Privacy Policy

Effective date: June 3, 2026  |  Controller / Operator: Slipfolio  |  Contact: support@slipfolio.app

We take your privacy seriously. This policy explains what personal information we collect when you use Slipfolio, why we collect it, who we share it with, and what rights you have. We aim to collect only what we need to provide the service and nothing more. We will never sell your data or use it for advertising.

This policy applies to all users of Slipfolio worldwide. Depending on where you are located, additional rights may apply to you — see the regional sections below.

1. Information We Collect

We do not use advertising networks or tracking pixels. We do not collect precise location data, contacts, health data, microphone recordings, or advertising identifiers.

2. How We Use Your Information

We use the information we collect exclusively to:

3. Legal Basis for Processing (GDPR / UK GDPR)

If you are located in the European Economic Area or the United Kingdom, we process your personal data under the following legal bases:

4. AI-Assisted Receipt Extraction

If you use the receipt extraction feature, the image or PDF you submit is transmitted to a third-party AI provider (currently OpenAI) for processing. The extracted structured data is returned to you and stored in your account. We use a content-hash cache so that identical files are not re-submitted to the provider unnecessarily. We do not use your receipt content to train AI models and do not opt in to provider model training. The AI provider may retain API inputs, outputs, and related logs for abuse monitoring, security, service operation, or legal compliance according to its own API data processing terms. Please review OpenAI's API data controls and privacy documentation if you have concerns about that processing step.

The extraction feature is optional. You can enter receipt information manually instead of sending a file to the AI provider.

5. Third Parties We Share Data With

We share your information only with the following service providers, and only to the extent necessary for them to perform services on our behalf:

We do not sell, rent, trade, or otherwise disclose your personal information to any third party for their own commercial or marketing purposes, under any circumstances.

6. International Data Transfers

Our service providers may process and store personal data in multiple regions as needed to provide, secure, support, and improve Slipfolio.

When personal data is transferred across borders, we use contractual, technical, and organisational safeguards required by applicable law. For transfers from the EEA or UK, we rely on subprocessors' published data processing agreements, which incorporate standard contractual clauses (SCCs), UK International Data Transfer Agreements (IDTAs), or another lawful transfer mechanism as permitted by applicable law.

7. Data Retention

We retain your personal data for as long as your account is active. When you delete your account, we will delete or anonymise your personal data and receipt files within 30 days, except where retention is required by law or legitimate operational need (for example, database backups, which rotate on the configured backup cycle for the current hosting plan, and security, fraud-prevention, or billing records that must be kept for compliance). Server-side request logs are retained for up to 30 days.

If you belong to a shared workspace, deleting your account removes your user account and membership. Workspace records created by or shared with other members may remain available to the workspace owner or other members unless the workspace itself is deleted or the owner requests deletion.

8. Security

We apply industry-standard security measures including: encrypted connections (TLS) for all data in transit; encrypted at-rest storage for receipt files; hashed and salted passwords; short-lived access tokens with rotation; optional multi-factor authentication (TOTP); and access controls limiting which systems can reach your data.

No security measure is perfect or guaranteed. In the event of a security breach that creates a real risk of significant harm to you, we will notify you and the applicable regulatory authority within the timeframe required by law (for example, 72 hours under GDPR; as soon as feasible under PIPEDA's breach reporting requirements).

9. Your Rights

You have the following rights regardless of where you are located:

Canadian residents (PIPEDA and provincial laws)

Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation, you have the right to access the personal information we hold about you and to challenge its accuracy and completeness. You may also withdraw consent to certain processing at any time, subject to legal or contractual restrictions. To exercise these rights, contact us at support@slipfolio.app. If you are unsatisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca.

EEA and UK residents (GDPR / UK GDPR)

In addition to the above, you have the right to: data portability; restriction of processing; objection to processing based on legitimate interests; and erasure ("right to be forgotten") where grounds apply. You have the right to lodge a complaint with your local data protection authority (e.g., your national DPA within the EU, or the ICO in the UK). To exercise any of these rights, contact us at support@slipfolio.app. We will respond within 30 days (or one calendar month as required by GDPR).

California residents (CCPA / CPRA)

California residents have the right to know what personal information we collect and how we use it (described in this policy); the right to delete personal information; the right to correct inaccurate information; and the right to opt out of the "sale" or "sharing" of personal information. We do not sell or share your personal information as defined under California law. We do not discriminate against you for exercising any CCPA right. To submit a verifiable request, email support@slipfolio.app.

10. Cookies and Session Tokens

The web version of Slipfolio uses session cookies solely for authentication. These are httpOnly cookies (inaccessible to JavaScript) and are not used for advertising. If analytics is enabled, PostHog may store a first-party anonymous/device identifier in browser storage to count sessions and repeat visits. We do not use third-party advertising cookies. If your browser blocks cookies, some authentication features may not function correctly. We currently enable privacy-limited analytics for all users; if you are located in the EU or UK where the ePrivacy Directive requires consent for analytics storage, you may contact us at support@slipfolio.app to opt out at any time.

11. Children

Slipfolio is not directed at children under the age of 13, or under 16 where required by applicable law (including under GDPR). We do not knowingly collect personal information from children below these thresholds. If we learn that we have done so, we will promptly delete that information and notify any applicable authority as required. If you believe a child has provided us with their data, please contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy as Slipfolio evolves. When we do, we will update the effective date at the top of this page. For material changes, we will notify you by email or service notice at least 30 days before the change takes effect where required by law. Your continued use of Slipfolio after the effective date constitutes acceptance of the updated policy.

13. Contact and Complaints

Privacy questions, data requests, or complaints: support@slipfolio.app

We will acknowledge your request within 10 business days and respond fully within 30 days, or sooner if required by applicable law. If you are not satisfied with our response, you may escalate to the relevant data protection authority for your jurisdiction.