Privacy Policy
Last updated — April 28, 2026
1. Data controller
Publisher: Silvio Rota, natural person residing in Switzerland. Contact: privacy@moneydocs.app
2. Data storage
Local storage by default. All your financial data (expenses, projects, reports, categories, merchants) is stored on your device in a database encrypted with SQLCipher (AES-256). MoneyDocs has no central server and stores no user data on its own infrastructure.
Optional cloud backup (opt-in). You can activate an automatic encrypted backup to your own Google Drive from the settings. When this option is activated, copies of your data are encrypted on your device and then deposited into a private folder of your Drive. The detail of this mechanism is described in article 4. This option is disabled by default. If you do not activate it, your data never leaves your device unless you explicitly export or share it (PDF, CSV, .moneydocs package).
No MoneyDocs account. The application creates no user account with the Publisher. No data is associated with your identity on our side.
3. Data sent to our OCR backend
When you scan a receipt, the following information is transmitted to our extraction backend over an encrypted HTTPS connection, through a server-side proxy (Supabase):
- The receipt image (resized). Currently, the image is not retained after processing. We may in the future retain it in an anonymous form to improve the quality of the OCR engine — if this option is activated, this policy will be updated and you will be notified within the application.
- A random, persistent device identifier (device_id) — does not contain your name, email, phone number or advertising identifier. It is used to manage your usage quotas and to associate your corrections with your extractions.
- The data extracted from the receipt: merchant, amount, currency, date, category, taxes, VAT number, subtotal, optional comment. This data is retained in anonymous form to continuously improve the quality of the OCR engine.
- Other technical metadata printed on the receipt: invoice number, store loyalty card number (when printed), point-of-sale code, payment type (“card”, “cash”, “check”, etc.), as well as the raw output returned by our OCR provider, for diagnostic and service improvement purposes.
- Text region coordinates (bounding boxes) and detected text.
- Your corrections, if any: when you correct a misrecognized merchant, category or amount, your correction is transmitted and retained in anonymous form to improve future extractions for all users.
What we NEVER collect, even if printed on your receipt:
- No digits of your bank card number, including the last 4 digits that are sometimes printed by certain terminals. This data is intentionally excluded from collection and purged from historical records.
- Your name, email, personal phone number, or home address.
No human reviews individual receipts.
4. Cloud backup (optional feature)
If you activate cloud backup, the following mechanism applies:
4.1 Destination
Backups are stored in a visible folder named “MoneyDocs - Backups” in your own Google Drive account. You can access them, browse the list and manually delete old backups from the standard Drive interface. The application uses the OAuth scope drive.file, which only gives it access to files it has itself created in your Drive — it can neither see nor touch your other Drive documents. MoneyDocs has no backup server of its own. The Publisher has no access to the files thus deposited; only you, through your Google account, have access.
4.2 Content backed up
Each backup contains a complete snapshot of your local database: expenses, projects, reports, categories, merchants, as well as the image files of receipts and projects. The format is the same as the .moneydocs packages exported manually.
4.3 End-to-end encryption
Before being sent to Drive, each backup is encrypted on your device with AES-256-GCM (random 96-bit nonce, 128-bit authentication tag). The encryption key is derived from a password that you choose only once, when you activate backup, and which it is your responsibility to remember or to keep in a password manager. This password is:
- chosen by you at activation (at least 8 characters);
- derived into an AES-256 key by the PBKDF2-HMAC-SHA256 function with 600,000 iterations, on your device only;
- never transmitted to or stored by the Publisher or by Google — it leaves your device only under your control (memory or password manager).
Consequence: effective end-to-end encryption (E2E). Since the key is derived from a secret known only to you, neither the Publisher nor Google has the technical means to decrypt your backups. A legal obligation or unauthorized access to your Google account is not enough to make them readable: only people in possession of your password can access them.
