Last updated: May 12, 2026
ReceiptMe ("we", "us", "the extension") is a Chrome extension that automatically finds and organizes receipts and invoices from your connected email and cloud-storage accounts. This policy explains what data we access, what we do with it, and what we don't.
ReceiptMe is operated by ReceiptMe LLC, a limited liability company organized under the laws of the State of Missouri, United States of America. ReceiptMe LLC is the data controller responsible for personal data processed in connection with the ReceiptMe Chrome extension and the receiptme.ai website. Our registered address for legal service and data-subject correspondence is:
ReceiptMe LLC
c/o Northwest Registered Agent Service, Inc.
117 S Lexington Street, Suite 100
Harrisonville, MO 64701
United States
For any question about this Privacy Policy or to exercise any of the rights described below — including access, correction, deletion, portability, or objection to processing — email privacy@receiptme.ai. We respond to verified requests within 5 business days and complete deletion within 30 calendar days, consistent with GDPR Article 12 and CCPA §1798.130.
We built ReceiptMe to do as much processing as possible inside your browser. The principle below isn't aspirational — it's how the code is written:
Email message bodies never leave your device. When ReceiptMe scans your inbox for receipts, the message body is read locally inside the Chrome extension. We send only (a) image/PDF attachments that need OCR and (b) up to 2,000 characters of extracted text used for category inference to our processing server. Raw email bodies are never transmitted to ReceiptMe servers or to any third party.
When you connect a Google account, ReceiptMe requests these OAuth scopes:
| Scope | Why we ask | What we do with it |
|---|---|---|
| gmail.readonly | Read your inbox to find receipts | Locally in the extension only — bodies never sent to our servers |
| gmail.modify | Apply a "ReceiptMe / Saved" label to messages whose receipts have been saved to your ReceiptMe receipts table, so you can find tracked receipts directly in Gmail | Used only to add or update the ReceiptMe label on messages you've saved a receipt from. We do not modify the message body, headers, attachments, or any other property, and we do not delete or move messages. |
| drive.readonly | List and download receipt-shaped files from a single Drive folder you designate for automatic receipt import | Read-only. Used solely to enumerate and download files (PDFs and common image types) from the one folder you pick in Settings → Google Drive Auto-Import. Subfolders are not traversed. Downloaded files are run through the same OCR / classification pipeline as your email attachments. We do not list, index, transmit, or otherwise access any other content in your Drive. The picker dialog used to choose the folder lists folder names only while the dialog is open. You can disable auto-import or clear the configured folder at any time in the extension's Settings, and revoking access at myaccount.google.com/permissions immediately ends all use of this scope. |
| drive.file | Save receipt PDFs and CSV exports to your Drive and read existing receipt PDFs you select via the Google Picker | Read/write limited to (a) files our extension creates (Drive PDF uploads, "Export to Google Sheets") and (b) individual files you explicitly select with the Google Picker. This scope alone does not let us see or list any other content in your Drive. |
| email, profile | Identify which Google account the receipts came from | Stored locally to label receipts in your dashboard |
We comply with the Google API Services User Data Policy, including the Limited Use requirements:
ReceiptMe's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically:
When you connect a Microsoft account, ReceiptMe requests these scopes:
| Scope | Why we ask |
|---|---|
openid, email, profile | Identify which Microsoft account the receipts came from |
offline_access | Refresh your access without making you sign in repeatedly |
User.Read | Read your basic profile (name, email) for display |
Mail.Read | Read your inbox to find receipts |
Mail.ReadWrite | Apply an Outlook category to messages whose receipts have been saved to your ReceiptMe receipts table, so you can find tracked receipts directly in Outlook. We do not modify message content, headers, or attachments. |
Files.ReadWrite | Save receipt PDFs you choose to back up to your OneDrive, and (when enabled) list and download files from a single OneDrive folder you designate for automatic receipt import |
MailboxSettings.ReadWrite | Create the Outlook category used to mark messages whose receipts have been saved (Outlook requires this scope to create new master categories) |
The same locality principle applies: Outlook message bodies are processed inside the Chrome extension and never sent to ReceiptMe servers.
chrome.storage) so we can verify your subscription tier on each scan.
When ReceiptMe needs to OCR a receipt image or classify an expense, the extension sends specific data to our processing endpoint at https://capture.receiptme.ai:
We do not send: full email bodies, contact lists, message threading metadata, your inbox contents, OAuth tokens, or anything we don't need for the specific OCR/classification call.
