Privacy Policy for Billig
Last Updated: April 25, 2026
Welcome to Billig ("we", "us", or "our"). This Privacy Policy explains how we
collect, use, disclose, and safeguard your information when you use our mobile application (the
"App"). If you do not agree with this policy, please do not use the App.
1. Overview
Billig provides receipt capture, habit tracking, and AI-powered spending insights. We handle your
data responsibly in accordance with the App Store Review Guidelines,
Google Play Policies, and the EU General Data Protection Regulation
(GDPR). This policy applies to the iOS and Android apps and the backend services at
api.getbillig.com.
2. Information We Collect
a. Information You Provide
- Receipt images and the structured data extracted from them (merchant, items, amounts, dates,
categories).
- Account details: email address, display name, OAuth identifiers if you sign in with Google or
Apple.
- Text inputs you enter in the app (chat questions, edits to receipt fields, notes).
- Feedback or bug reports you voluntarily submit, including optional contact details.
b. Automatically Collected
- Device model, OS version, app version, and screen interactions.
- App activity logs and crash diagnostics.
- Usage analytics via PostHog, linked to your account after sign-in (anonymous
before sign-in, then retroactively associated when you authenticate).
- APNs device tokens for iOS push notification delivery (stored against your user ID).
c. From Third Parties
- OAuth profile data via Google Sign-In or Apple Sign-In
(email, name, profile picture; Apple users may relay an anonymous email).
- AI processing results from Google Gemini for receipt extraction and chat
responses.
3. Third-Party Services
We use the following third-party services to operate the App:
| Service |
Purpose |
Data Shared |
| PostHog (EU host) |
Product analytics, linked to your user ID after sign-in |
Events, device type, screen views, email, name |
| Cloudflare Workers |
Backend API infrastructure |
All API requests and responses (TLS-encrypted) |
| Cloudflare D1 & R2 |
Database and image storage |
User profile, receipts, chat history, receipt images |
| Google Gemini |
Primary AI provider — receipt parsing & chat |
Receipt images, chat questions, recent conversation context |
| OpenAI |
Optional AI fallback (not active in production today) |
Receipt images |
| Mistral AI |
Optional AI fallback (not active in production today) |
Receipt images |
| Resend |
Transactional email (magic links, deletion confirmations, feedback notifications) |
Email address, email content |
| Google Sign-In |
Authentication |
Email, name, profile picture |
| Apple Sign-In |
Authentication |
Email (or Apple Private Relay), name as shared |
| Apple Push Notification Service (APNs) |
iOS push notifications |
Device token, notification title and body |
In the current production deployment Google Gemini is the only AI provider in use. OpenAI and
Mistral AI are optional alternatives that may be enabled server-side; if and when they are, this
section will be updated.
All third-party services use TLS-encrypted connections. Vendors that are GDPR-relevant operate under
their own published data processing terms.
4. How We Use Your Information
- Provide receipt scanning, parsing, and spending insights — receipt images are sent to Google
Gemini for extraction.
- Power the AI chat assistant — your question, recent conversation history, and aggregated query
results from your receipts are sent to Google Gemini.
- Authenticate you and protect your account (credentials stored in the device Keychain on iOS or
Keystore on Android).
- Detect crashes and improve app performance.
- Send push notifications about completed receipt processing or important updates.
- Measure product usage and feature adoption via PostHog.
We do not sell your personal data, share it with advertising networks, or use it
for advertising profiling.
5. Data Storage and Transfer
- Receipt rows, account data, and chat history are stored in Cloudflare D1.
- Receipt images are stored in Cloudflare R2 and served only to authenticated
owners.
- All client-server transmissions use HTTPS / TLS 1.2+.
- AI processing involves data transfer to Google Cloud (Gemini API). When
fallback providers are enabled, transfer may also reach OpenAI or Mistral AI.
- Analytics data is processed by PostHog in the EU
(
eu.i.posthog.com).
- Outbound transactional email is sent via Resend.
6. Retention and Deletion
- You may delete your account at any time via Settings → Privacy → Delete account &
data. You may also delete individual receipts from the receipt detail view.
- Account deletion permanently removes all receipts, receipt images from R2, all chat
conversations and messages, APNs device tokens, your user record, and email tokens used for
magic-link sign-in.
- A minimal audit log entry is retained — containing only a one-way SHA-256 hash
of your user ID, the deletion timestamp, and counts of objects deleted — for compliance proof.
It contains no personal data and cannot be reversed to identify you.
- Encrypted backups in Cloudflare's normal cycle may retain residual data for up to 30
days before being purged.
- We do not retain "anonymized receipts for aggregate analytics" after
deletion.
- PostHog retention is governed by the project's PostHog plan and current settings; you may
request a copy or removal of your PostHog data at any time by contacting
privacy@getbillig.com.
7. Your Rights (GDPR)
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate data (you can edit receipts directly in the
app, or contact us).
- Erasure — delete your account and all associated data via Settings → Privacy →
Delete account & data.
- Portability — request a portable JSON export of your data via Settings →
Privacy → Export my data.
- Restriction & Objection — limit or object to specific processing.
- Analytics opt-out — currently handled by request: contact
privacy@getbillig.com and we will remove your
PostHog data and disable future analytics association.
- Withdraw consent — at any time, by deleting your account.
To exercise any of these rights, contact
privacy@getbillig.com. We will respond within 30 days
(extendable to 90 days for complex requests, with notification).
8. Security
- Authentication tokens and sign-in credentials are stored using the device Keychain
(iOS) or Keystore (Android).
- All API communication uses TLS 1.2 or higher.
- Receipt images stored in R2 are not publicly accessible; every request is JWT-authenticated and
ownership-verified server-side.
- Magic-link tokens are single-use and expire 15 minutes after issue.
- Production access is restricted to authorized personnel via Cloudflare 2FA.
- Security disclosures: please contact
security@getbillig.com (see also our
security.txt).
9. Children's Privacy
The App is not directed to children under 13 (or the equivalent local age of
digital consent). We do not knowingly collect personal data from children.
10. International Transfers
Cloudflare's edge infrastructure may serve requests from data centres outside the EU, and AI
providers (e.g. Google Gemini) process data on US infrastructure. These transfers rely on Standard
Contractual Clauses or equivalent GDPR-approved safeguards.
11. Changes to This Policy
We may update this Privacy Policy. Material changes will be highlighted in-app and on this page.
The "Last Updated" date at the top indicates the current effective version.
12. Contact
Billig
🌐 getbillig.com
📧 privacy@getbillig.com