Privacy policy
Last updated: May 7, 2026
This Privacy Policy explains how scan-ai (“we”, “us”) collects, uses, and protects personal information, and the rights you have under the EU/UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA, as amended by the CPRA). Our companion Security page describes the technical safeguards behind the practices below.
1. Who We Are
scan-ai is a receipt-scanning service operated from Canada. For the purposes of GDPR we act as the data controller for your account information and as a processor for the receipt content you upload. For the purposes of CCPA we are the business that determines the purposes and means of processing your personal information. You can reach us at support@scan-ai.ca.
2. Information We Collect
2.1. Account information
- Name (if provided)
- Email address
- A salted password hash, when you sign up with email and password
- OAuth identifiers from Google or GitHub, when you sign in with those providers
- Subscription plan and billing-status metadata received from our payments provider
2.2. Receipt and transaction data
- Receipt images you upload
- Information extracted from those images by our AI provider (merchant, date, total, line items, tax amounts, and similar fields)
- Tax categorizations, budgets, and notes you create
- Emails you forward to your personal
code@in.scan-ai.caaddress for receipt processing
Please do not upload special-category receipts. scan-ai is built for ordinary business and personal expenses. We ask that you do not upload receipts that reveal special categories of personal data under GDPR Article 9 — for example, detailed pharmacy or medical receipts, receipts that disclose religious affiliation, political opinions, trade-union membership, or sexual orientation. We do not solicit, index, or analyze these categories, and we do not request such inferences from our AI providers; if you upload a receipt of this type we will process it only as an ordinary expense record.
2.3. Usage and diagnostic data
- Product analytics events (pages visited, features used)
- Application logs and error reports needed to diagnose problems
- IP address and user-agent associated with sign-in and webhook events
3. How We Use Your Information — and Our Legal Bases (GDPR)
| Purpose | GDPR legal basis |
|---|---|
| Provide the service: process receipts, extract data, run AI chat, store records, deliver email | Performance of contract (Art. 6(1)(b)) |
| Bill subscriptions and prevent fraud and abuse | Performance of contract and legitimate interests (Art. 6(1)(b) and (f)) |
| Send transactional service emails (verification codes, receipts, security notices) | Performance of contract (Art. 6(1)(b)) |
| Send product announcements or marketing email | Consent (Art. 6(1)(a)); withdrawable at any time |
| Improve the product (aggregated, non-identifying analytics) | Legitimate interests (Art. 6(1)(f)) |
| Comply with legal obligations | Legal obligation (Art. 6(1)(c)) |
4. We Do Not Sell or Share Your Data
We do not sell, rent, or monetize your personal information or receipt content. We do not “share” personal information for cross- context behavioral advertising as those terms are defined under the CCPA/CPRA. The only parties that process your data on our behalf are the sub-processors listed in Section 5.
5. Sub-processors
We use a small number of vendors to operate the service. Each is bound by a data-processing agreement and may only use the data we send them to provide the service we have contracted them for.
| Sub-processor | Purpose |
|---|---|
| Convex | Application backend, database, and receipt-image storage |
| Vercel | Web and application hosting |
| OpenAI | AI chat and analysis |
| OpenRouter → Google | Receipt OCR using Google Gemini, accessed via OpenRouter |
| Resend | Transactional and inbound email (30-day delivery-log retention) |
| Polar | Subscription billing and payment processing |
Neither OpenAI nor Google uses the data we send through their APIs to train their models. Our use of OpenAI is governed by OpenAI’s Data Processing Addendum (DPA), and our Gemini OCR data flow operates under Zero Data Retention (ZDR), so prompts and responses are not retained beyond the time required to process the request. See our Security page for the technical detail on AI data flows.
6. International Data Transfers
Our infrastructure and several of our sub-processors operate in the United States. Where personal information is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, we and our sub- processors rely on the European Commission’s Standard Contractual Clauses (and equivalent UK/Swiss addenda) as the transfer mechanism, together with appropriate technical safeguards described on our Security page.
7. Data Retention
- Account and receipt data are retained while your account is active and deleted on request, as described in Section 9.
- Email delivery logs at our email provider are retained for 30 days.
- Encrypted backups age out within 30 days of a successful deletion request.
- Audit logs of administrative actions are retained for legitimate-interest and legal-compliance purposes.
8. Your Rights
8.1. Rights under GDPR (EU/UK/Switzerland)
- Access — obtain a copy of the personal data we hold about you.
- Rectification — have inaccurate data corrected.
- Erasure (“right to be forgotten”) — have your account and associated data deleted.
- Restriction — ask us to stop processing your data while a dispute is resolved.
- Data portability — receive your data in a structured, commonly used, machine-readable format.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — where we rely on consent, you may withdraw it at any time.
- Lodge a complaint with your supervisory authority.
8.2. Rights under CCPA/CPRA (California residents)
- Right to know what categories of personal information we have collected, the sources, the purposes, and the categories of third parties with whom we share it.
- Right to delete the personal information we have collected from you, subject to limited exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing — we do not sell or share personal information, so there is nothing to opt out of.
- Right to limit use of sensitive personal information— we do not use sensitive personal information for purposes beyond providing the service.
- Right to non-discrimination — we will not deny you service or charge you a different price for exercising any of these rights.
9. How to Exercise Your Rights
To exercise any of the rights above — including deleting your account — email support@scan-ai.ca from the address on file with your account. We may ask for additional verification before completing a request.
We respond within the timeframes required by applicable law: within 30 days for GDPR requests (extendable by a further two months for complex requests, with notice) and within 45 days for CCPA requests (extendable by another 45 days, with notice). When we complete a deletion request we sign you out of all sessions, remove your records from our application database, and let any residual copies in encrypted backups age out within 30 days.
You may also designate an authorized agent to make a request on your behalf, subject to the verification requirements above. Exercising any of these rights is free of charge unless your request is manifestly unfounded or excessive.
10. Security
We protect your information with TLS in transit, encryption at rest, signed-webhook verification on inbound integrations, role-based access controls, and an audit log of administrative actions. Our full security posture is described on the Security page. No system is perfectly secure; we will notify affected users of a confirmed breach as required by applicable law.
11. Cookies & Analytics
We use a small set of strictly necessary cookies to keep you signed in and to remember your preferences. We use a privacy-respecting product- analytics tool to understand which features are used; we configure it to profile only signed-in customers and do not use it for cross-site advertising.
12. Children
scan-ai is not directed to children under 16. We do not knowingly collect personal information from children. If you believe we have, contact us and we will delete it.
13. Changes to This Policy
We will update the “Last updated” date at the top of this page when we make changes. For material changes affecting how we use your data, we will notify you by email or in-app notice before the change takes effect.
For privacy-related questions or requests:
Email: support@scan-ai.ca