If you subscribe to ReceiptMe Pro or Business, payments are processed by LemonSqueezy (our merchant of record). LemonSqueezy collects your name, email, billing address, and payment-method details under their privacy policy. We receive only your subscription status and the email used at checkout — never your full card number or billing address.
We do not:
ReceiptMe shares Google user data only with the third-party processors listed in the table below, and only the specific data each processor needs to perform its function. We do not sell, rent, or trade Google user data, and we do not use it for advertising or for training AI/ML models.
| Processor | Located in | Function | Google user data they receive |
|---|---|---|---|
| Cloudflare, Inc. | United States | Hosts our capture.receiptme.ai Worker that proxies OCR/classification calls and stores transient queue entries in Workers KV | All data described in Information We Access → From our processing server above passes through Cloudflare's edge network: image/PDF attachment bytes, OCR'd text snippets up to 6,000 characters sent to the extraction LLM, and email-derived text snippets up to 2,000 characters sent for category inference. No raw email bodies, no headers, no contact lists, no OAuth tokens. |
| Google LLC (Cloud Vision API) | United States | Performs OCR on receipt images and PDFs that do not contain embedded text | The same image/PDF bytes (re-transmitted from our Worker to Cloud Vision). Cloud Vision returns OCR'd text only. Google's handling of this data is governed by the Cloud Vision data usage terms. |
| Cloudflare Workers AI (Llama 3.3 70B) | Cloudflare's global network | LLM that extracts vendor / amount / date / category from OCR'd or in-PDF text | The text snippet only (≤6,000 characters for receipt extraction, ≤2,000 characters for category inference). No image bytes, no email metadata, no identifiers. Cloudflare's handling of prompt content is governed by the Workers AI privacy terms. |
| Resend, Inc. | United States | Sends transactional email (sign-up verification codes, refund confirmations) | Your email address and the message content of the transactional email. No Google user data is sent through Resend. |
| LemonSqueezy (Lemon Squeezy LLC) | United States | Subscription billing and merchant of record | Your billing details, collected by LemonSqueezy directly at checkout. No Google user data is sent to LemonSqueezy. |
We do not transfer Google user data to: advertising networks, analytics providers, data brokers, marketing platforms, or any party not named above. We do not currently use analytics, tag managers, or marketing pixels.
Government / legal disclosure. We will disclose Google user data to a government or legal authority only when (a) compelled by a valid legal process such as a subpoena or court order, (b) we have a good-faith belief that disclosure is necessary to investigate or prevent fraud, abuse, or a threat to user safety, or (c) you have given specific consent. We will, to the extent legally permitted, notify the affected user in advance.
Onward transfer / sub-processors. The processors above may rely on their own infrastructure sub-providers (e.g. Cloudflare's data-center operators, Google Cloud's regional data centers). Each processor is contractually bound by their own data-processing agreement with us or by their published terms of service to use Google user data solely to deliver the service we have engaged them for.
We treat the following as sensitive data: OAuth access and refresh tokens, the contents of receipt attachments (image/PDF bytes), OCR'd text from those attachments, and the email address of the connected Google account. The following protections apply:
Encryption in transit. All communication between the ReceiptMe Chrome extension and our processing endpoint at https://capture.receiptme.ai uses TLS 1.3 with modern cipher suites. We reject connections that cannot negotiate TLS 1.2 or higher. All traffic between our Cloudflare Worker and upstream APIs (Google Cloud Vision, Cloudflare Workers AI) is likewise encrypted with TLS.
Encryption at rest. Any data persisted server-side — currently limited to mobile-capture upload queue entries, OTP verification codes, subscription records, and (for Pro and Business subscribers) synced settings, category rules, and the monthly AI-extraction credit counter — is stored in Cloudflare Workers KV, which encrypts all values at rest with AES-256 using keys managed by Cloudflare.
OAuth-token isolation. Google OAuth access and refresh tokens are stored exclusively in chrome.storage.local inside your browser, which the Chrome extension platform encrypts at the OS level (DPAPI on Windows, Keychain on macOS, libsecret on Linux). The extension does not persist tokens anywhere else and does not transmit them to any third party. Because Google's "Web application" OAuth client type requires a client_secret that cannot safely live inside a browser extension, the initial authorization-code exchange and subsequent access-token refreshes transit through our Cloudflare Worker at https://capture.receiptme.ai, which holds the client_secret server-side and relays the request to Google's oauth2.googleapis.com token endpoint. During this relay the access and refresh tokens are held in Worker memory only for the duration of a single HTTP request (typically under 500 ms) and are never written to disk, KV, or logs.
