Privacy Policy

This privacy policy explains how Receiptor AI collects, uses, and protects your information. We're a small team building software to automate bookkeeping, and we take your privacy seriously.

1. Who We Are

Receiptor AI is operated by Merlino, Inc., a Delaware corporation.

• Legal Name: Merlino, Inc.
• Registration: Delaware (Tax ID: 301409760)
• Address: 390 NE 191st St STE 8214, Miami, FL 33179, United States
• Data Protection Officer: Romeo Bellon
• Privacy Contact: info@receiptor.ai

We provide our services worldwide with no geographic restrictions.

2. Information We Collect

Account Information

When you sign up, we collect:

• Your name and email address
• Company name (optional)
• Password (encrypted) or OAuth/social login credentials

Payment Information

We use Stripe to process payments. We do not store your full credit card details. Stripe handles all payment data in accordance with its security standards.

Email Access

When you connect your email account, we:

• Access emails within your specified date range to identify financial documents
• Scan email metadata (sender, subject, date, attachments) to find receipts, invoices, and credit notes
• Extract only the financial documents you've requested
• Do not store email content - we only keep the extracted documents
• Store email IDs solely to prevent reprocessing

We support Gmail, Outlook, and IMAP email providers. Access is granted through OAuth tokens, app-specific passwords, or account credentials, depending on your email provider.

Financial Documents

We process and extract data from:

• Receipts
• Invoices
• Credit notes and refunds

From these documents, we extract accounting-related information, including:

• Merchant/vendor name
• Transaction amount and currency
• Date
• Tax information
• Line items
• Payment method (only last 4 digits and network, like Visa/Mastercard, if available)

We do not extract or store full credit card numbers or bank account numbers.

WhatsApp Integration

If you use WhatsApp:

• You provide your phone number
• We send you a message that opens a dedicated chat
• You send or forward document scans to this chat
• We only access messages you send to this specific chat - we have no access to your other WhatsApp conversations

Cloud Storage Integration

We integrate with Google Drive and Dropbox with limited permissions:

• Read/write access only for files we create
• Access is restricted to what these platforms allow for third-party apps
• No access to your other files

Accounting Software Integration

We integrate with QuickBooks Online and Xero. You can:

• Manually or automatically send expenses, bills, vendors, tax rates, and the chart of accounts
• Customize integration settings
• Control what data is synchronized

We use OAuth for these integrations and do not store your accounting software passwords.

Technical and Usage Data

We collect:

• Device and browser information
• IP addresses
• Usage patterns and in-app behavior
• Session data

We use Google Analytics and PostHog for analytics, which may include session replays and usage logs to help us improve the product.

Cookies

We use essential cookies for authentication and functionality. Our analytics tools (Google Analytics, PostHog) use cookies to track usage. You can control cookies through your browser settings. We respect Do Not Track browser signals.

3. How We Use Your Information

We use your information to:

• Extract and categorize financial documents from your email
• Generate reports and summaries
• Forward processed data to your accounting software
• Provide customer support
• Send transactional emails (extraction complete, errors, etc.)
• Send monthly product updates (you can opt out)
• Send notifications and alerts
• Improve our product through usage analytics

We do not use your data for marketing purposes or to train AI models.

4. AI Processing

We use a combination of third-party AI services (OpenAI, Azure, AWS) and our custom-trained models to process your documents.

Your data is never used to train or improve AI models—neither ours nor third-party models.

5. Data Storage and Security

Where We Store Data

• All data is stored on AWS infrastructure in Europe (EU region)
• Database: MongoDB on AWS Europe
• The database is offline and not connected to the internet
• Servers operate in private subnets with AWS security (load balancers, gateways)

Security Measures

• Encryption at rest: AES-256
• Encryption in transit: TLS 1.2+ and SSL
• Access controls: Role-based team access with logging
• Multi-factor authentication: Required for all internal systems
• Security assessment: Cloud Application Security Assessment (CASA) Type 2 certified
• SOC 2 compliance: In progress

Backups

• Automated backups every 6 hours
• Backups are encrypted and stored offline
• Retention period: 7 days

Data Retention

• Processed documents: Kept indefinitely for your use unless you delete them
• Extracted data: Kept indefinitely unless you delete it
• Email content: Not stored (only email IDs to prevent reprocessing)
• Account data: Deleted immediately upon account deletion
• Automatic deletion schedules: Currently in development

You can permanently delete your documents at any time without contacting support.

