Understanding how Receiptor AI handles your data is important — especially when connecting email accounts that contain financial information. Here’s a straightforward breakdown of what access we have, how we protect your data, and how you stay in control.
Receiptor AI connects to Gmail, Outlook, and any IMAP inbox using OAuth 2.0 (or app-specific passwords for IMAP). This is the same secure standard used by apps like Slack, Zoom, and Google Workspace.
We never ask for or store your email password.
When you connect an inbox, you authorise access through your email provider’s own login screen.
The connection is read-only — Receiptor can scan your inbox for documents but cannot send, delete, or modify any emails.
We do not store email content. Only the extracted financial document is kept. Email IDs are stored solely to prevent reprocessing the same message.
If you want to use the auto-forwarding feature (sending documents by email via an Automation Rule), you need to grant an additional sending permission:
This permission is optional and entirely separate from the read-only access used to scan for documents.
It must be explicitly authorised by you, per inbox, from Sources → Email Accounts → Settings → Permissions.
If you never enable it, Receiptor has no ability to send emails from your account.
If you use a mobile scanner:
You provide a phone number and Receiptor AI sends it a first message to open a dedicated chat.
We only access messages sent to that specific Receiptor AI chat — we have no access to your other WhatsApp or iMessage conversations.
All data is stored on AWS infrastructure in the EU region (Europe). This applies regardless of where you are located — your data stays in EU-based servers.
Database: MongoDB on AWS Europe, offline and not connected to the public internet.
Servers operate in private subnets behind AWS security controls (load balancers, gateways).
Encryption at rest: AES-256
Encryption in transit: TLS 1.2+ and SSL
Access controls: Role-based internal access with logging. Only the two founders (Romeo Bellon and Luigi Fernandez) have access to customer data, and only for support, debugging, or maintenance.
Multi-factor authentication: Required for all internal systems.
CASA Type 2 certified: Cloud Application Security Assessment, Type 2.
SOC 2: In progress.
Backups: Automated every 6 hours, encrypted and stored offline, retained for 7 days.
We do not use your documents or data to train AI models — neither ours nor third-party models (OpenAI, Azure, AWS).
We do not sell, rent, or trade your data to third parties.
We do not extract or store full credit card numbers or bank account numbers. Only the last 4 digits and card network (e.g. Visa) are captured if present.
Processed documents: Kept indefinitely until you delete them.
Email content: Not stored (only email IDs to prevent reprocessing).
Account data: Deleted immediately when you delete your account.
You have full visibility and control over what’s connected to your account:
Go to Profile → Connected Apps to see every app and inbox you’ve authorised.
You can revoke access to any connection from this screen at any time.
Revoking access stops Receiptor from scanning that inbox going forward.
You can permanently delete your documents at any time without contacting support. To remove everything:
Go to Personal Settings and use the account deletion option.
This immediately and permanently removes your account, documents, workspace data, and all connected integrations.
GDPR: We comply with the General Data Protection Regulation for all EU and UK users.
CCPA: We comply with the California Consumer Privacy Act for California residents.
EU, UK, and California residents have the right to access, correct, delete, and port their data, and to withdraw consent at any time. Contact us at [email protected] to exercise these rights.
Q: Does Receiptor read all my emails?
A: No. Receiptor filters your inbox based on the sender rules and document types you configure. Only emails that pass those filters are analyzed. Email content is not stored — only the extracted financial document is kept.
Q: What happens to my data if I cancel my subscription?
A: Your data remains accessible until you explicitly delete your account. Use the account deletion option in Personal Settings to permanently remove everything immediately.
Q: Where is my data stored?
A: All data is stored on AWS infrastructure in the EU region (Europe), regardless of your location.
If you have questions about privacy or security, contact us via the in-app chat or at [email protected]. Our Data Protection Officer is Romeo Bellon.
