El Nota ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our service.
Summary: We collect only what's necessary to provide the service. Your receipt images are processed but not stored. We never sell your data.
1. Data Controller
El Nota ("we", "our", or "us") is operated by an individual developer based in Spain and is the data controller for personal data processed under this Privacy Policy.
- Controller name: El Nota (operated by an individual developer)
- Country: Spain
- Data protection contact: [email protected]
- Data Protection Officer (DPO): Not appointed
2. Information We Collect
Account Information
- Email address - Used for account identification and important notifications
- Name - Optional, for personalization
- Authentication data - Managed securely by Clerk (our authentication provider)
Receipt Data
- Receipt images - Processed in memory for text extraction, then immediately discarded. We do NOT store your receipt images.
- Extracted information - Shop names, item names, prices, dates, and categories are stored to provide the service
Usage Data
- Browser type and version
- Pages visited and features used
- Error logs for debugging
3. How We Use Your Information
- Provide the service - Process receipts, track expenses, generate insights
- Improve the service - Understand usage patterns to build better features
- Communicate with you - Send important updates about your account or the service
- Ensure security - Detect and prevent fraud or abuse
4. Legal Bases for Processing (GDPR)
We process personal data under one or more of the following legal bases:
- Contract - To provide the service you request (account access, receipt processing, analytics)
- Legitimate interests - To secure, maintain, and improve the service (fraud prevention, debugging)
- Consent - Where required for optional features or non-essential cookies (you can withdraw consent at any time)
- Legal obligation - To comply with tax, accounting, or regulatory requirements
5. Third-Party Services
We use the following third-party services to provide our functionality:
Clerk (Authentication)
Handles user authentication securely. Clerk may set cookies necessary for login functionality. Clerk Privacy Policy
OpenAI / Google Gemini (AI Processing)
Receipt images are sent to AI services for text extraction. These services:
- Do NOT use your data for model training (API usage)
- May retain data for up to 30 days for abuse monitoring
- Process data in accordance with their enterprise terms
OpenAI Privacy Policy | Google Privacy Policy
Paddle (Payment Processing)
Payment transactions are securely processed by Paddle. We do not store your payment card information. Paddle handles all billing, invoicing, and payment data in compliance with PCI DSS standards. Paddle Privacy Policy
6. Data Storage & Security
- All connections use HTTPS/TLS encryption
- We implement industry-standard security practices
- Access to data is restricted to essential personnel only
- We notify affected users and regulators of qualifying data breaches as required by law
7. Your Rights
You have the right to:
- Access - Request a copy of your data
- Correction - Update inaccurate information
- Deletion - Request deletion of your account and data
- Portability - Download your data in a portable format
- Restriction - Ask us to limit processing in certain cases
- Object - Opt out of certain data processing
- Withdraw consent - Where processing is based on consent
- Complain - Lodge a complaint with your local data protection authority
To exercise these rights, contact us at [email protected]. We aim to respond within 30 days.
8. Cookies
We use only essential cookies required for:
- Authentication (keeping you logged in)
- Security (preventing cross-site request forgery)
- Billing flows handled by Paddle
We do NOT use advertising or marketing cookies. Clerk and Paddle may set essential cookies for login and billing functionality. If we add non-essential cookies in the future, we will request consent where required.
9. Data Retention
- Account data - Retained while your account is active
- Receipt data - Retained until you delete it or close your account
- Receipt images - Not retained (processed in memory only)
- Logs - Retained for 90 days for debugging purposes
- Account deletion - We delete your account and receipt data when you request deletion
- Billing records - Retained by Paddle as required by law
10. International Transfers
We do not intentionally process personal data outside the EEA. However, Clerk and Paddle may process data outside the EEA to provide authentication or billing services. Where required, they rely on recognized transfer safeguards, such as adequacy decisions or standard contractual clauses (SCCs).
11. Automated Decision-Making
We use automated tools to extract receipt data, but we do not make decisions that produce legal or similarly significant effects about you without meaningful human involvement. You can review and correct extracted data in your account.
12. Children's Privacy
Our service is not intended for users under 16 years of age. We do not knowingly collect information from children.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email or through the service.
14. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at:
- Email: [email protected]