Privacy Policy

Receipture is a receipt-management platform operated by Receipture Inc. ("Receipture", "we", "us", "our"), based in Ontario, Canada. This policy explains how we handle personal information in compliance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and Ontario's privacy framework.

We collect the following categories of information:

• Account info: name, email address, password hash, role (firm admin, accountant, or client), and the firm you belong to.
• Contact info: phone number (for clients who opt in to SMS receipt prompts).
• Receipt data:images of receipts you upload, emails you forward to your account's ingestion address, and the structured data we extract from them (vendor, date, total, tax, line items, payment method, last-four card digits).
• Billing info: handled by Stripe; Receipture stores only the customer ID and subscription state, never card numbers or full payment details.
• Usage info: standard server logs (IP address, user agent, timestamps) used for security and debugging.

We use this information to:

• Provide the receipt-capture, OCR, and reporting service.
• Send transactional messages (account verification, billing receipts, SMS prompts asking for the purpose of a receipt).
• Process payments and manage subscriptions through Stripe.
• Detect abuse, prevent fraud, and enforce our Terms of Service.
• Improve the product (aggregated, non-identifying analytics).

We do not sell your personal information. We do not use the contents of your receipts for marketing or to train third-party AI models.

We share narrowly-scoped data with the following third-party providers, each governed by their own privacy policies:

• Supabase — database and authentication hosting.
• Vercel — application hosting and edge delivery.
• Stripe — payment processing and subscription billing.
• Twilio — outbound SMS to clients who have opted in to text-message receipt prompts.
• SendGrid — outbound transactional email and inbound parsing of forwarded receipts.
• Anthropic (Claude API) — receipt content extraction. Receipt images and OCR text are sent to Claude for structured extraction; Anthropic states it does not retain customer API data for training.
• Google Cloud Vision — optical character recognition on receipt images.

We do not transfer personal information to other parties for their own marketing or advertising purposes.

Your data is stored on infrastructure operated by the providers listed above, primarily in North American data regions. Some providers may process data in the United States, where laws differ from Canada's. By using Receipture you consent to this cross-border processing for the purpose of providing the service.

We retain account and receipt data for as long as your firm has an active account, plus a reasonable period afterward to satisfy legal, tax, and accounting record-retention requirements (in Canada, generally six years after the relevant tax year). You may request deletion at any time, subject to those retention obligations.

Under PIPEDA, you have the right to:

• Access the personal information we hold about you.
• Correct information that is inaccurate or incomplete.
• Withdraw consent for non-essential processing.
• Request deletion of your account and associated data.
• File a complaint with the Office of the Privacy Commissioner of Canada if you believe your rights have been violated.

To exercise any of these rights, email us at hello@receipture.ca.

We use industry-standard measures to protect your data: TLS for data in transit, encryption at rest on managed databases, role-based access controls, and Supabase Row-Level Security to isolate data between firms. No system is perfectly secure; if we ever experience a breach affecting your information, we will notify you and the appropriate regulators in accordance with Canadian breach-notification rules.

Receipture uses cookies and local storage strictly for sign-in sessions and theme preferences. We do not use third-party advertising cookies or cross-site tracking. We may adopt privacy-respecting product analytics (such as PostHog) in the future; if so, this policy will be updated.

Receipture is a business tool and is not directed to children under 18. We do not knowingly collect personal information from children.

We may update this policy from time to time. Material changes will be communicated by email to firm administrators at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.

Questions or concerns about this policy or your personal information? Email hello@receipture.ca.