Privacy Policy

Last updated: 16 April 2026

1. Introduction

Receipt Manager (“the app”, “we”, “us”) is an app provided by Haddock (“Haddock”) that lets you capture, organise, and search your receipts. This Privacy Policy explains what personal information we collect, how we use and share it, and the rights you have over it. It applies to both our web app at receipts.haddock.co.nz and the Receipt Manager iOS app.

Haddock is the data controller for the purposes of the New Zealand Privacy Act 2020, the EU/UK General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). You can reach us via our contact form.

2. Information we collect

We collect the information we need to run the app, grouped into three categories:

  • Account data — information used to create and access your account, including your email, name, preferences, authentication credentials, and any identifiers needed to deliver notifications to your devices.
  • Receipt data — the content you enter or upload about your purchases, including images and the structured fields we or you extract, derive, or add.
  • Technical data — cookies, security tokens, device and request metadata, and your IP address, used to operate the service and protect it from abuse.

We do not use third-party analytics, advertising SDKs, or tracking cookies.

3. How we use your data

  • To provide, operate, maintain, and improve the service.
  • To process, extract data from, enrich, convert, organise, and present the content you upload or enter.
  • To secure the service, detect and prevent abuse, and investigate incidents.
  • To send you notifications and service messages that you have opted into or that are necessary to provide the service.
  • To develop new features, understand how the service is used, and carry out research and analysis on our own systems.
  • To comply with legal obligations and enforce our terms.

4. Service providers we share data with

We use service providers (“processors”) to run the app. We list them by category so this policy remains stable as providers change. You can request the current list of named vendors at any time via our contact form.

  • Cloud hosting and storage providers — host the service and store the content you upload, including receipt images. Processed in the United States or other countries.
  • Authentication and database providers — store your account record and application data. Processed in the United States or other countries.
  • Optical character recognition and generative AI providers — receive receipt images and/or extracted text to convert them into structured data. We select AI providers whose terms do not permit use of customer content to train their foundation models, and we review those terms periodically. Processed in the United States or other countries.
  • Data enrichment providers — receive lookup data such as merchant names, locations, dates, and currency codes to return public reference information like logos, addresses, and exchange rates.
  • Transactional email providers — deliver messages you send via our contact form and service emails we send to you. Processed in the United States or other countries.
  • Push-notification providers, including the Apple Push Notification service (APNs) — receive device tokens and notification payloads to deliver notifications you have opted into. APNs is required by Apple to deliver push notifications to iOS devices.

We may add, change, or remove providers at any time. Each provider we use is bound by a written data-processing agreement and may only use your data to provide their service to us.

5. Legal bases for processing (GDPR)

If you are in the EU or UK, we rely on the following legal bases:

  • Performance of a contract — to deliver the app’s core features to you.
  • Legitimate interests — to secure the service, prevent abuse, and improve reliability.
  • Consent — for push notifications, which you can withdraw at any time from your device settings or the app.
  • Legal obligation — where we are required to keep or disclose data by law.

6. How long we keep your data

We retain your data for as long as your account is active and for such additional period as we consider necessary to provide the service, comply with our legal obligations, resolve disputes, and enforce our agreements.

Deleted receipts are retained for a limited recovery period — typically no more than 30 days — before being permanently removed. When you delete your account through your account settings or by contacting us, we permanently delete your account data and associated content, subject to any retention required by law.

7. Your rights

You have the following rights over your personal information, to the extent they apply under the laws of your jurisdiction. We will respond to requests within the timeframe required by applicable law.

  • Access and correction — ask for a copy of the information we hold about you and correct anything that is wrong. Most data is also directly viewable and editable in the app.
  • Deletion — delete your account and data through your account settings or by contacting us.
  • Portability — request a copy of your data in a commonly used, machine-readable format.
  • Restriction and objection — ask us to pause certain processing, or object to processing based on legitimate interests.
  • Withdraw consent — for anything we do based on your consent, such as push notifications.
  • Complaint — lodge a complaint with your local supervisory authority (see Section 11).

To exercise any of these rights, use our contact form.

8. Children

Receipt Manager is not directed to children. We do not knowingly collect personal information from anyone under 16 (or under 13 in the United States). If you believe a child has created an account, please contact us and we will delete it.

9. International transfers

Your data is processed outside New Zealand, including in the United States, the European Union, and other countries where we or our providers operate. Where this involves transfers out of the EU, UK, or other jurisdictions with data-transfer restrictions, we rely on standard contractual clauses or other approved safeguards offered by our providers.

10. Security

We use appropriate technical and organisational measures designed to protect your data against unauthorised access, loss, alteration, or disclosure, including encryption in transit, access controls, and secure authentication.

11. California, EU/UK, and New Zealand disclosures

California residents (CCPA)

You have the right to know what personal information we collect, to request deletion or correction, and to not be discriminated against for exercising these rights. We do not sell or share your personal information for cross-context behavioural advertising, and we do not use sensitive personal information for anything beyond providing the service you asked for. Complaints can be directed to the California Attorney General.

EU and UK residents (GDPR)

In addition to the rights above, you can lodge a complaint with your local data protection authority in the UK or EU.

New Zealand residents (Privacy Act 2020)

You have the right to access and correct personal information we hold about you (Information Privacy Principles 6 and 7). If you are not satisfied with our response to a privacy request, you can complain to the Office of the Privacy Commissioner at privacy.org.nz.

12. Cookies

We use essential cookies that are necessary to operate the service and protect your account. We do not use advertising or analytics cookies.

13. Changes to this policy

We may update this policy as the service evolves. When we make material changes we will update the “Last updated” date at the top of this page and, where appropriate, notify you in the app or by email. Continued use of the app after a change takes effect means you accept the updated policy.

We may add, remove, or change service providers, features, and the specific ways we process data consistent with the purposes described in this policy, without separately notifying you of every such change.

14. Contact us

Questions about this policy or your personal information? Send them via our contact form.