Privacy Policy

1) Information we collect

A. You provide to us

• Account data (name, email, password or SSO identifier, locale, organization, role).
• Content you upload (receipt images/PDFs, notes, tags, categories).
• Support communications (messages, feedback, survey responses).

B. Collected automatically

• Device & log data (IP, device/browser type, OS, timestamps, crash logs).
• Usage data (features used, clicks, pages/screens viewed).

C. From connected services (with your consent)

• Email accounts you connect via OAuth (e.g., Gmail, Microsoft 365) to discover and process receipt-like messages and attachments (see Email access).
• Cloud storage (e.g., files you select from third-party storage providers).
• Accounting tools (if you choose to sync exports with providers like QuickBooks/Xero/Sage).

2) How we use information

• Provide the Services, including scanning/processing receipts, categorizing spend, and enabling exports.
• Maintain and improve performance, reliability, and user experience.
• Security and fraud prevention, including abuse, spam, and anomaly detection.
• Communications about changes, updates, billing, and support.
• Compliance with legal obligations (tax, accounting, requests from authorities when lawful).

Legal bases (where applicable): consent, contract performance, legitimate interests (e.g., service improvement, security), and compliance with law.

3) Email access & connected inboxes

If you connect an email account, we use provider APIs (e.g., Gmail API, Microsoft Graph) with the minimum scopes needed to identify and process receipts and invoices. Typical operations include:

• Discovering receipt-like emails using subjects, senders, and structured content.
• Fetching message content and attachments to extract receipt data.
• De-duplication and labeling (e.g., applying a “Processed” label/folder) to avoid reprocessing.

We do not read or use your non-receipt communications for unrelated purposes. We store only the information needed to provide the Services (e.g., receipt data, minimal message metadata for deduplication) and retain raw message parts only if you enable that option for audit trails.

You can disconnect your email account at any time from settings. Upon disconnection, we stop access and delete OAuth tokens. You may also request deletion of previously processed data (see Your rights).

4) Cookies & analytics

We use cookies and similar technologies to keep you signed in, remember preferences, protect accounts, and understand product usage. Where required, we’ll request your consent for non-essential cookies. You can manage cookies in your browser settings.

5) How we share information

• Service providers (processors): cloud hosting, storage, analytics, customer support, email delivery, security monitoring. They process data under our instructions.
• Integrations you enable: if you choose to sync/export to third-party tools, we share relevant data as needed to complete the integration.
• Legal and safety: to comply with law, enforce terms, or protect rights, property, or safety of users and the public, when permitted.
• Business transfers: in a merger, acquisition, or asset sale, we’ll provide notice and choices where required.

We do not sell your personal information. For California residents, we do not share personal information for cross-context behavioral advertising without your consent.

6) Data retention

We retain personal information only as long as necessary to provide the Services and for legitimate business or legal purposes.

• Receipts & line items: by default, up to 7 years (or longer if required by applicable tax or accounting laws you select).
• Account data: for the life of the account and for a reasonable period after closure to resolve disputes or comply with law.
• Logs & diagnostics: typically 12–24 months, unless needed longer for security or legal reasons.

You can request deletion of your account and associated data (subject to legal retention obligations).

7) Security

We use administrative, technical, and physical safeguards to protect personal information, including encryption in transit and at rest, access controls, audit logging, and regular reviews. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

8) International data transfers

We may process and store information in countries other than where you reside. When transferring personal information internationally, we implement appropriate safeguards (e.g., Standard Contractual Clauses for EEA/UK data) and ensure processors provide adequate protection.

9) Your privacy rights

Your rights depend on your location and applicable laws. Subject to exceptions, you may have the right to:

• Access the personal information we hold about you.
• Correct inaccurate or incomplete information.
• Delete information (erasure).
• Port data in a machine-readable format.
• Object to or restrict certain processing.
• Withdraw consent where processing is based on consent.

Residents of the EEA/UK and California may have additional rights under GDPR/UK GDPR and CCPA/CPRA. To exercise rights, contact privacy@recyt.co. We will verify your request and respond within the time required by law.

10) Children’s privacy

Our Services are not directed to children under the age required by local law (e.g., 13 in the U.S., 16 in parts of the EEA). We do not knowingly collect personal information from children. If you believe a child provided personal information, contact us to request deletion.

11) Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated version with a new “Last updated” date and, if changes are material, provide additional notice (e.g., email or in-app).

12) Contact us

Questions or requests about this Policy or your personal information?

Email: privacy@recyt.co
Address: Hamilton, Ontario, Canada