Privacy Policy

Crowcery — last updated 14 June 2026

1. Who we are

Crowcery is operated by Marton Hever as an individual (no incorporated entity as of this writing), based in Nova Scotia, Canada. Contact: support@crowcery.com.

2. Scope

This policy covers the Crowcery app (Android app / web) and the backend service it talks to. It does not cover third-party services you may reach from the app (for example, Google Play).

3. What we collect and why

3.1 Account information

• Email address and (optionally) display name — received from Google Identity Platform when you sign in. Used to identify your account and to contact you about the service.
• Sign-in metadata — session identifiers and cookies used to keep you signed in.

3.2 Receipt data

• Receipt photos you upload. Stored in encrypted Google Cloud Storage in Canada (Montréal, northamerica-northeast1 region), and automatically deleted within 7 days of upload (along with the diagnostic and preview images derived from them). We keep only the structured data extracted from each photo, not the photo itself.
• Structured data extracted from those photos — store name, date, line items, prices, taxes, and similar fields produced by our OCR/parse pipeline. Stored in Google Cloud SQL in Canada (Montréal region).
• Corrections and flags you submit on parsed receipts. Used to improve accuracy for you and, in aggregate, to identify systemic parsing errors.

The OCR process reads all text visible on the receipt so it can extract the fields we use. Before anything is stored, customer-identifying details that sometimes appear on receipts — loyalty / membership / account numbers and any customer phone, email, or street address — are redacted, and masked payment-card rows are dropped entirely. What we then keep is: the store's identity (name, address, phone, and store number — these identify the merchant, not you, and are used to group purchases by location and compare prices across stores), the purchase date, the line items, prices, and taxes, plus a redacted plain-text transcription of the receipt used to power parsing and to diagnose extraction errors.

3.3 Service usage data

• Quota counters — how many receipts you've processed in the current period, used to enforce your plan limits.
• LLM call counts and costs — used internally to operate cost caps and detect abuse.
• Server logs — standard HTTP access logs and application logs. Retained 30 days.
• Approximate region: when you sign in, we derive a coarse region code (for example "CA-NS" for Nova Scotia, or just a country code) from your connection's IP address using a local copy of the DB-IP Lite database. Only the region code is kept (one per account, overwritten at each sign-in); the IP address itself is never stored for this purpose. It is a best-effort guess used to understand roughly where Crowcery is being used, and it is deleted with your account. (IP Geolocation by DB-IP.)
• Device characteristics — coarse, non-identifying technical details about the device you use the app on: screen and window size, pixel ratio, number of CPU cores, available memory, connection type, and a measured upload speed. We use these to tune the app's layout and on-device image processing for the hardware our users actually have. This is device-class data, not personal information, and is not used to track you across sites.

4. Legal basis

Under Canadian privacy law (PIPEDA and provincial equivalents), we process your personal information with your consent, given when you sign in and use the service. You can withdraw consent at any time by deleting your account (see Section 8).

5. Where your data is stored and processed

Primary storage stays in Canada; automated LLM processing currently leaves Canada briefly before the results come back:

• Google Cloud (Montréal, northamerica-northeast1) — receipt images, parsed data, account records. This is where your data lives at rest.
• Google Vertex AI — "global" endpoints — we use Google's Gemini models (currently Gemini 3.5 Flash and Gemini 3.1 Flash-Lite) for OCR, classification, and parsing. We use Google's global Vertex AI endpoints for these calls because these models are not available from the Montréal (northamerica-northeast1) Vertex AI region. That means your receipt photos and the text extracted from them are sent to Google for processing and the work may happen in the United States or other Google regions before the parsed result is returned to our Canadian database. Google does not use this data to train its models (Vertex AI contractual default). We do not send any data to the Gemini consumer API. If these models become available from a Canadian Vertex AI region we may switch endpoints and update this section.
• Google Identity Platform — authentication. Your email and sign-in events are processed by Google.

Other than the Vertex AI processing described above, your data does not leave North America under normal operation. If that ever changes, this policy is updated and you are notified.

6. Third parties we share data with

We share personal information only with service providers operating on our behalf:

• Google — Google Cloud hosting (storage, database, compute; all in Montréal, Canada), Google Identity Platform (authentication), Vertex AI (LLM processing, via the global endpoint as described above), and, once the paid tier launches, Google Play Billing (subscription management).

