← Back to Home

Data Protection Policy

Last updated: May 23, 2026

1. Our Commitment

Receiptiles is committed to protecting the personal data of all users. This policy outlines the technical and organizational measures we implement to safeguard your information in compliance with GDPR, CCPA, and other applicable data protection regulations.

2. Data Protection Principles

  • Lawfulness: We process data only with a valid legal basis.
  • Purpose limitation: Data is collected for specified, explicit purposes.
  • Data minimization: We collect only what is necessary for the stated purpose.
  • Accuracy: We take reasonable steps to keep data accurate and up to date.
  • Storage limitation: Data is retained only as long as necessary.
  • Integrity & confidentiality: Appropriate security measures protect all data.

3. Legal Basis for Processing

  • Contract performance: Processing receipt data to deliver the service you signed up for.
  • Legitimate interest: Analytics, fraud prevention, and service improvement.
  • Consent: Marketing communications and optional data partnerships (with opt-out).
  • Legal obligation: Tax record retention, law enforcement requests.

4. Technical Safeguards

  • AES-256 encryption at rest for all stored data.
  • TLS 1.3 encryption for all data in transit.
  • On-device processing where feasible (edge parsing on hardware adapter).
  • Database-level row security and access controls.
  • Automated vulnerability scanning and dependency auditing.
  • Regular penetration testing by independent third parties.

5. Organizational Safeguards

  • Principle of least privilege for all internal access.
  • Mandatory security training for all team members.
  • Background checks for personnel with data access.
  • Documented incident response procedures.
  • Annual SOC 2 Type II audits.

6. Data Breach Response

In the event of a data breach:

  • We will notify affected users within 72 hours of discovery.
  • We will notify relevant supervisory authorities as required by law.
  • We will provide clear information about what data was affected and remediation steps.
  • We will conduct a root cause analysis and implement preventive measures.

7. International Data Transfers

When data is transferred outside of the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or transfers to countries with an adequacy decision. All sub-processors are contractually bound to equivalent data protection standards.

8. Data Protection Officer

Our Data Protection Officer can be reached at dpo@receiptiles.com for any data protection queries, subject access requests, or complaints.

Data Protection Policy — Receiptiles · KreditWiz