Ephemeral processing. OCR and LLM classification request payloads (image bytes, OCR text) are held in Cloudflare Worker memory only for the duration of a single request — typically under 5 seconds — and are discarded when the response returns. They are never written to disk, never written to KV, and never logged.
Access control. Production access to the Cloudflare Worker, Cloudflare KV namespaces, and the Google Cloud Vision project is restricted to the engineering personnel responsible for operating ReceiptMe and is gated by hardware-key two-factor authentication on the underlying Cloudflare and Google Cloud accounts. There is no shared service account; no third party has standing access. No human reviews Google user data except in response to a specific abuse investigation, a security incident, or with the affected user's explicit consent — consistent with the Google API Services User Data Policy's Limited Use requirements.
Logging discipline. Cloudflare Worker logs record HTTP method, path, status code, response time, and a redacted request ID. They do not record request bodies, response bodies, OAuth tokens, file contents, OCR text, vendor names, or amounts. Logs are retained for 90 days and then auto-purged per Cloudflare's default retention.
Vulnerability response. Security reports may be submitted to security@receiptme.ai. We acknowledge reports within 2 business days and aim to remediate critical issues within 7 days. We do not currently operate a paid bug-bounty program.
ReceiptMe minimizes server-side retention of Google user data wherever technically possible. The table below lists every class of Google user data we touch, where it lives, how long it stays, and how to delete it.
| Data class | Storage location | Retention period | How to delete |
|---|---|---|---|
| OCR / classification request payloads (image bytes, OCR text) | Cloudflare Worker memory | Length of single HTTP request (typically <5 seconds) | Discarded automatically when the request completes — never persisted |
| OAuth access & refresh tokens | chrome.storage.local inside your browser | Until you (a) click "Disconnect" in the extension's options, (b) uninstall the extension, or (c) revoke access at myaccount.google.com/permissions | Any one of (a)/(b)/(c); revocation at Google takes effect within minutes |
| Extracted receipts (vendor, amount, date, category, attached PDF reference) | Your browser's chrome.storage.local only — never uploaded | Until you delete the receipt in the dashboard, "Disconnect" in the options, or uninstall the extension | Per-receipt delete in the dashboard; bulk delete via "Clear all data" in the options page |
| Mobile-capture uploads queued for processing | Cloudflare KV | 30 days, then auto-deleted by KV TTL | Email privacy@receiptme.ai to delete sooner |
| OTP verification codes (during sign-up) | Cloudflare KV | 10 minutes (then auto-deleted by KV TTL) | Cannot be deleted earlier — they expire automatically |
| Subscription records (license tier, subscription email) | Cloudflare KV | While your subscription is active, then 30 days after cancellation, then auto-deleted | Email privacy@receiptme.ai to delete immediately on cancellation |
| Synced settings (scan frequency, account preferences) — Pro and Business only | Cloudflare KV | While your subscription is active, then 30 days after cancellation, then auto-deleted | Disable cross-device sync in the extension's options, or email privacy@receiptme.ai for immediate deletion |
| Synced vendor exceptions and category rules — Pro and Business only | Cloudflare KV | While your subscription is active, then 30 days after cancellation, then auto-deleted | Disable cross-device sync in the extension's options, or email privacy@receiptme.ai for immediate deletion |
| Monthly AI-extraction credit counter (number of LLM extractions used in the current billing month) — Pro and Business only | Cloudflare KV | Reset at the start of each billing month; deleted 30 days after subscription cancellation | Email privacy@receiptme.ai for immediate deletion |
| Cloudflare Worker logs (no Google user data — see Protection of Sensitive Data above) | Cloudflare logging | 90 days, auto-purged | N/A — logs do not contain Google user data |
How to delete all Google user data we hold about you.
chrome://extensions deletes all locally stored data, including tokens, receipts, and settings.
Account deletion email turnaround. We respond to deletion requests at privacy@receiptme.ai within 5 business days and complete deletion within 30 calendar days, in line with GDPR Article 17 and CCPA §1798.105.
You can:
EU and UK residents have additional rights under GDPR / UK DPA including the right to lodge a complaint with a supervisory authority. Our data protection contact is privacy@receiptme.ai.
California residents have additional rights under the CCPA, including the right to know what personal information we collect and the right to delete it. We do not sell personal information.
ReceiptMe is not directed at children under 13 (or under 16 in the EU). We do not knowingly collect personal information from children. If you believe a child has used ReceiptMe, please email privacy@receiptme.ai and we will delete the account.
When we change this policy in a way that meaningfully affects how we handle your data, we will:
Past versions of this policy are available on request.