Your receipts. Your control.

• All customer data hosted in the European Union
• TLS 1.2+ encryption in transit, AES-256 encryption at rest
• Card details handled entirely by Stripe — never stored on our servers
• Full GDPR rights: access, export, correction, deletion
• Row-level security ensures users only ever see their own receipts
• Account deletion removes your data within 30 days

This page describes practices and platform features in plain language. It is not a certification or independent audit. Compliance is a shared responsibility — we provide the platform controls; you control your account credentials and the data you choose to upload.

Receiptly runs on managed cloud infrastructure with primary data residency in the European Union. Our database, file storage, and authentication services are operated by enterprise providers with SOC 2 Type II and ISO 27001 certifications.

Application logic runs on edge compute close to your location for performance, but persistent customer data — receipts, expense records, and account information — remains in EU regions.

• In transit: All traffic between your browser, our servers, and our backend providers uses TLS 1.2 or higher. HTTP requests are automatically redirected to HTTPS.
• At rest: Receipt files in object storage and database records are encrypted at rest with AES-256.
• Secrets: API keys and webhook secrets are stored in an encrypted secrets manager, never in source code or client bundles.

Every database table enforces row-level security: queries are scoped to the authenticated user, so even a misbehaving client cannot read another user's receipts.

Authentication supports email/password and Google sign-in via secure OAuth. Sessions use signed, short-lived tokens with automatic refresh. We do not store passwords — only salted hashes managed by our auth provider.

Internal access to production data is limited to the minimum number of engineers required for support and incident response, and is logged.

To operate the service we process:

• Account data: email, display name, language preference, subscription tier.
• Receipt content: images or PDFs you upload, and the extracted fields (vendor, date, amount, VAT, category).
• Usage metadata: timestamps, request logs, and minimal analytics needed to monitor reliability and abuse.

We do not sell your data, share it with advertisers, or use it to train third-party AI models.

When you upload a receipt, the image is sent to an AI provider to extract structured fields (vendor, date, total, VAT). We use providers that contractually commit to not retain inputs or outputs for model training.

Extracted data is stored in your account; the original file is stored in your private bucket and can be deleted at any time. You can also delete the extracted record while keeping the file, or vice versa.

All payments and subscription billing are processed by Stripe, a PCI DSS Level 1 certified payment provider — the highest level available.

• No card data on our servers. Card numbers, CVCs, and expiry dates are entered on Stripe-hosted checkout pages and never touch Receiptly's infrastructure.
• Strong Customer Authentication (SCA / 3-D Secure 2) is enabled for European cards, as required by PSD2.
• Webhooks are signed with a shared secret and verified before any subscription state is updated.
• Redirect URLs are server-controlled — they cannot be forged by a tampered checkout link.
• Cancel anytime directly from Stripe's customer portal; no email gymnastics required.

We use the following processors to deliver the service. Each is bound by a Data Processing Agreement.

If you are in the EU/EEA, the UK, or Switzerland, you have the right to:

• Access the personal data we hold about you.
• Export your receipts and expense records in CSV or PDF at any time from Settings.
• Correct inaccurate data — either inline in the app or by contacting us.
• Delete your account and all associated data ("right to be forgotten").
• Object to or restrict processing, and to withdraw consent where processing relies on it.
• Lodge a complaint with your local supervisory authority.

Most rights can be exercised directly from your account Settings. For anything else, email us — see Contact.

• While your account is active: receipts are retained so you can produce historic VAT reports.
• On account deletion: personal data and receipt files are deleted from active systems immediately and purged from encrypted backups within 30 days.
• Billing records: invoice and transaction records may be retained by Stripe and by us as required by tax law (typically 7–10 years in the EU), in pseudonymised form.

We monitor uptime, error rates, and authentication anomalies continuously. In the event of a security incident affecting personal data, we will notify affected users and the competent supervisory authority within 72 hours of becoming aware, as required by GDPR Article 33.

Found a vulnerability? Please report it responsibly to security@myreceiptly.com. We respond to all good-faith reports and will publicly credit responsible disclosure (with your permission).

For questions about your subscription or billing, you can also manage everything directly from Stripe's customer portal, accessible from your account Settings.