Privacy Policy
Last updated: February 3, 2026
We know you're trusting us with deeply personal information — your conversations, your relationships, your patterns. We don't take that lightly. This policy explains exactly what we do with your data, how we protect it, and what control you have over it.
The Quick Summary
- We only collect what we need to analyze your conversations
- Your messages are encrypted at rest and in transit
- We NEVER sell your data. Period.
- You can export or delete your data anytime
- We don't share your information unless legally required
- You control who sees your reports
What Information We Collect
Information You Provide
Account Information: Email address, password (hashed — we never see it), name (optional), and country/timezone.
Conversation Data: Messages you upload or sync, contact names/identifiers, message timestamps, and media files (if you choose to include them).
Payment Information: Processed by Stripe — we don't store card details. We retain your billing address and transaction history.
Usage Information: Which features you use, report generation history, and app settings and preferences.
Information We Collect Automatically
Technical Data: Device type and OS version, app version, IP address (for security), and crash reports and error logs.
Analytics (Anonymous): Feature usage patterns, performance metrics, and general usage statistics.
We DON'T collect: location data, contact lists, photos outside of conversations, or microphone or camera access.
How We Use Your Information
To Provide Our Service: Analyze conversation patterns, generate reports, save your analysis history, and provide customer support.
To Improve Receipts: Fix bugs and improve performance, develop new features, and understand usage patterns (anonymized).
To Protect Everyone: Prevent fraud and abuse, enforce our terms of service, and comply with legal obligations.
What We DON'T Do: Sell your data to anyone, use your conversations for advertising, share your data with marketers, read your messages (only AI does), or build profiles to sell.
How We Store and Protect Your Data
Encryption: All conversation data is encrypted at rest in our database, TLS encryption protects all data in transit, and backups are encrypted and stored separately.
Security Measures: Two-factor authentication available, regular security audits, strictly limited employee access, incident response procedures, and compliance with industry standards.
Where Your Data Lives: Primary servers and backups are kept in geographically separate locations. We use Supabase for infrastructure. All locations have strong privacy laws.
How Long We Keep Your Data
| Data Type | Retention Period | Why |
|---|---|---|
| Messages | Until you delete | You control this |
| Analysis Results | 2 years after last access | Historical reference |
| Generated Reports | 90 days in our system | You should download them |
| Account Info | 30 days after deletion | In case you change your mind |
| Payment Records | 7 years | Tax and legal requirements |
| Support Tickets | 2 years | To help you better |
Who We Share Data With
Service Providers (only when necessary):
- Stripe: Payment processing
- Anthropic: AI analysis (anonymized chunks)
- Supabase: Infrastructure
- Resend: Email delivery
All partners are contractually bound to protect your data, limited to what they need, and prohibited from using your data for their purposes.
Legal Requirements: We may disclose data if required by court orders, search warrants, legal investigations, or imminent harm situations. We'll notify you unless legally prohibited.
We NEVER Share With: Advertisers, data brokers, marketing companies, your contacts or their lawyers (without court order), or anyone else without your permission.
Your Rights and Controls
Access Your Data: Download your messages, export analysis results, get copies of reports, and see what we have on file.
Control Your Data: Delete specific conversations, clear analysis history, remove your entire account, and opt out of analytics.
Correct Information: Update account details, fix incorrect data, and clarify context.
How to Exercise Rights: Go to Settings → Privacy in the app, or email privacy@rcpts.ai. We'll respond within 30 days.
Data Portability: You can export your data in JSON format (structured), PDF reports, or original message formats.
Children's Privacy
Receipts is NOT for anyone under 18. We don't knowingly collect data from minors. If we discover we have, we'll delete it immediately. Relationship analysis requires maturity, legal consent, and sensitive content handling.
International Users
Your data may be processed in various datacenters around the world. We use standard contractual clauses. You have the same privacy rights regardless of location, and local laws may provide additional protections.
GDPR (European Users): You have additional rights under GDPR. We're your data controller. Contact our DPO at privacy@rcpts.ai. You can lodge complaints with your supervisory authority.
CCPA (California Users): You have additional rights under CCPA. We don't sell personal information. You can opt out of analytics. No discrimination for exercising rights.
AI and Your Data
Messages are chunked into segments, sent to Anthropic's Claude API, and analyzed for patterns; the results are then returned and stored. Original messages are never stored by the AI.
AI Privacy Measures: No personal identifiers sent, context anonymized, no training on your data, secure API connections, and regular privacy audits.
Warrant Canary
We maintain a signed statement that we update at least every 30 days confirming we haven't been served with any secret government orders. If the canary stops updating or specific statements disappear, something may be wrong. Learn more about our warrant canary.
Changes to This Policy
We'll send email notifications for significant changes, give 30 days' notice before changes take effect, provide the option to export data before changes, and include a clear explanation of what changed.
Contact Us
Privacy Team: privacy@rcpts.ai
Data Protection Officer: dpo@rcpts.ai
Response Times: General questions: 5 business days. Rights requests: 30 days. Urgent security: 24 hours.