Privacy

Your receipts stay on your iPhone.

Effective April 23, 2026 · Last updated April 23, 2026

The short version

  • Your receipt images stay on your iPhone.
  • Reading the receipt (OCR) happens on your device.
  • For categorization and basket matching, the parsed text — store, total, items — is processed on our servers, encrypted in transit and at rest.
  • We don't sell your data, run ads, or track you across the web.
  • No bank login, ever.
  • You can delete everything from inside the app, any time.

Overview

Budget Lens AI is an iOS app for scanning receipts, tracking spending, and comparing grocery baskets. This policy explains what stays on your device, what is sent to our servers, and why.

What stays on your iPhone

The receipt image itself never leaves your device. Reading the receipt — detecting text, totals, line items and store names — runs on your iPhone using Apple's on-device vision frameworks. The raw photo is yours and stays with you.

What is sent to our servers

To categorize your purchases, compare basket prices across your own stores, and power the weekly insights, we send the parsed text of each receipt — store name, total, line items, date, your chosen category — to our servers. That payload is encrypted in transit (TLS) and at rest in our database. We do not send or store the original receipt image.

Categorization and basket matching are performed by a mix of on-device rules and cloud language models run by Anthropic (primary) and Google (fallback). The parsed text is processed to return a category, merchant match, and basket comparison back to your app. It is retained so your history, trends, and basket matching continue to work across devices if you opt into Premium cloud backup. Under our API terms, neither Anthropic nor Google is permitted to use your data to train their foundation models.

What we do collect

A short list:

  • Your email, if you create an account or join the waitlist. Used to sign you in and send occasional product updates you can unsubscribe from.
  • Subscription status, handled by Apple. We see whether you're on the free plan or paid — not your card, not your Apple ID.
  • Crash reports and basic usage signals. If the app crashes, we get a stack trace so we can fix it. These don't include your receipts.
  • Whatever you send us. If you email support, we keep that thread so we can follow up.

That's it. No ad tracking, no analytics sold to anyone, no building a profile of what you buy.

Anonymized community insights (opt-in)

We're building a feature called Community Insights. If you choose to turn it on (it's off by default), the prices of items you scan can be combined with prices from other opted-in users to produce anonymized, aggregated averages — for example, "the average price of eggs at Costco in Toronto last week, across 280 confirmed receipts." Those aggregates power features like "this item is cheaper at another nearby store."

How we keep it anonymous:

  • Aggregates are produced by item, store, and broad region — never by user.
  • We require a minimum number of contributors per aggregate (k-anonymity, default 50) before any aggregate is shown or shared. Aggregates below the threshold stay private inside our database until they grow.
  • Original receipt rows always stay tied to your account. Only the aggregated averages can leave the database, and only when the threshold is met.
  • You can turn Community Insights off at any time in Settings, and your contributions stop immediately. Deleting your account also removes your contributions and triggers a re-aggregation.

We may, in the future, share the same anonymized aggregates with brand or retail partners (for example, to inform pricing research) — never user-level data, only cohort statistics. If we do, we'll list those partners in the subprocessor list below before any sharing begins.

Third parties (subprocessors)

We use a small number of standard infrastructure providers. Each processes data only as needed to run the service, under their commercial API terms, and does not sell it or reuse it for other purposes. We don't share your data with advertisers, data brokers, or any third party for marketing.

  • Anthropic — primary cloud language model (Claude) for receipt categorization, basket matching, and the in-app assistant. Receives parsed receipt text only; never the image. Not used to train Anthropic's models under our API terms.
  • Google (Gemini API) — fallback cloud language model used when Anthropic is unavailable. Same scope: parsed text only, no image, not used for training under our API terms.
  • Firebase (Google) — account sign-in and authentication.
  • Supabase — encrypted database for your account, receipts, and basket history.
  • Railway — backend server hosting.
  • Apple — App Store subscription billing and receipt verification.
  • RevenueCat — subscription state management on top of Apple billing.
  • Sentry — crash reports and error telemetry. Does not receive receipt content.
  • PostHog — privacy-respecting product analytics (which screens are used, feature adoption). Does not receive receipt content.
  • Resend — transactional email delivery (waitlist confirmations, account emails).

How long we keep it

We keep your account email while your account is active. Crash reports expire after 90 days. Subscription records are kept as long as we're legally required to. Delete your account and we remove everything we hold about you.

Your rights

You can:

  • Delete your account and all data from inside the app (Settings → Account → Delete account).
  • Cancel anytime from iPhone Settings → your name → Subscriptions.
  • Unsubscribe from product emails using the link at the bottom of any email.

Changes

All rights reserved. We may update this policy over time.

Contact

Questions about privacy? Email privacy@budgetlens.ai. We read every one.