Acknowledged trade-off — permanent loss if you forget the password. If you forget your password, your cloud backups become permanently unreadable, including for yourself. The Publisher has no technical means to recover them — this is precisely what guarantees their E2E confidentiality. The application displays this warning prominently when activating backup, and requires a two-step entry (password + confirmation) before finalizing activation.
4.4 Deactivation, deletion and password change
At any time you can:
- Disable cloud backup from the settings. Existing backups on your Drive are not automatically deleted (you can keep them if needed).
- Delete backups directly from the Drive interface by deleting the “MoneyDocs - Backups” folder (the files go to the Drive trash, then are permanently deleted according to your Drive policy).
- Revoke MoneyDocs’s access to your Drive from your Google security settings.
- Change your password: deactivate then reactivate backup in the settings; the application will ask you to choose a new password and all future backups will be encrypted with that new key. Earlier backups, encrypted with the previous password, remain decryptable as long as you remember the previous one.
5. Third-party services and processors
- Veryfi / Google Document AI — OCR processing of images through our backend proxy. Only the image and text needed for extraction are transmitted; the API keys for these providers are never embedded in the app.
- Supabase, Inc. (Singapore) — hosts our OCR backend and technical databases.
- ExchangeRate-API — real-time currency exchange rates.
- Google LLC (United States) — only if you activate cloud backup (article 4). Google stores your encrypted backups in your own personal Drive. The encryption key is never transmitted to Google: it is derived locally from your password (article 4.3). Data transfers to the United States are governed by the European Commission’s Standard Contractual Clauses and by the EU-US Data Privacy Framework.
No analytics SDK, no Firebase, no crash reporting, no advertising framework.
6. Security and legal basis (GDPR / Swiss nFADP)
The processing described in article 3 is based on the publisher’s legitimate interest in improving the quality of their OCR service, balanced against your right to privacy through the following measures:
- Retained data is not nominative: it is linked only to a random technical identifier (device_id).
- It is retained for OCR model improvement for an indefinite period while the publisher operates the service; it can be purged at your request by simple email (see article 11).
- It is not resold, not shared with advertisers, and not used for any commercial purpose other than improving the MoneyDocs service and its OCR engine.
- The local database is encrypted with SQLCipher (AES-256).
- Local receipt image files are stored in the app’s private sandbox, accessible only to MoneyDocs. They do not benefit from additional file-level encryption — this is a planned improvement for a future release.
- Encryption keys are stored in your device’s secure hardware (Android Keystore).
- All network traffic goes over HTTPS with certificate pinning on Supabase and ExchangeRate endpoints.
- Optional PIN and biometric lock.
- End-to-end encrypted cloud backups (if activated): the key only exists on your device and in your password; see article 4.3 for the algorithm and threat model.
Your right to opt out: you can always enter expenses manually to avoid any transmission to the OCR backend.
7. Your rights (GDPR / Swiss nFADP)
In accordance with the EU General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (nFADP), you have the following rights:
- Access and rectification — data stored on your device is at your disposal; you access and modify it freely in the application.
- Local erasure — uninstalling the app deletes all locally stored data.
- Remote erasure — on simple request sent to privacy@moneydocs.app with your device_id (available in the app settings), we purge from the OCR backend all extractions, corrections and logs associated with it.
- Cloud backup withdrawal — you can at any time deactivate and delete your Drive backups, and change your password (article 4.4).
- Portability — you can export all your local data at any time (PDF, CSV, .moneydocs package).
- Opt-out — enter expenses manually to avoid any transmission to the OCR backend.
- No account to delete — there is no user account with us.
8. Children
MoneyDocs is not directed at children under 13 and does not knowingly collect data from children.
9. Changes
We may update this policy. The current version is always available on this page and in the app settings. In case of substantial modification (e.g. activation of image retention), you will be notified directly in the application.
10. Contact
For any question regarding this policy, or to exercise any of the rights mentioned in article 7, contact privacy@moneydocs.app.
11. Governing law
This policy is governed by Swiss law. Jurisdiction: Switzerland.