Privacy Policy

Learn how we collect, use, and protect your personal information.

1. Who We Are

SpendScan is operated by Storm Farrell, based in Germany (the "Data Controller").

If you have any questions about this policy or how we handle your data, please contact us at support@spendscan.app.

We have not appointed a Data Protection Officer (DPO) as we do not meet the thresholds requiring one under Article 37 of the GDPR. For all data protection enquiries, please contact us at the email address above.

2. What Data We Collect

We collect the following categories of personal data:

Data you provide directly

  • Account information: your email address and, if you sign in via Google or Apple, your name and profile picture from that provider
  • Receipt images and their extracted contents (item names, prices, store names, dates)
  • Custom categories and spending preferences you configure

Data collected automatically

  • Usage data: pages visited, features used, and interactions with the Service
  • Technical data: IP address, device type, operating system, browser type, and app version
  • Error and diagnostic data: crash reports and performance metrics
  • Approximate location derived from your IP address (country/region level only)

Payment data

  • Subscription status and billing history. Full payment card details are processed directly by our payment providers (Stripe and RevenueCat) and are never stored by us.

3. How We Use Your Data and Our Legal Bases

Under the UK GDPR and EU GDPR, we must have a lawful basis for processing your personal data. The sections below set out the purposes for which we process your data and the legal basis we rely on for each.

Performance of a contract (Article 6(1)(b) GDPR)

We process your data as necessary to provide the Service you have signed up for:

  • Creating and managing your account
  • Processing and analysing your receipts using AI
  • Generating spending insights and reports
  • Processing your subscription payments
  • Sending transactional emails (account confirmations, receipts, notifications)

Legitimate interests (Article 6(1)(f) GDPR)

We process your data where we have a legitimate interest that is not overridden by your rights:

  • Analytics to understand how the Service is used and to improve it (web: Vercel Analytics; mobile: Vexo Analytics)
  • Error monitoring and crash reporting to maintain service reliability (Sentry)
  • Security monitoring and fraud prevention
  • IP-based geolocation to provide a localised experience

Legal obligation (Article 6(1)(c) GDPR)

We may process your data where required by applicable law, including:

  • Retaining financial and tax records as required by German commercial law (HGB §257) and other applicable legislation
  • Responding to lawful requests from public authorities

4. Sub-processors and Data Sharing

We do not sell your personal data. To provide the Service, we share your data with the following third-party service providers ("sub-processors"). Each is contractually bound to handle your data only as instructed and in accordance with applicable data protection law.

Supabase

Database, authentication, and file storage. Your data is stored on servers located in the EU (Frankfurt, Germany).

Vercel

Web application hosting and web page analytics. Servers may be located in the US or EU. Vercel Analytics collects anonymised usage data without cookies.

OpenAI

AI processing of your receipt images to extract and categorise items. Receipt image data and extracted text are sent to OpenAI's API. OpenAI is based in the United States.

Sentry

Error tracking and crash reporting. May process technical data including device information and limited user context. Sentry is based in the United States.

Stripe

Web subscription and payment processing. Stripe processes billing information and payment card details directly. Stripe is based in the United States and Ireland.

RevenueCat

Mobile in-app purchase and subscription management (iOS and Android). RevenueCat is based in the United States.

Postmark (ActiveCampaign)

Transactional email delivery (account notifications, receipts, weekly summaries). Postmark is based in the United States.

Inngest

Background job processing (receipt analysis queues, weekly report generation). Inngest is based in the United States.

Vexo Analytics

Mobile app analytics. Collects anonymised usage data to help us understand how the mobile app is used.

MaxMind

IP-based geolocation to derive your approximate country or region. MaxMind is based in the United States.

PDF.co

PDF receipt processing. When you upload a PDF receipt, it is sent to PDF.co for conversion prior to AI analysis.

Google (Google Sign-In)

Optional sign-in via your Google account. If you choose this option, Google shares your name, email, and profile picture with us.

Apple (Sign in with Apple)

Optional sign-in via your Apple ID. If you choose this option, Apple may share your name and email (or a relay address) with us.

We may also disclose your data to legal authorities where required by applicable law or in response to a valid legal request.

5. International Data Transfers

Your primary account data (database records and uploaded files) is stored on servers located in the European Union (Frankfurt, Germany) via Supabase.

Several of our sub-processors are based in the United States. Where we transfer personal data outside the European Economic Area (EEA) or the United Kingdom, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission and, where relevant, the UK International Data Transfer Agreement (IDTA). Each sub-processor listed above maintains its own international transfer mechanisms; please refer to their respective privacy policies for details.

6. Data Retention

We retain your personal data for the following periods:

  • Account and receipt data: retained for as long as your account is active. When you delete your account, your personal data (receipts, account information, preferences) is deleted promptly. Please note that automated backup systems may retain residual copies for a short period before being overwritten.
  • Financial and billing records: retained for the period required by applicable law (German commercial law requires retention of financial records for up to 10 years under HGB §257).
  • Error and diagnostic logs: typically retained for 90 days by our error monitoring provider (Sentry).
  • Analytics data: aggregated and anonymised; not tied to individual accounts after collection.

7. Your Rights

Under the EU GDPR and UK GDPR, you have the following rights in respect of your personal data:

  • Right of access: you can request a copy of the personal data we hold about you.
  • Right to rectification: you can ask us to correct inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten"): you can request deletion of your personal data. You can do this directly in the app via Settings > Account > Delete Account.
  • Right to restriction of processing: you can ask us to restrict how we use your data in certain circumstances.
  • Right to data portability: you can request a copy of your data in a structured, machine-readable format.
  • Right to object: you can object to processing based on our legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
  • Right to withdraw consent: where we process data on the basis of consent, you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

To exercise any of these rights, please contact us at support@spendscan.app. We will respond within one month of receiving your request, as required by the GDPR.

You also have the right to lodge a complaint with a supervisory authority:

  • EU (Germany): the competent data protection supervisory authority in Germany. A list of German supervisory authorities is available at bfdi.bund.de.
  • UK: the Information Commissioner's Office (ICO) at ico.org.uk.

8. Cookies and Tracking

We use the following types of cookies and similar technologies:

  • Strictly necessary cookies: session and authentication cookies required to keep you logged in and to operate the Service. These cannot be disabled.
  • Analytics (web): Vercel Analytics collects anonymised page view data to help us understand how the web app is used. This does not use cookies and does not collect personal data.
  • Analytics (mobile): Vexo Analytics collects anonymised usage events in the mobile app. No personally identifiable information is collected.

We rely on our legitimate interests (improving and maintaining the Service) as the legal basis for analytics. You may object to this processing at any time by contacting us at support@spendscan.app.

You can also manage cookies through your browser settings at any time.

9. Automated Decision-Making

SpendScan uses artificial intelligence (via OpenAI) to automatically extract and categorise items from your receipt images. This automated processing helps us provide the core features of the Service. It does not produce legal effects or similarly significantly affect you — the results are spending insights for your own use, and you can edit or delete any extracted data at any time.

10. Children's Privacy

The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected data from a child under 16, please contact us and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or via a notice in the Service before the changes take effect. We will also update the "Last updated" date below. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

12. Contact Us

For any questions about this Privacy Policy, to exercise your rights, or to raise a data protection concern, please contact us at: support@spendscan.app

Last updated: 19 February 2026
