ReceiptsLab

Privacy Policy

Last updated: March 26, 2026

ReceiptsLab ("we," "us," or "our") operates the receiptslab.com website and related services. This Privacy Policy explains how we collect, use, store, and protect your information when you use ReceiptsLab. We are committed to protecting your privacy and handling your data responsibly.

Overview

ReceiptsLab is designed with privacy as a core principle. The free tier processes all data entirely within your browser. The premium tier stores data in secure cloud infrastructure with strict access controls. In both cases, we minimize data collection and never sell or share your data with advertisers.

Free Tier: Client-Side Only

When you use ReceiptsLab without an account (free tier), all data processing happens entirely within your browser. Your receipt data is stored in your browser's IndexedDB database and is never transmitted to our servers. We do not collect, process, or store any receipt data for free tier users. Analytics calculations run locally on your device, and your financial data remains completely private.

Because data is stored in your browser, it may be lost if you clear browser data, switch browsers, or use private/incognito mode. We recommend using the built-in JSON export feature to create backups of your receipt data.

Premium Tier: Cloud Storage

Premium users who create an account have their receipt data stored securely in our cloud database hosted on infrastructure we control (self-hosted on dedicated hardware). This data is associated with your authenticated account and used solely to provide analytics features across your devices. We do not sell, share, or use your receipt data for advertising, marketing research, or any purpose other than providing the ReceiptsLab service to you.

Information We Collect

Account information (Premium tier only)

When you sign up for a Premium account via Google OAuth, we receive and store your email address, display name, and profile picture URL from Google. We do not receive or store your Google password.

Receipt data (Premium tier only)

Imported receipt data is stored in our cloud database after PII scrubbing (see below). This includes transaction dates, item descriptions, quantities, prices, store locations, and category information.

Payment information

Payment processing is handled entirely by Stripe. We do not receive, process, or store your credit card numbers, bank account details, or other payment credentials. Stripe provides us with a customer identifier and subscription status only. See Stripe's Privacy Policy for details on how they handle payment data.

Waitlist emails

If you sign up for our waitlist, we store your email address via Resend (our email service provider) to notify you about product updates. You can unsubscribe at any time by clicking the unsubscribe link in any email or by contacting us directly.

Automatically collected information

Our hosting infrastructure (Cloudflare) may collect standard web server logs including IP addresses, browser type, referring URLs, and pages visited. These logs are used for security monitoring and are not linked to your account or receipt data. In some deployments, ReceiptsLab may also use self-hosted, cookieless, anonymous analytics to measure aggregate pageviews and product usage trends. This analytics setup is operated on infrastructure we control and is used only to understand and improve the service. We do not send receipt contents, uploaded files, payment data, email addresses, names, raw event text, or other personal identifiers to analytics. We do not use advertising networks, tracking pixels, or third-party marketing analytics.

PII Scrubbing

Before storing any receipt data (in either tier), we automatically scrub personally identifiable information from the raw receipt JSON. This includes payment card digits, membership numbers, and other sensitive identifiers. The scrubbed data cannot be used to reconstruct your payment methods or membership details.

Third-Party Service Providers

We use the following third-party services to operate ReceiptsLab. Each processes only the minimum data necessary for its function:

  • Cloudflare (CDN, DNS, DDoS protection): Routes web traffic to our servers. May process IP addresses and request metadata. See Cloudflare Privacy Policy.
  • Google OAuth (authentication): Provides sign-in for Premium accounts. Receives only the authentication request. See Google Privacy Policy.
  • Stripe (payment processing): Handles subscription billing for Premium users. We never see or store your card details. See Stripe Privacy Policy.
  • Resend (transactional email): Sends waitlist confirmations and account notifications. Processes email addresses only. See Resend Privacy Policy.

Data Retention

Free tier data is stored in your browser's IndexedDB and retained until you clear it or your browser data is cleared. We have no access to this data and cannot recover it.

Premium tier receipt data is retained indefinitely while your account is active. If you cancel your subscription, your data is retained for 30 days after your billing period ends to allow for reactivation. After 30 days, data is permanently deleted. If you delete your account, all associated data is permanently deleted immediately.

Waitlist email addresses are retained until you unsubscribe or request removal.

Cookies and Local Storage

We use essential cookies only for authentication sessions (Premium tier) and theme preferences (light/dark mode). These essential cookies are separate from analytics. When analytics is enabled for a given deployment, it is cookieless and does not rely on advertising or third-party tracking cookies. The free tier uses IndexedDB (a browser storage API) to store receipt data locally.

Data Security

We implement appropriate technical and organizational measures to protect your data, including: encryption in transit (TLS/HTTPS enforced via HSTS), infrastructure hosted on dedicated hardware we control, PII scrubbing before data storage, authentication via OAuth 2.0 (no passwords stored), and regular security header enforcement (CSP, X-Frame-Options, X-Content-Type-Options).

Your Rights Under GDPR (European Users)

If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation:

  • Right of access (Article 15): Request a copy of your personal data.
  • Right to rectification (Article 16): Request correction of inaccurate data.
  • Right to erasure (Article 17): Request deletion of your personal data.
  • Right to data portability (Article 20): Receive your data in a structured, machine-readable format (JSON export).
  • Right to restrict processing (Article 18): Request limitation of data processing.
  • Right to object (Article 21): Object to processing based on legitimate interests.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

Your Rights Under CCPA (California Users)

If you are a California resident, you have the following rights under the California Consumer Privacy Act:

  • Right to know: Request what personal information we collect and how it is used.
  • Right to delete: Request deletion of your personal information.
  • Right to opt out of sale: We do not sell personal information to third parties.
  • Right to non-discrimination: We will not discriminate against you for exercising your rights.

To exercise these rights, contact [email protected].

Children's Privacy

ReceiptsLab is not intended for use by children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that we have collected data from a child under 13, we will delete it promptly. If you believe a child under 13 has provided us with personal information, please contact us at [email protected].

Data Breach Notification

In the event of a data breach affecting your personal information, we will notify affected users via email within 72 hours of becoming aware of the breach, as required by GDPR. The notification will include the nature of the breach, the data affected, steps we are taking to address it, and recommended actions for affected users.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify Premium users of material changes via email and update the "Last updated" date at the top of this page. Continued use of the service after changes constitutes acceptance of the updated policy.

Contact

For privacy-related inquiries, data access requests, or to exercise your rights under GDPR or CCPA, please contact us at [email protected].