Privacy Policy — WhatReceipt

This Privacy Policy explains how WhatReceipt collects, uses, stores, shares, and protects your personal information when you use our platform at https://whatreceipt.com.

Effective Date: February 12, 2026  |  Operated from: Mexico  |  Serving users: Globally

1. Introduction

This Privacy Policy ("Policy") describes how WhatReceipt ("we," "us," or "our") collects, uses, stores, shares, and protects your personal information when you access or use the WhatReceipt platform available at https://whatreceipt.com, including any associated websites, applications, and services (collectively, the "Service").

WhatReceipt is a software-as-a-service ("SaaS") platform that enables users to upload receipts—in image or PDF format—and extract structured financial information using artificial intelligence. The Service helps users organize, classify, and manage their receipts and expense data digitally.

WhatReceipt is operated from Mexico and serves users globally. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree with any part of this Policy, you should discontinue use of the Service immediately.

This Policy was last updated on February 12, 2026.

2. Information We Collect

We collect information necessary to provide, maintain, and improve the Service. The categories of information we collect are as follows:

2.1 Account Information: When you create an account, we collect your name, email address, and authentication credentials. Account creation and authentication are managed through Supabase, our database and authentication provider.

2.2 Uploaded Receipt Files: You may upload receipt images (JPEG, PNG, HEIC, and similar formats) and PDF documents to the Service. These files are stored on S3-compatible cloud storage infrastructure managed by us.

2.3 Extracted Receipt Data: Our Service uses artificial intelligence, powered by OpenAI, to extract structured data from your uploaded receipts. This extracted data may include merchant name, transaction date, itemized amounts, tax figures, totals, currency, and payment method.

2.4 Usage and Log Data: We automatically collect technical information when you interact with the Service, including your IP address, browser type and version, operating system, referring URLs, pages visited, timestamps of access, and general interaction patterns. This data helps us understand how the Service is used and allows us to diagnose technical issues.

2.5 Payment Information: If you subscribe to a paid plan, payment processing is handled by Stripe. We do not directly collect, store, or process your credit card number or full payment credentials. Stripe may share with us limited transaction details such as the last four digits of your card, billing address, and transaction status. Please refer to Stripe's privacy policy for details on how they handle your payment data.

2.6 Communications Data: If you contact us for support, submit feedback, or otherwise communicate with us, we collect the content of those communications along with associated metadata such as your email address and timestamps.

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Service Delivery and Operation: To create and manage your account, process uploaded receipts through AI-based extraction, store and organize your receipt data, and provide the core functionality of the Service.

3.2 Service Improvement: To analyze usage patterns in aggregate, identify technical issues, optimize performance, and develop new features that enhance the user experience.

3.3 Communications: To send you transactional emails (such as account verification, password resets, and receipt processing confirmations) via Mailjet, our transactional email provider. We may also send you service-related announcements, updates, and security alerts.

3.4 Customer Support: To respond to your inquiries, troubleshoot problems, and provide assistance related to the Service.

3.5 Security and Fraud Prevention: To monitor for unauthorized access, detect abuse or suspicious activity, enforce our Terms of Service, and protect the rights, property, and safety of WhatReceipt and its users.

3.6 Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.

3.7 Marketing (with consent): With your explicit consent, we may send promotional communications about new features, offers, or related services. You may opt out of marketing communications at any time by following the unsubscribe instructions included in each email or by contacting us directly.

5. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We share your data only in the limited circumstances described below:

5.1 Service Providers: We engage trusted third-party service providers who process data on our behalf to support the operation of the Service. These providers are contractually obligated to use your data only for the purposes we specify and to maintain appropriate security measures. Our current service providers include Supabase (authentication and database), OpenAI (AI-based receipt processing), Stripe (payment processing), Mailjet (transactional email delivery), Upstash (infrastructure and caching), and cloud hosting and S3-compatible storage providers.

5.2 Legal Requirements: We may disclose your information if required to do so by law, regulation, or valid legal process (such as a court order or subpoena), or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, to investigate fraud, or to respond to a government request.

5.3 Business Transfers: In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal information.

5.4 With Your Consent: We may share your information with third parties when you have given us explicit consent to do so.

