Privacy Policy
Last Updated: 2026-04-21
Version: 1.2.7
1. Data Controller
The controller responsible for data processing is:
Serhat Coban
LoRen IT
Mühlenstraße 8a
14167 Berlin
Germany
Email: snapsort@loren-it.com
Support: support@loren-it.com
Serhat Coban operates as a sole proprietor under the trade name LoRen IT.
2. What this policy covers
This policy describes how we process personal data when you use snapsort through the mobile apps, the supporting website, and related legal or billing flows.
3. Categories of personal data
Depending on how you use snapsort, we process in particular:
- account and sign-in data such as email address, password hash, optional profile data, session identifiers, and security metadata,
- receipt and invoice content such as uploaded images, PDFs, or CSV import files that are processed temporarily, OCR text, structured fields, notes, categories, line items, and manual corrections,
- device and usage metadata such as locale, country hints, export and quota counters, IP address, timestamps, browser or device details, and security diagnostics,
- subscription and billing data such as Stripe customer or subscription identifiers, store transaction identifiers, RevenueCat subscription status data, and invoice records,
- support and communication data when you contact us.
Important: receipts can contain personal data about you or third parties. You control what you upload. Please avoid uploading documents that are not needed for expense tracking.
4. Purposes and legal bases
| Purpose | Examples | Legal basis |
|---------|----------|-------------|
| Providing the service | account, receipt processing, exports, sync, shared groups, budgets | Art. 6(1)(b) GDPR |
| Subscription and payment handling | checkout, invoices, payment status, entitlement checks, disputes | Art. 6(1)(b) GDPR and, where required, Art. 6(1)(c) GDPR |
| Support and service communication | replies to requests, password reset, verification, transactional notices | Art. 6(1)(b) GDPR / Art. 6(1)(f) GDPR |
| IT security, abuse prevention, diagnostics, and service integrity | logs, access protection, rate limits, CSRF and session safeguards | Art. 6(1)(f) GDPR |
| Legal retention and compliance duties | invoice and payment records, legal claims defense | Art. 6(1)(c) GDPR / Art. 6(1)(f) GDPR |
5. How data is used in the service
The public website is limited to informational pages, legal or support content, account registration, and purchase or management of web subscriptions. Receipt capture, OCR review, groups, budgets, and exports are provided primarily through the mobile apps.
5.1 Registration and sign-in
For registration we process your email address and a password hash. If you sign in with Google or Apple, we receive the data required to authenticate you and populate your profile from the provider you choose.
Password reset links currently expire after 1 hour. Email verification links currently expire after 7 days. Browser sessions are currently configured for a 7-day lifetime and are refreshed while the account is active.
5.2 Receipt processing and OCR
When you upload receipts or invoices, we process supported image formats (JPEG/JPG, PNG, WebP, HEIC/HEIF), PDF files, or structured CSV imports, create OCR or import output, and derive structured receipt fields. snapsort uses Google Cloud Vision API for OCR-assisted text recognition on image uploads. snapsort uses Gemini by Google for downstream analysis and structuring. Uploaded image files, extracted text, or derived image data may be transmitted to Google for that purpose. For PDFs with extractable server-side text, snapsort may skip image OCR and send extracted text only to Gemini. Additional local, rule-based, and internal processing steps also run inside snapsort. CSV imports are validated through the separate import path and converted into structured receipt data.
Original upload files are not stored as a permanent receipt-image archive. After successful OCR and persistence processing, snapsort deletes original images, PDF handoff files, and OCR handoff objects. In retry, error, or cleanup cases, temporary upload files and OCR artifacts may be kept briefly; configured cleanup paths typically remove temporary upload files within 2 hours and temporary OCR artifacts within 6 hours. The structured receipt data, OCR text, and your manual edits can remain in your account until you delete them or your account is deleted.
To improve parsing and localization, the app may also send locale or country hints supplied by your device or by you.
OCR output is not guaranteed to be correct. Please review extracted content before relying on it.
5.3 Groups, budgets, exports, and quota logs
If you use group features, the information needed for shared expense management is made available to invited or otherwise authorized group members.
Exports are generated on request and made available for download or email delivery for a limited time. Premium export access is subject to plan limits. The current public Premium scope includes up to 10 successful exports per calendar month, with additional export capacity only where separate bonus tokens or another plan explicitly provide it.
We also process export and quota event logs to enforce plan limits and prevent abuse.
5.4 Payments and subscriptions
For paid web subscriptions, we use Stripe for checkout, billing, and the customer portal. Payment details for web subscriptions are processed directly by Stripe. We receive only the information required to manage subscriptions, invoices, payment status, and disputes.
