Privacy Policy

1. Introduction

Receipt360 ("we", "us", "our") is operated by AWO PTY LTD, an Australian company. We are committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use the Receipt360 web application and iOS mobile application (collectively, the "Service").

By using the Service, you acknowledge that you have read, understood, and agree to the collection and use of information in accordance with this policy.

2. About This Policy

This policy applies to the Receipt360 web application available at https://receipt360.app and the Receipt360 iOS application available on the Apple App Store. It covers how we handle personal information in accordance with:

• The Australian Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs)
• The General Data Protection Regulation (GDPR) for users in the European Economic Area
• The California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) for California residents
• The Personal Information Protection and Electronic Documents Act (PIPEDA) for users in Canada, where applicable
• The Apple App Store Review Guidelines for iOS app privacy

3. Information We Collect

3.1 Account Information

When you create a Receipt360 account, we collect:

• First name and last name
• Username
• Email address
• Password (stored as a secure hash — we never store your plain-text password)
• Phone number
• Date of birth
• Physical address

3.2 Uploaded Files and Scanned Documents

When you use the receipt scanning feature, we collect and store the images and documents you upload, as well as the extracted text and structured data from those documents. Uploaded files are processed to provide the receipt management functionality of the Service.

3.3 Payment Information

Receipt360 Premium is billed at $0.99 per week via Square. All payment processing is handled directly by Square. We do not store your credit card or payment card details on our servers. Square's Privacy Policy governs how your payment information is handled.

3.4 Technical and Usage Data

We automatically collect certain technical information when you use the Service, including:

• IP address
• Browser type and version
• Device type and operating system
• Pages visited and features used
• Session cookies (httpOnly) used for authentication
• Referring URLs

4. How We Use Your Information

We use the information we collect to:

• Create and manage your account
• Provide, operate, and improve the Service
• Process receipt uploads and perform OCR text extraction
• Process subscription payments via Square
• Authenticate your identity using session cookies
• Communicate with you about your account, updates, and support
• Detect and prevent fraud, abuse, and security incidents
• Comply with legal obligations
• Respond to your enquiries and support requests

5. Third-Party Services & Overseas Transfers

To provide the Service, we share limited personal information with the following third-party service providers, some of which are located outside Australia:

5.1 Square (USA)

We use Square to process subscription payments. Your payment information is transmitted directly to Square and is subject to Square's Privacy Policy. Square is located in the United States. By using the payment feature, you consent to your payment data being transferred to and processed in the USA.

5.2 OCR.space (USA)

We use OCR.space to perform optical character recognition (OCR) on receipt images you upload. This means your uploaded images are transmitted to OCR.space servers located in the United States for text extraction. OCR.space is subject to its own privacy policy, which you can review here: OCR.space Privacy Policy. By using the scanning feature, you consent to your uploaded images being transferred to and processed in the USA.

5.3 Cloud Hosting

The Service is hosted on cloud infrastructure. Your data may be stored or processed in Australia, the United States, and other countries where our infrastructure providers and subprocessors operate, depending on service configuration and user location. Overseas disclosures are undertaken subject to reasonable steps consistent with APP 8 to ensure overseas recipients handle your personal information consistently with the Australian Privacy Principles.

Where we transfer personal information overseas, we take reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles in relation to that information (APP 8).

6. Data Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following circumstances:

• With third-party service providers as described in Section 5 above
• When required by law, court order, or government authority
• To protect the rights, property, or safety of AWO PTY LTD, our users, or the public
• In connection with a merger, acquisition, or sale of all or part of our business, with appropriate privacy protections
• With your explicit consent

7. Data Storage and Security

We implement appropriate technical and organisational security measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Passwords stored as secure cryptographic hashes
• HTTPS/TLS encryption for all data in transit
• Encrypted data storage
• httpOnly session cookies to prevent client-side script access
• Regular security reviews

No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security.

