
Privacy Policy

Last updated: 24 March 2026

Your Data is Safe

  • We never store your original receipt files
  • We never store your Google Drive folder URL
  • Files are processed in server memory and discarded immediately
  • Only extracted text data is saved (amounts, dates, vendors, categories)
  • We never sell or share your personal data
  • Your Google Drive files are never edited, moved, or deleted

What We Collect

Free Users

  • Hashed IP address — used to track free tier usage (10 receipts per user). Your IP address is hashed with SHA-256 before storage and is never stored in plaintext.
  • Extracted receipt data — retained for 24 hours, then deleted
  • localStorage data — theme preference, credit count, analytics opt-out flag. Stored in your browser only, not on our servers.

Paid Users

  • Email address — for account management and credit tracking
  • Extracted receipt data — retained for 12 months from processing
  • Payment information — processed securely by Stripe. We do not store your card details.

How We Process Your Receipts

When you share a Google Drive folder link:

  1. Our service account reads receipt files from your shared folder (read-only access)
  2. Each file is loaded into server memory temporarily
  3. The file content is sent to OpenAI's API for text extraction and categorisation
  4. Extracted data (amounts, dates, vendor names, categories, tax details) is saved to our database
  5. The file is discarded from memory — no copy is kept

Vendor Dictionary

When we process a receipt, the vendor name and its suggested category are saved to a shared dictionary. This helps improve categorisation accuracy for all users. The dictionary contains only vendor names and categories — no amounts, dates, tax IDs, or information traceable to an individual user.

Third-Party Services

  • OpenAI — processes receipt text and images for data extraction. OpenAI's API does not use customer data for model training.
  • Stripe — handles payment processing for credit purchases. We do not store card details.
  • Supabase — hosts our database where extracted data is stored.
  • Umami — privacy-focused analytics to understand site usage. No personal data is collected. You can opt out by visiting the site with ?notrack=true appended to the URL.
  • Google Drive API — used to read files from your shared folder. Read-only access, no write permissions.

AI Processing

Receipt extraction is handled by OpenAI's API. We do not use your extracted data to train AI models. The only "learning" that occurs is the vendor dictionary, which stores vendor names and categories — no personal or financial data.

Data Retention

  • Free tier extracted data: 24 hours
  • Paid tier extracted data: 12 months from processing
  • Vendor dictionary entries: retained indefinitely (no personal information)
  • Category corrections: retained indefinitely to maintain accuracy
  • Account data: retained until deletion is requested

Cookies and Local Storage

We do not use tracking cookies. We use browser localStorage for:

  • Theme preference (light/dark mode)
  • Free credit count (synced with server)
  • Analytics opt-out flag

An httpOnly session cookie is used for admin authentication only.

Your Rights

Under the New Zealand Privacy Act 2020 and applicable data protection laws, you have the right to:

  • Request access to your extracted data
  • Request correction of inaccurate data
  • Request deletion of your data
  • Opt out of analytics tracking

Contact

For privacy enquiries, contact us at privacy@tidymyexpenses.com.