and all data extracted from them — vendor names, amounts, dates, line items, and any other fields our AI identifies. We also collect standard usage data such as the number of uploads, search queries, and feature interactions. We do not collect payment card details directly — these are handled by Stripe. If you choose to connect Gmail or Outlook, we also store OAuth access credentials (access and refresh tokens), your connected inbox email address, sync status, and Gmail/Outlook message IDs for emails we have already processed (to avoid importing the same receipt twice). We do not permanently store the full text or body of your emails — only receipt attachments and inline receipt content that pass our receipt-detection filters.

Email integrations (Gmail & Outlook)

ReceiptIQ offers optional email sync so you can automatically import receipts and invoices from your inbox. This feature is entirely opt-in — we only access your email if you explicitly connect Gmail or Outlook from your account Settings or Dashboard.

Gmail (Google): When you connect Gmail, you authorise ReceiptIQ to access your Google account using the gmail.readonly scope. This is read-only access. We use it solely to:

• Search your Gmail inbox for messages that appear to contain receipts or invoices (by subject, sender, attachment type, and filename)
• Download receipt attachments (PDF, images, and similar files) and convert qualifying inline HTML receipts to PDF
• Import those files into your ReceiptIQ account for AI extraction and storage

We do not use Gmail data to serve advertisements. We do not sell, rent, or share your Gmail data with third parties for their marketing purposes. We do not allow humans to read your Gmail messages except: (a) with your explicit consent for a specific message, (b) where necessary for security purposes (such as investigating abuse), or (c) where required by applicable law. We do not send, delete, modify, or label your emails. We do not access Gmail contacts, calendar, Drive, or any Google service other than Gmail read access and your email address (via the userinfo.email scope).

Outlook / Microsoft 365: When you connect Outlook, you authorise ReceiptIQ to read your mailbox using the Microsoft Graph Mail.Read permission (read-only). The same principles apply: we scan only for receipt-related messages, import qualifying attachments, and do not modify or delete your email. We do not use Outlook data for advertising or sell it to third parties.

Google API Limited Use disclosure

ReceiptIQ's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, we use Google user data (Gmail) only to provide and improve the user-facing receipt import feature you request. We do not use Google user data for serving advertisements, for selling to third parties, or for training generalized machine learning models. We do not allow humans to read your Gmail data unless you have given us affirmative agreement for specific messages, it is necessary for security purposes, or we are required to do so by law. We do not transfer Google user data to third parties except: (1) as necessary to provide the service (e.g. cloud hosting and AI extraction infrastructure that processes receipt files on our behalf, under strict data-processing terms), (2) for legal compliance, or (3) as part of a merger or acquisition with notice to you. You may request deletion of data we received from Google APIs by disconnecting Gmail (see below) or contacting us at support@receipt-iq.com. For more information, see Google's API Services User Data Policy: https://developers.google.com/terms/api-services-user-data-policy

How we use it

Your data is used to provide the ReceiptIQ service: storing your receipts, running AI extraction, enabling search, and managing your account. Email integration data is used exclusively to find and import receipt-related messages from your connected inbox — not for advertising, profiling, or any purpose unrelated to the service. We may use aggregate, anonymised usage patterns to improve our AI models and product experience. We do not use individual receipt content to train models without your explicit consent. We use your email address to send transactional notifications (upload confirmations, billing receipts) and, if you opt in, product updates.

Data storage

Receipt files and extracted data are stored in Supabase, which uses PostgreSQL for structured data and Supabase Storage (backed by S3-compatible object storage) for files. Search embeddings — vector representations of your receipts used to power semantic search — are stored in Qdrant, a dedicated vector database. Both Supabase and Qdrant infrastructure are hosted in the EU and/or US depending on your region. All data in transit is encrypted via TLS. All data at rest is encrypted by the storage providers.

Your receipt data

Your receipts are private to your account — whether uploaded manually or imported via Gmail or Outlook. We do not share, sell, or expose your receipt data to third parties, other users, or advertisers. Receipt content is never used to train AI models without your explicit, opt-in consent. If you delete a receipt from your account, it is removed from all storage systems including our search index within 7 days.