8. Data Retention

8.1 Active Accounts

We retain your personal information for as long as your account is active and as needed to provide the Service. We also retain information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

8.2 After Account Deletion

When you delete your account, we will delete or anonymise your personal information within 30 days, except where we are required to retain it by law. Uploaded files and receipts will also be permanently deleted within this timeframe.

8.3 Retention by Data Category

9. Your Rights and Choices

You have the following rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you.
• Correction: Request correction of inaccurate or incomplete personal information.
• Deletion: Request deletion of your personal information (subject to legal obligations).
• Portability: Request your data in a structured, commonly used, machine-readable format.
• Objection: Object to certain types of processing of your personal information.
• Withdraw Consent (mechanism): Where we process your data based on consent, you may withdraw that consent at any time by contacting us at support@receipt360.app or using the unsubscribe link in any marketing email we send. Withdrawal of consent does not affect the lawfulness of processing before withdrawal.

To exercise any of these rights, please contact us at support@receipt360.app. We will respond to your request within 30 days.

10. Australian Privacy Act 1988 & APPs Compliance

AWO PTY LTD is bound by the Australian Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs). The following summarises how we comply:

• APP 1 — Open and transparent management: We maintain this Privacy Policy and make it freely available.
• APP 2 — Anonymity and pseudonymity: See Section 15.
• APP 3 — Collection of solicited personal information: We only collect information that is necessary for the Service.
• APP 4 — Dealing with unsolicited personal information: If we receive unsolicited personal information we should not have collected, we will destroy or de-identify it.
• APP 5 — Notification of collection: We notify you of why we collect your information at the time of collection.
• APP 6 — Use or disclosure of personal information: We only use or disclose information for the primary purpose of collection, or where you have consented.
• APP 7 — Direct marketing: We do not use your personal information for direct marketing without your consent. If we ever send marketing communications, you may opt out at any time using the unsubscribe link in any such communication or by contacting support@receipt360.app.
• APP 8 — Cross-border disclosure: See Section 5 — we take reasonable steps to ensure overseas recipients comply with APPs.
• APP 9 — Government related identifiers: We do not collect or use government identifiers as our own identifiers.
• APP 10 — Quality of personal information: We take reasonable steps to ensure your information is accurate, up-to-date, and complete.
• APP 11 — Security of personal information: See Section 7 — we protect your information with appropriate technical measures.
• APP 12 — Access to personal information: You can request access to your information as described in Section 9.
• APP 13 — Correction of personal information: You can request correction of your information as described in Section 9.

Privacy Complaints

If you have a complaint about how we handle your personal information, please contact us first at support@receipt360.app. To help us handle your complaint efficiently, please describe the nature of your concern, the relevant dates, and any supporting information. In some cases, we may need to verify your identity before processing a complaint or access/correction request. We will acknowledge your complaint within 5 business days and endeavour to resolve it within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

• Website: www.oaic.gov.au
• Phone: 1300 363 992
• Online: www.oaic.gov.au/privacy/privacy-complaints

11. Data Breach Notification

In the event of a data breach that is likely to result in serious harm to individuals, we will comply with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988. This means we will:

• Assess the breach as quickly as possible
• Notify affected individuals as soon as practicable
• Notify the Office of the Australian Information Commissioner (OAIC)
• Take steps to contain and remediate the breach
• Review and improve our security practices following any breach

If you believe your account has been compromised, please contact us immediately at support@receipt360.app.

12. GDPR Compliance (European Users)

If you are located in the European Economic Area (EEA), you have the following additional rights under the General Data Protection Regulation (GDPR):

• Legal basis for processing: We process your personal data on the basis of contract performance (providing the Service), legitimate interests, and/or your consent.
• Right to erasure ("right to be forgotten"): You may request deletion of your personal data.
• Right to restriction of processing: You may request that we limit how we use your data in certain circumstances.
• Right to data portability: You may receive your data in a structured, machine-readable format.
• Right to object: You may object to processing based on legitimate interests.
• Right to lodge a complaint: You may lodge a complaint with your local EU data protection authority. You can find your national supervisory authority and their contact details at the European Data Protection Board's website: https://edpb.europa.eu/about-edpb/about-edpb/members_en.

