Security
Last updated: May 7, 2026
Your receipts contain personal financial information. We treat them with the same care a small business expects from its bookkeeper or accountant. This page describes how we protect that data — the infrastructure we run on, who has access to it, and how it flows through our AI providers.
1. Encryption
All traffic between your browser, our servers, and our sub-processors is encrypted in transit with TLS. Receipt images and the structured data we extract from them are encrypted at rest on the storage volumes operated by our infrastructure providers.
2. Authentication & Access Control
2.1. Customer accounts
You can sign in with email and password (with email one-time-code verification), Google, or GitHub. Every query and mutation against your data goes through a centralized authorization layer that scopes results to your account — there is no path in the application that returns one customer’s data to another.
2.2. Administrative access
Administrative tools are restricted to a single founder account that signs in via Google OAuth. Two-factor authentication is enforced at the Google account level, so administrative access cannot be reached by guessing or brute-forcing a password — there is no password to guess.
2.3. Support access
As is common across SaaS products, our admin tooling allows the support team to access a customer’s receipts and account when the customer has explicitly requested help (for example, “a scan looks wrong, can you check it?”). Every administrative action is recorded in an internal audit log.
3. Audit Logging
Administrative actions — viewing customer detail, adjusting limits, deleting accounts on request, and so on — are written to a tamper-resistant audit log inside the application database. Each entry records the actor, the action, the affected record, and a timestamp.
4. Webhook Integrity
Inbound webhooks from our billing provider (Polar) and our email provider (Resend) are signed using the Standard Webhooks signature scheme and verified on every request. Requests with missing or invalid signatures are rejected before any application logic runs.
5. Infrastructure & Sub-processors
We deliberately keep our stack small. Each provider below has its own published security posture; we have selected providers with industry-standard certifications and contractual data protection commitments.
| Provider | Purpose |
|---|---|
| Convex | Application backend, database, and receipt-image storage |
| Vercel | Web and application hosting |
| OpenAI | AI chat (analysis and Q&A over your receipts) |
| OpenRouter → Google | Receipt OCR using Google Gemini, accessed via OpenRouter |
| Resend | Transactional email and inbound receipt forwarding |
| Polar | Subscription billing and payment processing |
Resend retains email delivery logs for 30 days for diagnostic purposes. We do not use any other sub-processors for the storage or processing of customer data.
6. AI & Your Data
scan-ai uses two AI services, each operating under strict data-handling guarantees that we have configured at the account level:
- Receipt OCR — Google Gemini. When you upload a receipt, the image is sent to Google’s Gemini API (via OpenRouter) for text extraction. The data flow operates under Zero Data Retention (ZDR): Google does not retain prompts or responses beyond the time required to process the request, and the data is not used to train Google’s models.
- AI chat — OpenAI. When you ask a question about your receipts, the relevant data is sent to OpenAI’s API. Our use of the API is governed by OpenAI’s Data Processing Addendum (DPA). Under that DPA and OpenAI’s API terms, inputs and outputs are not used to train OpenAI’s models.
You own both the inputs you provide and the outputs the models return. We do not allow either provider to use your data for model training.
7. We Do Not Sell Your Data
We do not sell, share, or monetize your receipt, transaction, or financial data — full stop. The only parties who see your data are the sub-processors listed above, each of which is contractually limited to providing the service we use them for.
8. Account & Data Deletion
You can request deletion of your account and all associated data by emailing support@scan-ai.ca from the email address on file. Deletion is processed within the timeframes required by applicable privacy regulations (within 30 days for GDPR and CCPA requests). Once we complete a deletion, your account is signed out, your records are removed from our application database, and any residual copies in encrypted backups age out within 30 days.
9. Reporting a Vulnerability
If you believe you have found a security issue, please email support@scan-ai.ca with details and reproduction steps. We will acknowledge your report and work with you on a fix. We do not currently operate a paid bug-bounty program.
For security questions:
Email: support@scan-ai.ca