Third-party services

We use a small number of trusted third-party services to run ReceiptIQ:

• Google (Gmail API & OAuth) — only when you connect Gmail. Google processes your OAuth authorisation and provides read-only access to your inbox. Google's privacy policy applies to data Google processes: https://policies.google.com/privacy
• Microsoft (Microsoft Graph & OAuth) — only when you connect Outlook. Microsoft processes your OAuth authorisation and provides read-only mailbox access. Microsoft's privacy policy applies: https://privacy.microsoft.com/
• Stripe — for payment processing and subscription management. Stripe receives your billing details and handles all card transactions. Stripe's privacy policy applies to data they collect.
• Supabase — for database and file storage. Your receipts, account data, and OAuth tokens are stored on Supabase infrastructure.
• Qdrant — for vector search. Embeddings derived from your receipt text are stored in Qdrant to power semantic search within your account.
• AI inference services — receipt images and PDFs (including those imported from email) are sent to our AI extraction infrastructure to identify vendor, amounts, dates, and line items. These services process files on our behalf to return structured data; they are not authorised to use your content for their own model training.
• Resend — for transactional email (account verification, password reset, billing notifications). Resend's privacy policy applies to delivery metadata they process.
• Google Analytics (Google LLC) — for understanding how visitors use the marketing site (page views, device type, browser, and general geographic region). We use Google Analytics 4 with no advertising features enabled. Google may set first-party cookies (_ga, _ga_*) to distinguish unique visitors. Google's privacy policy applies to data they collect on our behalf.

We do not use advertising networks or social media plugins. We do not sell your personal data or email content to data brokers or advertisers.

Disconnecting Gmail or Outlook

You can stop ReceiptIQ from accessing your email at any time from Settings → Email Integrations → Disconnect, or by revoking access directly with your provider:

• Revoke access in Google: visit https://myaccount.google.com/permissions, find ReceiptIQ, and click Remove Access. This immediately prevents further Gmail access.
• Revoke access in Microsoft: visit https://account.live.com/consent/Manage, find ReceiptIQ, and remove permissions.
• In ReceiptIQ: go to Settings, find Gmail or Outlook under Email Integrations, and click Disconnect (confirm when prompted). We delete your stored OAuth tokens immediately and revoke Gmail access with Google when possible.

Revoking access or disconnecting stops future syncs. Receipts already imported remain in your account until you delete them from the dashboard or request account deletion.

Data retention

We retain your account data and receipts for as long as your account remains active. OAuth tokens and email integration records are retained only while your inbox remains connected, and are deleted when you disconnect or delete your account. If you delete your account, all personal data, receipt files, OAuth tokens, and integration records are permanently deleted within 30 days. Billing records may be retained for up to 7 years as required by financial regulations, but are stripped of personal identifiers where possible. Backups are rotated on a 30-day cycle.

Your rights

You can access all your data at any time from your account dashboard. You can export your receipts and extracted data in CSV format at any time from the dashboard or via the API. You can delete individual receipts from the dashboard at any time. To request full account deletion, disconnect an email integration, or receive a complete data export, contact us at support@receipt-iq.com. We will respond within 2 business days. If you are in the EU or UK, you have rights under GDPR including the right to access, rectify, erase, and port your data.

Cookies

We use session cookies to keep you logged in during your session. We also use Google Analytics cookies (_ga, _ga_*) to collect anonymous usage statistics such as page views and visitor counts. These cookies do not contain personal information and are not used for advertising. No data is shared with advertising networks. You can disable cookies in your browser, but doing so will prevent you from staying logged in and will stop analytics collection.

Contact

If you have any questions about this privacy policy or how your data is handled, please contact us at support@receipt-iq.com. We aim to respond to all privacy enquiries within 2 business days.

Children

ReceiptIQ is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has created an account, contact us at support@receipt-iq.com and we will delete it promptly.