5.5 Aggregated or De-Identified Data: We may share aggregated or de-identified information that cannot reasonably be used to identify you, for purposes such as analytics, research, or industry benchmarking.

6. Third-Party Services

The Service relies on third-party providers to deliver core functionality. Each provider operates under its own privacy policy and data handling practices. We encourage you to review their respective policies:

6.1 Supabase: Provides database hosting and user authentication services. Your account information and application data are stored on Supabase infrastructure. Supabase's privacy policy is available at https://supabase.com/privacy.

6.2 OpenAI: Powers the AI-based extraction of structured data from your uploaded receipts. Receipt content is transmitted to OpenAI's API for processing. We do not permit OpenAI to use your data to train their models, in accordance with their API data usage policies. OpenAI's privacy policy is available at https://openai.com/privacy.

6.3 Stripe: Handles payment processing for paid subscriptions. Payment credentials are submitted directly to Stripe and are not stored on our servers. Stripe's privacy policy is available at https://stripe.com/privacy.

6.4 Mailjet: Delivers transactional emails on our behalf, such as account verification and service notifications. Mailjet receives your email address and the content of those communications. Mailjet's privacy policy is available at https://www.mailjet.com/privacy-policy.

6.5 Upstash: Provides Redis-based caching and infrastructure services used to improve Service performance and reliability. Upstash's privacy policy is available at https://upstash.com/trust/privacy.html.

6.6 Cloud Hosting and Storage: Our application infrastructure and uploaded files are hosted on industry-standard cloud platforms with S3-compatible object storage. These providers maintain robust security programs and compliance certifications.

We select service providers based on their security practices, compliance posture, and contractual commitments to data protection. However, we cannot guarantee the practices of third parties and are not responsible for their independent actions.

7. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law.

7.1 Account Data: We retain your account information for as long as your account remains active. If you request account deletion, we will delete or anonymize your personal data within thirty (30) days, except where retention is required for legal, tax, or audit purposes.

7.2 Uploaded Files and Extracted Data: Your uploaded receipt files and associated extracted data are retained for the duration of your active account. Upon account deletion, these files will be permanently removed from our primary storage within thirty (30) days. Residual copies in encrypted backups may persist for up to ninety (90) days before being overwritten.

7.3 Usage and Log Data: Technical logs and usage data are retained for a maximum of twelve (12) months for purposes of security monitoring, troubleshooting, and service improvement, after which they are automatically purged or anonymized.

7.4 Payment Records: Transaction records and billing history necessary for accounting, tax reporting, or regulatory compliance may be retained for up to five (5) years following the end of the applicable subscription period, as required by law.

7.5 Communications: Support correspondence and feedback may be retained for up to two (2) years after the last interaction to maintain continuity of support and for quality assurance purposes.

8. Data Security

We implement reasonable and appropriate technical and organizational measures designed to protect your personal information against unauthorized access, alteration, disclosure, or destruction. While no method of transmission over the Internet or electronic storage is completely secure, we strive to employ industry-standard protections, including but not limited to the following:

8.1 Encryption: Data transmitted between your browser and the Service is protected using Transport Layer Security (TLS). Stored data, including uploaded receipt files and extracted information, is encrypted at rest using strong encryption standards.

8.2 Authentication and Access Controls: User authentication is managed through Supabase with secure session handling. Internal access to user data is restricted on a need-to-know basis using role-based access controls and the principle of least privilege.

8.3 Infrastructure Security: Our hosting environment leverages cloud providers that maintain comprehensive security programs, including network firewalls, intrusion detection, regular vulnerability assessments, and compliance with recognized security standards.

8.4 Data Isolation: Each user's data is logically segregated within our systems. Receipt files and extracted data belonging to one user are not accessible to other users.

8.5 Incident Response: We maintain internal procedures for identifying, reporting, and responding to potential security incidents. In the event of a data breach that affects your personal information, we will notify you in accordance with applicable law.

We regularly review and update our security practices. However, we cannot guarantee absolute security, and you acknowledge that the transmission of information over the Internet carries inherent risks.

9. International Data Transfers

WhatReceipt operates from Mexico and utilizes service providers that may process or store data in jurisdictions outside of your country of residence, including the United States and other countries.