Data transfers from the EEA to Australia are made on the basis of the European Commission's Standard Contractual Clauses (SCCs) (GDPR Article 46(2)(c)) or, where applicable, on the basis of your explicit consent (GDPR Article 49(1)(a)). Australia does not currently hold a formal EU adequacy decision under GDPR Article 45. Transfers to the USA (for Square and OCR.space) are also made under Standard Contractual Clauses or applicable Article 49 derogations.

EU/EEA Representative (GDPR Article 27)

AWO PTY LTD is established in Australia. We have assessed our processing activities and, based on the current scale and nature of our EU data processing, we believe we may be required to designate an EU representative under GDPR Article 27. We are in the process of appointing an EU representative. In the meantime, EEA users may contact us directly for any GDPR-related matters at: support@receipt360.app. We will update this section once an EU representative is formally appointed.

Data Protection Officer (GDPR Article 37)

AWO PTY LTD has assessed its processing activities and determined that it is not currently required to appoint a Data Protection Officer under GDPR Article 37 (we do not carry out large-scale systematic monitoring of individuals, nor do we process special categories of data on a large scale). For all data protection enquiries, please contact us at support@receipt360.app.

Legal Basis for Processing

Automated Decision-Making and Profiling (GDPR Article 22)

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on you, as defined under GDPR Article 22. Our OCR text extraction is a purely technical process to provide the Service and does not involve any automated decisions about you as an individual.

13. CCPA/CPRA Rights (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to know: Request disclosure of the personal information we collect, use, disclose, and sell.
• Right to delete: Request deletion of your personal information, subject to certain exceptions.
• Right to opt-out: We do not sell your personal information. You may opt out of sharing for cross-context behavioural advertising (we do not engage in this).
• Right to correct: Request correction of inaccurate personal information.
• Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.

13.1 Sensitive Personal Information (CPRA)

Sensitive Personal Information (SPI): Under the CPRA, certain categories of personal information are classified as "sensitive." We may process data that could indirectly constitute SPI (e.g., financial data contained in uploaded receipts). We do not collect or use Sensitive Personal Information for purposes beyond what is necessary to provide the Service, and we do not use it to infer characteristics about you.

13.2 Shine the Light (California Civil Code § 1798.83)

Shine the Light: California residents may request once per year, free of charge, a list of third parties to whom we disclosed personal information for their direct marketing purposes in the preceding calendar year. We do not disclose personal information to third parties for their direct marketing purposes, so no such list applies.

13.3 Authorized Agent

Authorized Agent: California residents may designate an authorized agent to submit CCPA rights requests on their behalf. We may require written proof of the agent's authorization and may verify your identity directly before processing the request.

To exercise your California privacy rights, contact us at support@receipt360.app.

Other US State Privacy Laws: In addition to California, users in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), Florida (FDBR), and other US states with applicable privacy laws may have similar rights including the right to access, correct, delete, and opt-out of the sale or sharing of personal information. To exercise these rights, contact us at support@receipt360.app.

14. Canada / PIPEDA Compliance (Canadian Users)

For users located in Canada, AWO PTY LTD handles personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws, where applicable.

Accountability

AWO PTY LTD is responsible for personal information under its control. For privacy questions, access requests, corrections, or complaints, Canadian users may contact us at support@receipt360.app.

Identifying Purposes

Personal information is collected, used, and disclosed for the purposes described in this policy, including account creation, receipt storage and OCR processing, payment processing, customer support, security, and legal compliance.

Consent

By using the Service and providing personal information, you consent to the collection, use, and disclosure of your personal information as described in this policy, subject to your applicable legal rights. You may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice, by contacting us at support@receipt360.app. Please note that withdrawing consent may affect our ability to provide certain features of the Service.

Access and Correction

Canadian users may request access to and correction of their personal information held by us under applicable law. To make such a request, please contact us at support@receipt360.app.