For iOS in-app purchases, Apple processes the purchase through the App Store / StoreKit. For Android in-app purchases, Google processes the purchase through Google Play / Play Billing. For mobile store-managed subscriptions, we use RevenueCat to synchronize subscription status with our backend and unlock entitlements.
5.5 Emails and support
We use Resend for transactional emails such as verification, password reset, export, and subscription messages. If we change transactional email infrastructure, we will update this notice and our current subprocessor information before or when the change goes live.
6. Recipients and service providers
Depending on use, the following categories of recipients may be involved:
- hosting and storage providers used to operate snapsort,
- Stripe for paid web subscriptions,
- Apple App Store / StoreKit for iOS in-app purchases,
- Google Play / Play Billing for Android in-app purchases,
- RevenueCat for synchronization of mobile store-managed subscriptions,
- Google or Apple if you choose those sign-in options,
- Google Cloud Vision API and Gemini by Google for receipt processing,
- Resend for transactional email delivery,
- authorities, courts, or other legally required recipients where we are legally required to do so or where needed to establish, exercise, or defend legal claims.
The current production deployment operates on Hetzner-hosted control-plane and worker-plane servers in Germany. The current OCR input handoff uses S3-compatible object storage in the `fsn1` region. Where archive or export artifacts are stored through the currently configured B2-backed path, the configured region is `eu-central-003`.
You can request the current subprocessor overview at snapsort@loren-it.com.
7. International data transfers
Some providers may process personal data outside the EU/EEA, including in the United States. Where such transfers occur, we rely on safeguards permitted under the GDPR, such as standard contractual clauses and, where applicable, adequacy decisions or equivalent lawful transfer mechanisms. You can request additional information or a copy or summary of the relevant safeguards at snapsort@loren-it.com.
8. Retention
We keep personal data only as long as needed for the relevant purpose. Key criteria include:
| Data category | Typical retention / criterion |
|---------------|-------------------------------|
| account, profile, receipt, budget, group, and structured OCR data | while your account remains active, unless you delete items earlier |
| original upload images, PDF handoff files, and OCR handoff objects | deleted after successful OCR and persistence processing; temporarily retained until cleanup in retry or error cases |
| temporary upload files | typically up to 2 hours unless already deleted after successful processing |
| temporary OCR files and artifacts | typically up to 6 hours unless already deleted after successful processing |
| export archives or signed export delivery artifacts | up to 24 hours after creation |
| password reset tokens | up to 1 hour |
| email verification tokens | up to 7 days |
| active browser sessions | up to 7 days, refreshed while active |
| accounts marked for deletion | permanent deletion scheduled after 30 days unless recovered |
| invoice and payment records | as required by applicable legal retention duties |
9. Cookies, local storage, and payment storage
For core web functionality, we use strictly necessary cookies such as:
| Name | Purpose | Duration |
|------|---------|----------|
| `better-auth.session_token` | sign-in and session management | depends on session lifetime |
| `csrf_token` | CSRF protection | session |
Additional display or convenience settings may be stored in browser or app-local storage depending on the surface. If you proceed to payment, Stripe may set its own cookies or use local storage that is necessary to provide checkout, billing, or portal functionality.
The public legal and pricing pages do not require marketing cookies. If analytics or marketing storage is introduced later, we will only use it with the consent required by applicable law.
10. Security and logs
We use technical and organizational measures to protect personal data, including access restrictions, session and CSRF safeguards, transport encryption, and security-relevant logging.
In the current Hetzner deployment, container-level application logs are bounded by rotation in the runtime configuration (`10 MB` maximum per log file, `5` files per service). Security and error logs are otherwise retained only for a limited period according to operational need and legal requirements. Diagnostic modes are intended to minimize content logging in production. If controlled troubleshooting temporarily includes short content excerpts, access is restricted to authorized personnel.
11. Your rights
Subject to applicable privacy laws, you may have rights of access, rectification, erasure, restriction, data portability, and objection to processing based on legitimate interests.
You can start account deletion while signed in. This marks the account for deletion, invalidates active sessions, and schedules permanent deletion after 30 days. The account can be recovered during that period. If you no longer have account access, you can contact us at snapsort@loren-it.com.
You also have the right to lodge a complaint with a competent supervisory authority.
12. Turkey supplement (KVKK)
If Turkish law applies, the processing described above also serves as a KVKK notice. Under KVKK, processing may be based in particular on contract necessity, compliance with legal obligations, establishment or protection of rights, legitimate interests, and explicit consent where required. International transfers may occur under KVKK Article 9 where legally permitted. Requests under KVKK Article 11 can be sent to snapsort@loren-it.com.
13. Contact and changes
For privacy questions, contact:
Email: snapsort@loren-it.com
Support: support@loren-it.com
We may update this policy if features, data flows, or legal requirements change. The current version is available in the app and on the website.