Receipts In Order

Privacy Policy

Domain: https://receiptsinorder.com

Last updated: 29 December 2025

Draft for review by qualified legal counsel.

1. Introduction

Receipts In Order ("we", "us", "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share personal data when you use our website and services.

This policy applies to all users of https://receiptsinorder.com and associated applications.

2. Who We Are (Data Controller)

We are the data controller for the purposes of the UK GDPR.

Registered address: Braview, California, FK12DH, Falkirk, Scotland.

Contact email: [email protected]

3. How You Access the Service

OAuth-Only Authentication

Accounts are created and accessed only using Google OAuth or Apple Sign-In.

We do not offer username/password authentication.

Permissions

We request only your email address from OAuth providers.

We do not request access to contacts, files, calendars, or other third-party data.

4. Personal Data We Process

4.1 Account Data

  • Email address
  • OAuth provider identifier

4.2 Uploaded and Processed Content

  • Receipts and invoices submitted by you
  • Extracted structured data (e.g. supplier name, date, totals, VAT/tax amounts)

4.3 Technical and Usage Data

  • IP address
  • Browser and device information
  • Log and usage metadata
  • Error and performance diagnostics

5. Data Minimisation

The platform is intentionally designed to minimise data collection.

We do not intentionally collect or process:

  • Bank account numbers
  • Payment card numbers
  • CVV or security codes
  • Full financial account credentials

Document identifiers are limited to receipt or invoice reference numbers only.

You should not upload documents containing sensitive personal data unless legally necessary for your own business purposes.

6. Legal Bases for Processing

We process personal data under the following UK GDPR bases:

  • Contractual necessity - to provide the Service
  • Legitimate interests - service reliability, security, and improvement
  • Legal obligation - compliance with law and regulation
  • Consent - where required (e.g. cookies, optional features)

7. Sub-Processors and Third Parties

We use trusted third-party service providers ("sub-processors") to operate the Service, including:

  • DigitalOcean - hosting, databases, object storage
  • Amazon Web Services (AWS) - inbound email ingestion
  • Stripe - billing and payments
  • Google / Apple - authentication (OAuth)
  • OCR and language model providers (e.g. Mistral, OpenAI, Google Gemini)
  • Gmail API - only if you enable automated forwarding features

Sub-processors act only on our instructions and are contractually bound to appropriate data protection obligations.

8. Data Residency and Transfers

  • Core infrastructure is located in London (UK)
  • Inbound email processing occurs in Ireland (EU)
  • OCR and LLM providers may process data in other regions depending on provider configuration

Where data is transferred outside the UK, appropriate safeguards are applied in accordance with UK GDPR.

9. Logging and Debugging

We maintain operational logs for system reliability, security monitoring, and error diagnosis.

Derived or extracted content may appear in logs if debug logging is enabled. Debug logging is restricted and controlled in production environments.

10. Data Retention

We retain personal data:

  • For as long as your account remains active
  • For a limited period after account deletion for legal compliance, dispute resolution, and backups

Retention periods for:

  • Original documents
  • Extracted/derived data
  • Exports
  • Logs and support records

are defined internally and may vary by data type.

11. Account Deletion

You may request deletion of your account at any time.

Upon deletion:

  • Access to the Service is revoked
  • Data is scheduled for deletion in accordance with retention rules
  • Certain records may be retained where legally required

12. Your Rights

Under UK GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate or incomplete data
  • Request erasure
  • Restrict processing
  • Object to processing
  • Request data portability
  • Lodge a complaint with the UK Information Commissioner's Office (ICO)

Requests can be made via [email protected].

13. Security Measures

We implement appropriate technical and organisational safeguards, including encryption in transit, access controls and least-privilege policies, and environment isolation.

No system can be guaranteed 100% secure.

14. Cookies and Analytics

Please see our Cookies & Analytics Policy for details on Google Analytics (gtag.js), cookie usage, and consent and opt-out options.

15. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be posted on https://receiptsinorder.com.

16. Governing Law

This Privacy Policy is governed by Scots law, subject to applicable UK data protection legislation.