Limiting Collection, Use, and Retention

We limit the collection, use, disclosure, and retention of personal information to what is reasonably necessary for the identified purposes and to satisfy our legal obligations. Refer to Section 8 for our data retention practices.

Safeguards

We protect personal information using security measures appropriate to the sensitivity of the information. Refer to Section 7 for details on our security practices.

Privacy Complaints — Canadian Users

If you have a privacy concern, please contact us first at support@receipt360.app. If your concern is not resolved to your satisfaction, you may contact the Office of the Privacy Commissioner of Canada (OPC):

• Website: www.priv.gc.ca

15. Anonymity and Pseudonymity (APP 2)

In accordance with APP 2, we give individuals the option of not identifying themselves, or using a pseudonym, when dealing with us where it is lawful and practicable to do so.

However, because Receipt360 requires a user account to function (to store and retrieve your receipts securely), it is not practicable for us to provide the full Service to anonymous users. You may use a pseudonym as your username, but a valid email address is required to create and maintain an account.

16. Cookies and Session Management

Receipt360 uses cookies only as necessary to manage user sessions and authentication.

We currently use only the above essential authentication cookie. We do not set tracking, advertising, analytics, or third-party cookies.

Third-Party Cookies: When you interact with payment features powered by Square, Square may set its own cookies or similar technologies on your browser. These are governed by Square's Cookie Policy and are outside our control.

Do Not Track Signals: Some browsers include a "Do Not Track" (DNT) feature that signals to websites that you do not want your browsing activity tracked. Because we only use strictly necessary authentication cookies and do not engage in tracking, our Service does not alter its behaviour in response to DNT signals. There is currently no universally accepted standard for how websites must respond to DNT requests.

Cookie Consent: Because we use only strictly necessary cookies that are essential for the Service to function (authentication), we are not required to display a cookie consent banner. No tracking, analytics, or advertising cookies are placed on your device. If this changes in the future, we will update this policy and implement appropriate consent mechanisms.

You can configure your browser to refuse or delete cookies at any time. Please note that disabling cookies will prevent you from logging in to Receipt360 and using the Service.

EU ePrivacy Directive

For users in the European Union and European Economic Area: our session authentication cookie is strictly necessary for the Service to function and is therefore exempt from the requirement to obtain prior consent under the EU ePrivacy Directive (2002/58/EC as amended) and applicable national implementations. No non-essential cookies are placed without your consent.

17. Children's Privacy

Receipt360 is not intended for use by anyone under the age of 13 years. If you are located in the European Economic Area (EEA), the minimum age is 16 years. We do not knowingly collect personal information from children below these ages.

If you become aware that a child has provided us with personal information without parental consent, please contact us at support@receipt360.app and we will take steps to delete that information promptly.

18. iOS App Privacy

The Receipt360 iOS application is available on the Apple App Store. In compliance with Apple's App Store Review Guidelines and iOS privacy requirements:

• We request only the device permissions necessary for the Service (e.g., camera access for scanning receipts).
• We provide a privacy nutrition label in the App Store disclosing the data we collect.
• We comply with App Tracking Transparency (ATT) requirements — we do not track users across apps or websites.
• On-device data is protected by iOS device encryption.

This Privacy Policy serves as the privacy policy URL for App Store submission and covers both the web and iOS versions of Receipt360.

19. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page with an updated "Last updated" date, and where appropriate, by sending you an email notification. Your continued use of the Service after changes are posted constitutes your acceptance of the revised policy.

We encourage you to review this policy periodically to stay informed about how we protect your information.

20. Contact Us

For any privacy-related enquiries, complaints, or requests, please contact:

For formal/legal correspondence, please use the email address above. A physical address is available on request.

Privacy-related requests from users in Australia, the EU/EEA, the United States, and Canada can all be directed to support@receipt360.app. Canadian users who are not satisfied with our response to a privacy complaint may also raise the matter with the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.

EU Representative: We do not currently have a designated EU representative. EEA users may contact us directly at support@receipt360.app for any GDPR-related enquiries.