6. Data Sharing and Third Parties

We use the following third-party services that may process your data:

• Stripe: Payment processing
• Customer.io: Transactional emails and product updates
• AWS: Cloud hosting and infrastructure
• OpenAI, Azure, AWS: AI processing services
• Google Analytics & PostHog: Product analytics
• Google Drive & Dropbox: Optional cloud storage integration
• QuickBooks & Xero: Optional accounting software integration

These services act as subprocessors under GDPR terms. We rely on AWS's Data Processing Agreement for international data transfers.

We do not sell, rent, or trade your personal information to third parties.

Legal Disclosures

We do not share your data with law enforcement or government agencies except when required by valid legal process (court order, subpoena, or other legal obligation). To date, we have never received such a request.

Business Transfers

In the event of a merger, acquisition, or sale of assets, user data may be transferred to the new owner. We would notify you via email and provide options for data deletion if you prefer not to continue.

7. Your Rights and Control

Access and Download

You can download your data at any time in the following formats:

• CSV files
• PDF reports
• ZIP archive of all documents

Account Management

You can:

• Update your account information directly in the app
• Pause or resume email monitoring without deleting your account
• Export processed receipts and reports (standalone or to QuickBooks/Xero)
• Delete your account yourself through the app

When you delete your account, all data is removed immediately.

Communication Preferences

You can unsubscribe from product update emails using the link in any email or through your account settings. You will continue to receive essential transactional emails (such as extraction confirmations, error notifications, etc.).

Data Protection Rights

For EU, UK, and California residents, you have the right to:

• Access your personal data
• Correct inaccurate data
• Request the deletion of your data
• Object to the processing of your data
• Request data portability
• Withdraw consent at any time

To exercise these rights, contact us at info@receiptor.ai.

GDPR Compliance: We comply with the General Data Protection Regulation for all EU and UK users.

CCPA Compliance: We comply with the California Consumer Privacy Act for California residents.

8. International Data Transfers

We store data in AWS Europe but serve customers worldwide. Data transfers are governed by AWS's Data Processing Agreement and standard security practices. Your data remains stored in EU regions regardless of your location.

9. Data Breaches

In the unlikely event of a data breach:

• We will assess and contain the breach immediately
• Affected users will be notified within 72 hours via email or phone
• We will provide details about what data was affected and the steps we're taking
• Relevant authorities will be notified as required by law

10. Children's Privacy

Receiptor AI is intended for business use. We do not have age verification in place, but our service is not designed for or directed at children under 16. We do not knowingly collect information from children.

11. Team Access to Your Data

Only authorized team members (Romeo Bellon and Luigi Fernandez, the founders) have access to customer data, and only under these circumstances:

• Responding to support requests
• Debugging technical issues
• Routine system maintenance

All data access is logged for security and accountability.

12. Changes to This Policy

We will notify you of privacy policy changes via email through Customer.io. For material changes that affect how we use your data, we may require your acceptance before you continue using the service.

13. Contact Us

For privacy questions, data requests, or concerns:

• Email: info@receiptor.ai
• Data Protection Officer: Romeo Bellon
• Address: 390 NE 191st St STE 8214, Miami, FL 33179, United States

For data access, correction, or deletion requests, simply email us at info@receiptor.ai with your request. We'll respond promptly.

This policy reflects our commitment to protecting your privacy while being transparent about our practices. We're a small team that values every customer, and we're here to answer any questions you have.