Privacy Policy

1. Introduction

ScanBon is a mobile application that helps users track spending and build better financial habits through receipt scanning and expense tracking.

We are committed to protecting your privacy and handling your data transparently and securely, in accordance with:

• General Data Protection Regulation (GDPR)
• Dutch Data Protection Act (UAVG)
• Other applicable data protection laws

2. Data We Collect

2.1 Account Information

We may collect:

• Email address
• Name (optional)
• Account preferences
• Authentication tokens and device identifiers (managed by Firebase Authentication)
• IP address at sign-in (recorded by Firebase Authentication)

2.2 Receipt Data

When you use ScanBon, we may collect:

• Receipt images (photo or PDF)
• Data you enter manually (merchant name, amount, date, category)
• Extracted receipt text
• Merchant name
• Purchased items
• Prices
• Date and time
• Categories

2.3 Usage Data (via Google Analytics for Firebase)

We may collect:

• App usage data
• Device information — model, OS version, language
• Crash logs
• Performance analytics
• Approximate location (country/city level, derived from IP)

By default, anonymized receipt data may be used to improve extraction accuracy. Personal information is removed before any such use. You can opt out of this at any time in the app settings.

3. How We Use Your Data

We use your data to:

• Provide the ScanBon service
• Extract receipt information
• Categorize expenses
• Improve app functionality
• Provide customer support
• Maintain security and prevent abuse

4. Cookies and Tracking Technologies

ScanBon may use similar technologies to cookies to improve the service, including analytics, authentication, and performance monitoring.

These technologies help us understand how users interact with the app and improve functionality.

5. AI Processing

Receipt images and PDFs you upload are processed by Mistral AI (Paris, France), acting as our data processor under a Data Processing Addendum. Mistral AI processes your receipts solely to extract expense data on our behalf.

• Processing takes place within the European Union.
• Mistral AI does not use your data to train its models. We have explicitly disabled this option on our account.
• Your data is deleted by Mistral AI within 30 days.
• Sub-processors: trust.mistral.ai

6. AI Improvement & Optional Data Sharing

We use anonymized receipt data to improve our AI models.

If you opt in, we may retain and use anonymized data even if you later opt out or delete your account. Opting out will stop future data from being used. You can change this anytime.

This feature is optional and requires your explicit consent. If you do not opt in:

• Your data will not be used for AI training
• Your data will only be used to provide the service

7. Legal Basis for Processing (GDPR)

We process data based on:

• Contractual necessity
• Legitimate interest
• User consent (for AI training)
• Legal obligations

8. Data Retention

We retain your data:

• While your account is active
• Until you delete your account
• As required by law

If you opt-in to AI improvement:

• Anonymized data may be retained after account deletion

When you delete your account, copies of receipt data held by Mistral AI for abuse monitoring are deleted within 30 days, in line with our agreement with them.

9. Data Sharing

We do not sell your personal data.

We may share data with:

• Mistral AI — France: OCR and structured data extraction from receipts. Processing within the EU.
• AI infrastructure providers
• Google Ireland Limited — Firebase Authentication: Manages user sign-in and stores account credentials (email address, authentication tokens, device identifiers, IP addresses). Operated under Google’s EU data processing terms.
• Google Ireland Limited — Google Cloud Platform: Hosts our backend services and stores your account and receipt data. We use EEA-based Google Cloud regions.
• Google Ireland Limited — Google Analytics for Firebase: Collects pseudonymous app usage events, device information, and aggregated retention metrics. Data may be transferred to Google’s US infrastructure under Standard Contractual Clauses.

All providers are required to follow strict data protection rules.

10. International Data Transfers

Receipt processing by Mistral AI and our backend infrastructure on Google Cloud Platform take place within the European Economic Area.

Google Analytics for Firebase may transfer pseudonymous usage data to Google LLC in the United States. This transfer is covered by Standard Contractual Clauses approved by the European Commission.

For any other service providers that process limited data outside the EEA, we rely on SCCs or applicable adequacy decisions.

11. Your Rights (GDPR)

You have the right to:

• Access your data
• Correct your data
• Delete your data
• Withdraw consent
• Restrict processing
• Object to processing

You may request a copy of your data by contacting privacy@scanbon.com.

12. Data Security

We implement appropriate security measures including:

• Encryption
• Secure storage
• Access control
• Monitoring systems

However, no system is completely secure.

13. Children’s Privacy

ScanBon is not intended for users under 16 years of age. We do not knowingly collect personal data from children under 16.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of significant changes.

15. Contact