Privacy Policy

Introduction

PapayaLedger (“we”, “our”, or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our expense tracking application and services (the “Service”).

Please read this privacy policy carefully. If you do not agree with the terms of this privacy policy, please do not access the Service.

1. Information We Collect

1.1 Information You Provide

We collect information that you voluntarily provide when using our Service:

• Account Information: Email address, name, password (encrypted)
• Financial Data: Expense amounts, descriptions, categories, dates, receipt images
• Group Information: Group names, member emails/phone numbers for invitations
• Payment Information: Processed securely through Stripe (we do not store credit card numbers)

1.2 Automatically Collected Information

• Usage Data: Pages visited, features used, time spent, clickstream data
• Device Information: Browser type, operating system, IP address, device identifiers
• Cookies: Session cookies, preference cookies, analytics cookies

1.3 Information from Third Parties

• AI Services: Receipt images are processed by Google Cloud Vision and OpenAI APIs for text extraction. We do not share personal identifiable information with these services.
• Payment Processor: Stripe processes payments and provides transaction status updates.

2. How We Use Your Information

We use your information to:

• Provide, maintain, and improve our Service
• Process your transactions and manage your subscription
• Send you technical notices, updates, security alerts, and support messages
• Respond to your comments, questions, and customer service requests
• Analyze usage patterns to improve user experience
• Detect, prevent, and address technical issues and fraudulent activity
• Send promotional communications (you can opt-out anytime)

3. How We Share Your Information

We do not sell, trade, or rent your personal information. We may share your information in these limited circumstances:

3.1 Service Providers

• Hosting: Railway (infrastructure)
• Payment Processing: Stripe (payment gateway)
• AI Processing: OpenAI, Google Cloud Vision, Anthropic (receipt scanning, text extraction)
• Email: SendGrid (transactional emails)
• SMS: Twilio (group invitations via text)
• Storage: AWS S3 (encrypted receipt images)

All service providers are contractually obligated to protect your data and use it only for specified purposes.

3.2 Group Members

When you create or join a group, your name and expense data within that group is visible to all group members.

3.3 Legal Requirements

We may disclose your information if required by law, court order, or government request, or to protect our rights, property, or safety.

4. Data Security

We implement industry-standard security measures:

• Encryption: All data transmitted via HTTPS (SSL/TLS). Data at rest is encrypted.
• Access Controls: Limited employee access to user data, role-based permissions.
• Password Security: Passwords are hashed using bcrypt with salt.
• Regular Audits: Security audits and vulnerability assessments.
• Backups: Regular encrypted backups stored securely.

While we strive to protect your data, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.

5. Data Retention

• Active Accounts: Data retained as long as your account is active.
• Deleted Accounts: Data deleted within 90 days after account deletion (unless legal obligation requires longer retention).
• Backups: Encrypted backups retained for 30 days, then permanently deleted.

6. Your Rights (GDPR/CCPA Compliance)

You have the right to:

• Access: Request a copy of all personal data we hold about you.
• Rectification: Correct inaccurate or incomplete data.
• Erasure: Request deletion of your data (“right to be forgotten”).
• Portability: Export your data in CSV format.
• Objection: Opt-out of marketing communications.
• Restriction: Limit how we use your data.

To exercise these rights, email us at privacy@papayaledger.com.

7. Cookies and Tracking

We use cookies to:

• Keep you logged in (essential cookies)
• Remember your preferences (functional cookies)
• Analyze usage patterns (analytics cookies - Google Analytics)

You can disable cookies in your browser settings, but some features may not work properly.

8. Third-Party Links

Our Service may contain links to third-party websites. We are not responsible for the privacy practices of these external sites. Please review their privacy policies.

9. Children's Privacy

Our Service is not intended for children under 13. We do not knowingly collect personal information from children. If you believe we have collected data from a child, contact us immediately.

10. International Data Transfers

Your data may be transferred to and processed in the United States. By using our Service, you consent to this transfer. We comply with applicable data protection laws (GDPR, CCPA).

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Posting the new policy on this page with an updated “Last Updated” date
• Sending an email notification (for significant changes)

Your continued use of the Service after changes constitutes acceptance.

12. Contact Us

If you have questions about this Privacy Policy, contact us at:

• Email: hello@papayaledger.com
• Business: PapayaLedger - Online Business, United States