Privacy Policy
Last Updated: May 5, 2026
This Privacy Policy explains how ReceiptSanity ("we", "us", or "our") collects, uses, discloses, and protects your personal information when you use our web or mobile application. We are committed to handling your data with transparency and in compliance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), as well as applicable international privacy laws including the GDPR where relevant.
1. Information We Collect
We collect the following categories of personal information:
- Account Data: Your name, email address, and billing information provided at registration.
- User Content: Receipt images you upload, and the structured metadata extracted from those images (merchant name, date, amounts, line items, and tax information).
- Technical Data: IP addresses, device identifiers, operating system, app version, and usage logs collected automatically to operate and maintain the service.
We do not collect sensitive information beyond what is contained in receipts you choose to upload.
2. Third-Party AI Processing of Your Images
By using ReceiptSanity, you acknowledge and expressly consent to the following:
To extract structured data from your receipt images, we transmit those images to a third-party artificial intelligence service. Specifically:
- OpenAI (openai.com) — Receipt images are sent via OpenAI's API to a large language model (GPT-4o or equivalent) for optical character recognition and metadata extraction. OpenAI processes your image data on our behalf as a data sub-processor.
This transmission is necessary for the core function of the service. Without it, we cannot extract receipt data. OpenAI's processing of this data is governed by OpenAI's Privacy Policy and their API data usage policies. As of the date of this policy, OpenAI does not use API-submitted data to train its models by default.
Infrastructure sub-processors:
- Cloudflare — Our application runs on Cloudflare Workers and stores receipt images and data in Cloudflare R2 object storage. Cloudflare operates as a data processor under our instructions.
As these providers operate globally, your data may be transferred to and processed on servers located outside Australia, primarily in the United States.
3. How We Use Your Data
We use your personal information solely for the following purposes:
| Purpose | Legal Basis |
|---|---|
| Providing the receipt scanning and classification service | Performance of contract |
| Sending account-related communications (billing, security alerts) | Performance of contract / legitimate interests |
| Reviewing the accuracy and effectiveness of our AI data extraction (internal quality assurance only — see Section 4) | Legitimate interests |
| Complying with legal obligations | Legal obligation |
We do not use your data for advertising, profiling, or any purpose beyond those listed above.
4. We Do Not Sell or Share Your Personal Data
We do not sell, rent, lease, trade, or otherwise transfer your personal information — including your receipt images, extracted financial data, or account information — to any third party for any commercial, marketing, or other purpose.
The only internal use of your data beyond direct service delivery is limited to reviewing the effectiveness of our AI data extraction pipeline. This means we may inspect a sample of extracted receipt records to assess accuracy, identify parsing errors, and improve our classification logic. This review:
- Is conducted solely by authorised ReceiptSanity personnel.
- Is used exclusively for internal quality assurance and service improvement.
- Does not involve sharing your data with any third party.
- Does not result in your individual data being used to build profiles, to target advertising, or for any commercial secondary use.
This limited internal review does not constitute "use" of your data for any purpose other than improving the accuracy of the service you have subscribed to.
5. Data Security
We implement industry-standard security measures including:
- Encryption of data in transit (TLS 1.2+) and at rest.
- Access controls limiting data access to authorised personnel only.
- Regular review of our security posture and sub-processor compliance.
No method of transmission or storage is completely secure. In the event of a data breach affecting your personal information, we will notify you and the relevant regulatory authority in accordance with applicable law.
6. Your Rights
Regardless of your location, you have the right to:
- Access the personal information we hold about you.
- Correct inaccurate or incomplete personal information.
- Delete your account and associated receipt images and data.
- Object to or restrict processing of your personal information in certain circumstances.
- Portability — request a copy of your data in a machine-readable format.
- Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at the address in Section 9.
7. Data Retention
We retain your receipt data and account information for as long as your account is active or as necessary to provide the service. If you cancel your subscription or request deletion:
- Your account data and receipt records will be deleted within 30 days of the request.
- Residual copies in backup systems will be purged within 90 days.
- We may retain de-identified, aggregated statistical data (e.g. total number of receipts processed) that cannot be linked back to you, indefinitely.
Certain data may be retained longer where required by Australian tax law or other applicable legal obligations.
8. Children's Privacy
ReceiptSanity is not directed at individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected such information, please contact us immediately.
9. Contact and Complaints
For privacy enquiries, access requests, or complaints, contact us at:
ReceiptSanity
Submit a request via our Support page
If you are located in Australia and are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au. If you are located in the European Economic Area, you may contact your local data protection authority.
10. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes by email or via an in-app notice at least 14 days before the change takes effect. Continued use of the service after that date constitutes acceptance of the updated policy.