Privacy Policy for Billig
Last Updated: April 25, 2026
Welcome to Billig ("we", "us", or "our"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application (the "App"). If you do not agree with this policy, please do not use the App.
1. Overview
Billig provides receipt capture, habit tracking, and AI-powered spending insights. We handle your data responsibly in accordance with the App Store Review Guidelines, Google Play Policies, and the EU General Data Protection Regulation (GDPR). This policy applies to the iOS and Android apps and the backend services at api.getbillig.com.
2. Information We Collect
a. Information You Provide
- Receipt images and the structured data extracted from them (merchant, items, amounts, dates, categories).
- Account details: email address, display name, OAuth identifiers if you sign in with Google or Apple.
- Text inputs you enter in the app (chat questions, edits to receipt fields, notes).
- Feedback or bug reports you voluntarily submit, including optional contact details.
b. Automatically Collected
- Device model, OS version, app version, and screen interactions.
- App activity logs and crash diagnostics.
- Usage analytics via PostHog, linked to your account after sign-in (anonymous before sign-in, then retroactively associated when you authenticate).
- APNs device tokens for iOS push notification delivery (stored against your user ID).
c. From Third Parties
- OAuth profile data via Google Sign-In or Apple Sign-In (email, name, profile picture; Apple users may relay an anonymous email).
- AI processing results from Google Gemini for receipt extraction and chat responses.
3. Third-Party Services
We use the following third-party services to operate the App:
| Service | Purpose | Data Shared |
|---|---|---|
| PostHog (EU host) | Product analytics, linked to your user ID after sign-in | Events, device type, screen views, email, name |
| Cloudflare Workers | Backend API infrastructure | All API requests and responses (TLS-encrypted) |
| Cloudflare D1 & R2 | Database and image storage | User profile, receipts, chat history, receipt images |
| Google Gemini | Primary AI provider — receipt parsing & chat | Receipt images, chat questions, recent conversation context |
| OpenAI | Optional AI fallback (not active in production today) | Receipt images |
| Mistral AI | Optional AI fallback (not active in production today) | Receipt images |
| Resend | Transactional email (magic links, deletion confirmations, feedback notifications) | Email address, email content |
| Google Sign-In | Authentication | Email, name, profile picture |
| Apple Sign-In | Authentication | Email (or Apple Private Relay), name as shared |
| Apple Push Notification Service (APNs) | iOS push notifications | Device token, notification title and body |
In the current production deployment Google Gemini is the only AI provider in use. OpenAI and Mistral AI are optional alternatives that may be enabled server-side; if and when they are, this section will be updated.
All third-party services use TLS-encrypted connections. Vendors that are GDPR-relevant operate under their own published data processing terms.
4. How We Use Your Information
- Provide receipt scanning, parsing, and spending insights — receipt images are sent to Google Gemini for extraction.
- Power the AI chat assistant — your question, recent conversation history, and aggregated query results from your receipts are sent to Google Gemini.
- Authenticate you and protect your account (credentials stored in the device Keychain on iOS or Keystore on Android).
- Detect crashes and improve app performance.
- Send push notifications about completed receipt processing or important updates.
- Measure product usage and feature adoption via PostHog.
We do not sell your personal data, share it with advertising networks, or use it for advertising profiling.
5. Data Storage and Transfer
- Receipt rows, account data, and chat history are stored in Cloudflare D1.
- Receipt images are stored in Cloudflare R2 and served only to authenticated owners.
- All client-server transmissions use HTTPS / TLS 1.2+.
- AI processing involves data transfer to Google Cloud (Gemini API). When fallback providers are enabled, transfer may also reach OpenAI or Mistral AI.
- Analytics data is processed by PostHog in the EU (eu.i.posthog.com).
- Outbound transactional email is sent via Resend.
6. Retention and Deletion
- You may delete your account at any time via Settings → Privacy → Delete account & data. You may also delete individual receipts from the receipt detail view.
- Account deletion permanently removes all receipts, receipt images from R2, all chat conversations and messages, APNs device tokens, your user record, and email tokens used for magic-link sign-in.
- A minimal audit log entry is retained — containing only a one-way SHA-256 hash of your user ID, the deletion timestamp, and counts of objects deleted — for compliance proof. It contains no personal data and cannot be reversed to identify you.
- Encrypted backups in Cloudflare's normal cycle may retain residual data for up to 30 days before being purged.
- We do not retain "anonymized receipts for aggregate analytics" after deletion.
- PostHog retention is governed by the project's PostHog plan and current settings; you may request a copy or removal of your PostHog data at any time by contacting privacy@getbillig.com.
7. Your Rights (GDPR)
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate data (you can edit receipts directly in the app, or contact us).
- Erasure — delete your account and all associated data via Settings → Privacy → Delete account & data.
- Portability — request a portable JSON export of your data via Settings → Privacy → Export my data.
- Restriction & Objection — limit or object to specific processing.
- Analytics opt-out — currently handled by request: contact privacy@getbillig.com and we will remove your PostHog data and disable future analytics association.
- Withdraw consent — at any time, by deleting your account.
To exercise any of these rights, contact privacy@getbillig.com. We will respond within 30 days (extendable to 90 days for complex requests, with notification).
8. Security
- Authentication tokens and sign-in credentials are stored using the device Keychain (iOS) or Keystore (Android).
- All API communication uses TLS 1.2 or higher.
- Receipt images stored in R2 are not publicly accessible; every request is JWT-authenticated and ownership-verified server-side.
- Magic-link tokens are single-use and expire 15 minutes after issue.
- Production access is restricted to authorized personnel via Cloudflare 2FA.
- Security disclosures: please contact security@getbillig.com (see also our security.txt).
9. Children's Privacy
The App is not directed to children under 13 (or the equivalent local age of digital consent). We do not knowingly collect personal data from children.
10. International Transfers
Cloudflare's edge infrastructure may serve requests from data centres outside the EU, and AI providers (e.g. Google Gemini) process data on US infrastructure. These transfers rely on Standard Contractual Clauses or equivalent GDPR-approved safeguards.
11. Changes to This Policy
We may update this Privacy Policy. Material changes will be highlighted in-app and on this page. The "Last Updated" date at the top indicates the current effective version.
12. Contact
| Purpose | Email |
|---|---|
| Privacy / data subject requests | privacy@getbillig.com |
| Data Protection Officer (EU) | dpo@getbillig.com |
| Security disclosures | security@getbillig.com |
| General support | support@getbillig.com |
| Legal / IP / takedown | legal@getbillig.com |
Billig
🌐 getbillig.com
📧 privacy@getbillig.com