LEGAL

Privacy policy

How SlipSave handles your account, receipts, and billing data.

Account & authentication

Signing up creates an account on our backend (Supabase, EU region — Stockholm). We store your email address and an account ID. We don't store your password — Supabase hashes it before writing. If you sign in with Google we also receive your Google account email; we never see your Google password.

Receipt processing

When you tap Process on a scan, the receipt images you selected are sent to our backend, which forwards them to our AI provider with a fixed extraction prompt. We do not store your raw photos on our servers — they pass through to the AI service and are discarded after extraction. The parsed JSON (store name, items, prices) is returned to your phone and saved in the local SQLite database.

Per-call audit log

Each AI call is logged on our server: which user triggered it, the model identifier, token counts (no text), latency, and outcome (success / cap-hit / error). We use this to enforce free / Pro caps and to detect abuse. Token counts are aggregate numbers — the receipt content itself is not stored on the server.

Data retention

We auto-delete AI processing audit logs 13 months after they are created. Receipt images uploaded for processing are processed in-memory on our servers and never persisted.

Device fingerprinting

Each device contributes a one-way hash of its Android system identifier to a per-device counter that limits free-tier abuse. This is a best-effort signal — a factory reset, work profile setup, or rooted device can rotate it. We do not treat the identifier as authoritative, and we never store it un-hashed.

Subscription billing

Pro is a Google Play subscription. Google handles the payment; our server only sees the resulting purchase token, subscription ID, and renewal/cancel events from Real-time Developer Notifications. We use those to mark your account as Pro. Card details never reach us.

Card numbers in receipts

Anything that looks like a 16- to 19-digit card number in the AI's parsed text is replaced with [redacted] before it lands in the database — same on the local side.

Sign-out vs. delete account

Sign-out wipes the receipts on this device but keeps your account on our server. The next sign-in starts with a clean local database (cloud sync is on the roadmap, not yet shipped, so locally-cached receipts are removed to prevent another sign-in from another account seeing them).

Delete account permanently removes your account on our server, which cascade-drops the per-call audit log and every subscription notification we've ever received for you, then wipes the local database and image folder. Your billing history at Google is unaffected — manage it from the Play Store.

This summary is the binding policy for the app — if it ever disagrees with what the code does, the code is the bug.