9.1 Transfer Mechanisms: When your personal information is transferred to a country that may not provide the same level of data protection as your home jurisdiction, we take reasonable steps to ensure that appropriate safeguards are in place. These may include entering into data processing agreements with our service providers that incorporate standard contractual clauses or equivalent protections recognized under applicable law.

9.2 User Acknowledgment: By using the Service, you acknowledge and consent to the transfer, processing, and storage of your personal information in Mexico and other countries where our service providers operate. These countries may have data protection laws that differ from those in your jurisdiction.

9.3 Safeguard Requests: You may contact us to request further information about the specific safeguards applied to international transfers of your personal data.

10. Your Rights

Depending on your jurisdiction, you may have certain rights regarding your personal information. WhatReceipt is committed to facilitating the exercise of these rights to the extent required by applicable law.

10.1 Right of Access: You may request confirmation of whether we process your personal information and obtain a copy of the data we hold about you.

10.2 Right to Rectification: You may request correction of inaccurate or incomplete personal information.

10.3 Right to Deletion: You may request the deletion of your personal information, subject to applicable legal retention requirements. Deletion of your account will result in the permanent removal of your data as described in the Data Retention section above.

10.4 Right to Object or Restrict Processing: You may object to or request restriction of certain processing activities, including direct marketing communications.

10.5 Right to Data Portability: Where technically feasible and required by law, you may request a copy of your personal data in a structured, commonly used, and machine-readable format.

10.6 Right to Withdraw Consent: Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.

10.7 ARCO Rights (Mexico): Under the LFPDPPP, you have the rights of Access, Rectification, Cancellation, and Opposition (ARCO). To exercise these rights, submit a written request to the contact information provided below. We will respond within twenty (20) business days of receiving a complete request.

10.8 How to Exercise Your Rights: To exercise any of the above rights, please contact us at info@whatreceipt.com with a description of your request and sufficient information to verify your identity. We will respond within the timeframe required by applicable law.

11. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience, analyze usage, and support the operation of the Service.

11.1 Essential Cookies: These cookies are strictly necessary for the Service to function. They enable core features such as user authentication, session management, and security protections. They cannot be disabled without impairing the Service.

11.2 Analytics and Performance Cookies: We may use analytics services to collect aggregated information about how users interact with the Service. This helps us measure performance, identify areas for improvement, and understand usage trends.

11.3 Functional Cookies: These cookies remember your preferences and settings to provide a more personalized experience.

11.4 Cookie Management: Most web browsers allow you to manage cookie preferences through browser settings. You may choose to block or delete cookies; however, doing so may affect the functionality of the Service. For more specific control, refer to your browser's help documentation.

11.5 Do Not Track: Some browsers offer a "Do Not Track" (DNT) signal. There is currently no universally accepted standard for how online services should respond to DNT signals. At this time, we do not respond to DNT signals, but we will continue to monitor developments in this area.

12. Children's Privacy

The Service is not directed to individuals under the age of eighteen (18). We do not knowingly collect personal information from children under 18.

If we become aware that we have collected personal information from a child under 18 without appropriate parental or guardian consent, we will take prompt steps to delete that information from our systems.

If you are a parent or guardian and believe that your child has provided personal information to us, please contact us immediately at info@whatreceipt.com so that we can take appropriate action.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

13.1 Notification: If we make material changes to this Policy, we will notify you by posting the updated Policy on our website with a revised "Last Updated" date. For significant changes, we may also notify you via email or through an in-app notification.

13.2 Review: We encourage you to review this Policy periodically to stay informed about how we are protecting your information.

13.3 Continued Use: Your continued use of the Service following the posting of changes constitutes your acceptance of those changes. If you do not agree with a revised Policy, you should discontinue your use of the Service.

14. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

WhatReceipt

Email: info@whatreceipt.com

Website: https://whatreceipt.com

We will make reasonable efforts to respond to all legitimate inquiries in a timely manner. If you are located in Mexico and are unsatisfied with our response, you may also contact the National Institute of Transparency, Access to Information and Protection of Personal Data (INAI) at www.inai.org.mx.