LEGAL · PRIVACY

Privacy policy.

Plain-English summaries on top, formal language below. The whole document is also auditable in git — every change is traceable.

LAST UPDATED · MAY 01, 2026 VERSION 1.0 See what changed →
§01

What we collect

TL;DR

Your email, the receipts you scan, the prices and items derived from them, basic device telemetry, and Apple's subscription receipts. Nothing else.

To make AisleWatch work, we collect the following — and only the following:

What we collect Why Retention
Email & password hash Account creation, sign-in, household invitations, and transactional email (deletion confirmations, password resets). Until deletion
Receipt images Optical character recognition, debugging misreads, and your personal receipt history. 24 months
OCR-derived data Items, unit prices, store, and date — the price history that powers alerts and analytics. Until deletion
Household membership Optional. If you join a household pool, your receipts feed the shared price history. Until you leave
Subscription transaction IDs Apple-issued tokens we verify against the App Store to gate Plus features. We never see card numbers. 7 years (tax)
Device & usage telemetry iOS version, device model, app version, crash logs, anonymized event counts. No advertising IDs. 90 days

We do not collect: bank or credit-card numbers, contacts, location history, photo library, microphone audio, advertising identifiers, or browsing history outside the AisleWatch app.

§02

How we use it

TL;DR

Run the app, talk to you when needed, fix bugs, and keep the lights on. We do not sell, rent, or lend your data.

The data above is processed for the following purposes only:

  • 01 Operating the AisleWatch service — scanning, indexing, and serving your receipt and price history back to you.
  • 02 Generating price-jump alerts based on the thresholds you configure.
  • 03 Sending transactional email (deletion confirmations, password resets, subscription receipts). We do not send marketing email without separate, explicit opt-in.
  • 04 Debugging crashes, performance issues, and OCR errors — using the smallest data sample needed.
  • 05 Detecting abuse (spam, automated scraping, terms violations).

We do not use your data to train third-party machine-learning models. OCR models are improved using only receipts you have explicitly flagged as misread.

§03

Who else touches it

TL;DR

Three sub-processors: Google Cloud (OCR + storage), Apple (payments), and Postmark (email). They are bound by data-processing agreements and named here in full.

AisleWatch uses the following sub-processors, each contractually limited to the purpose listed:

What we collect Why Retention
Google Cloud Vision Optical character recognition on receipt images. Images leave the US region for processing only when the user is outside that region. No retention by Google
AWS S3 Receipt image storage (us-east-1 / eu-west-1). Mirrors AisleWatch retention
AWS RDS (Postgres) Account, receipt, and price-history database (us-east-1 / eu-west-1). Mirrors AisleWatch retention
Apple App Store Subscription billing, receipt verification. Apple is the merchant of record. Per Apple policy
Postmark Transactional email delivery — deletion confirmations, password resets. 30 days message archive
Plausible Analytics Aggregate, cookieless web analytics on aislewatch.app. No cross-site tracking. 24 months aggregated
§04

Your rights

TL;DR

Access, export, correct, delete — always free, always you-initiated, no support ticket required.

You can exercise the following rights at any time:

  • 01 Access. See everything we hold on you. Settings → Account → Download my data.
  • 02 Export. Receive a JSON archive of receipts, prices, and account metadata. Same screen.
  • 03 Correct. Edit OCR-derived items, prices, and stores directly in the app.
  • 04 Delete. Wipe everything. aislewatch.app/account/delete or in-app via Settings → Delete account. 14-day soft-delete window before permanent purge.
  • 05 Object & restrict. Tell us to stop processing for a specific purpose. Email privacy@aislewatch.app.

EU residents may also lodge a complaint with their local supervisory authority. UK residents: the ICO. We will not retaliate against you for exercising any right.

§05

California (CCPA / CPRA)

TL;DR

We do not sell or share personal information for cross-context behavioral advertising. Period.

Under the California Consumer Privacy Act and California Privacy Rights Act, California residents have the right to:

  • 01 Know what personal information we collect, use, disclose, and (hypothetically) sell.
  • 02 Delete personal information held about them.
  • 03 Correct inaccurate personal information.
  • 04 Opt out of the sale or sharing of personal information for cross-context behavioral advertising.
  • 05 Limit the use and disclosure of sensitive personal information.
  • 06 Non-discrimination in service or pricing for exercising these rights.

We do not sell or share personal information for cross-context behavioral advertising. We have not done so in the prior 12 months, and we do not plan to. There is no opt-out signal to honor because there is nothing to opt out of.

To exercise California rights, contact privacy@aislewatch.app or use the in-app deletion / export flows linked above.

§06

EU & UK (GDPR)

TL;DR

The legal basis for processing is your contract with us, your consent (where applicable), and our narrow legitimate interests. Your data stays in EU regions when you do.

For users in the European Economic Area, United Kingdom, and Switzerland, AisleWatch, Inc. is the controller. Legal basis per processing activity:

What we collect Why Retention
Account & receipts Performance of contract — Art. 6(1)(b) GDPR. Without these we cannot provide the service. Until deletion
Telemetry & crash logs Legitimate interest in a working product — Art. 6(1)(f). Aggregated and anonymized. 90 days
Marketing email Consent — Art. 6(1)(a). Opt-in only, revocable at any time. Until withdrawn

EU users: data is stored in AWS eu-west-1 (Ireland). Transfers outside the EEA happen only when you travel and only via Standard Contractual Clauses. Our EU representative under Art. 27 GDPR is Mind Your Business GmbH, Berlin — contact eu-rep@aislewatch.app.

§07

Children

TL;DR

AisleWatch is not for children under 13. Signup is age-gated. If we learn we have a child's data, we delete it.

The service is intended for users 13 years of age or older. We comply with the Children's Online Privacy Protection Act (COPPA). If you are a parent or guardian and believe your child has created an AisleWatch account, please contact privacy@aislewatch.app and we will delete the account and associated data within 30 days.

§08

How we secure it

TL;DR

TLS in transit, AES-256 at rest, password hashes via Argon2id, two-person rule on production access, and an annual third-party audit.

Data is encrypted in transit (TLS 1.3) and at rest (AES-256). Passwords are stored as Argon2id hashes — we cannot read them, even if we wanted to. Production access requires hardware-backed two-factor authentication and is reviewed quarterly. We undergo an annual independent security review and publish the summary at trust.aislewatch.app.

If we suffer a breach affecting your data, we will notify you by email within 72 hours of confirmation, in plain language, and we will tell you what happened.

§09

Changes to this policy

TL;DR

Minor edits get a quiet bump. Anything material gets an in-app notice and an email — and a 30-day notice period.

We may update this policy as the service evolves or laws change. Material changes — anything that meaningfully expands what we collect or how we use it — trigger an email to your account address and an in-app notice at least 30 days before they take effect. Continued use of AisleWatch after the effective date constitutes acceptance.

Non-material changes (typos, clarifications, processor name updates) are logged in the version history below and announced via the changelog.

——— END OF DOCUMENT ———
Questions: privacy@aislewatch.app