We do not sell your personal information. We do not share it with advertisers or data brokers. We do not use it to target advertising.

Product photos shown to other users. If you contribute product photos and we approve them, we display them to other Crowcery users as shared catalogue images, with your account identity removed. This is use within the service, not a sale or transfer to a third party. We do not contribute your photos to any external or open database (such as Open Food Facts); if we ever offer that, it would be a separate, optional choice you opt into.

Anonymous community price observations. When you shop at a store location, the price, purchase date (day only), and optional quantity from your receipt items may be shown to other users of the same store as anonymous reference prices. These observations are also used as inputs to features such as spending insights. The entries exposed to other users contain no user identifier, email address, receipt identifier, or any field that could link the observation back to you or to any other purchase you have made. The store identity (banner name and store number) is included because it identifies the merchant, not you.

7. How long we keep your data

• Original receipt photos: automatically deleted from blob storage within 7 days of upload, including the diagnostic and preview images derived from them. We do not retain the original photo beyond that window — only the structured data extracted from it.
• Structured receipt data and account records: the data we extract from your receipts (store, date, line items, prices, taxes, insights) and your account record are retained while your account is active.
• After account deletion: a 7-day grace window, then all receipt data, insights, your account record, and any receipt photos still within their own 7-day auto-delete window are permanently deleted from the database and blob storage (most original photos are already gone, having auto-deleted within 7 days of upload). Contact support during the grace window if the deletion was a mistake. One exception: product photos you contributed that we approved as shared catalogue images are kept as part of the product catalogue, with your account identity permanently severed from them (we retain only a minimal consent record — image id, consent version, timestamp — containing no personal data). Item images that were pending or rejected are deleted with the rest.
• Server logs: 30 days.
• Billing records (Phase 3 paid tier only): retained for 7 years as required by Canadian tax law.

8. Your rights

Under PIPEDA you have the right to:

• Access the personal information we hold about you. You can export your data as JSON, CSV, or Excel from inside the app's Account page at any time.
• Correct inaccurate information. You can edit parsed receipts in-app, or email us for changes to account data.
• Delete specific receipts without deleting your account. You can remove individual receipts (and the uploaded photo, line items, and taxes) at any time, without affecting your account or other receipts. To do so:
  1. Sign in to Crowcery on the app or web at https://crowcery.com.
  2. Open the receipt you want to remove from the receipts list.
  3. Tap the Delete button on the receipt detail page and confirm.
  Deletion is immediate and permanent: the receipt, its line items, its taxes, and its uploaded photo (if it has not already been auto-deleted under the 7-day rule above) are erased from our database and from blob storage right away. Any product photo you contributed from that receipt that is still pending or was rejected is deleted too; a product photo you contributed that has already been approved into the shared catalog is kept (with its link to the deleted receipt removed), consistent with the contribution terms. Aggregated analytics (e.g. monthly total spent, per-category breakdowns) are recomputed on the next view so the deleted receipt no longer contributes. No human intervention is required, and no support request is needed.
• Delete your account and all data associated with it. Use the "Delete account" button on the Account page — no human intervention required.
• Withdraw consent for future processing by deleting your account.
• Complain to the Office of the Privacy Commissioner of Canada if you believe we've mishandled your personal information.

9. Security

We use industry-standard security practices: TLS for all data in transit, encryption-at-rest for storage, managed identities instead of long-lived API keys, hardware-key and app-based multi-factor authentication on operator accounts, and least-privilege access controls. No system is perfectly secure; if we learn of a breach affecting your data, we will notify you and the relevant regulator as required by law.

10. Cookies and tracking

We use only functional cookies needed for the app to work (session authentication, CSRF protection). We do not use analytics or advertising cookies. We do not embed third-party trackers on in-app pages.

11. Children

Crowcery is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us personal information, email us and we will delete it.

12. Changes to this policy

If we make material changes we will update the "last updated" date at the top and, where appropriate, notify you in-app or by email. Continued use of the app after a change means you accept the revised policy; if you don't, you can delete your account.

13. Contact

Questions or requests related to your privacy: support@crowcery.com.