Privacy Policy

SnapCost is operated by BroCode Studio, a company registered in Portugal. We act as the data controller for the personal data processed through our expense tracking platform.

Contact: hello@brocode.studio

Account information: When you register, we collect your email address, name, and authentication credentials. If you sign in via Google, we receive your name, email, and profile picture from Google.

Invoice and expense data: When you upload invoices or receipts, we store the uploaded files (PDFs, images) and the extracted data including amounts, dates, provider names, categories, and billing periods.

Payment information: If you subscribe to a paid plan, Stripe (our payment processor) collects and processes your payment details. We do not store credit card numbers on our servers. We receive from Stripe your subscription status, plan type, and billing history.

Usage data: We collect analytics data through PostHog (hosted in the EU) including pages visited, features used, and general interaction patterns. This data is used to improve the Service and is not sold to third parties.

Technical data: We automatically collect your IP address, browser type, device type, and operating system for security and service optimization purposes.

We use your data to: provide and maintain the Service, including processing and storing your invoices; authenticate your identity and secure your account; process payments and manage subscriptions; extract data from uploaded documents using AI; generate expense summaries, statistics, and visualizations; send service-related communications (account notifications, billing updates); improve the Service based on aggregated usage patterns; and comply with legal obligations.

We do not sell your personal data to third parties. We do not use your invoice data for advertising or marketing purposes.

Contract performance (Art. 6(1)(b)): Processing your account data and invoices is necessary to provide the Service you signed up for.

Legitimate interest (Art. 6(1)(f)): We process usage analytics and technical data to improve service quality and security. You can opt out of analytics at any time.

Consent (Art. 6(1)(a)): Where required, we obtain your consent before processing data for specific purposes such as marketing communications.

Legal obligation (Art. 6(1)(c)): We may process data to comply with tax, accounting, or regulatory requirements.

When you upload an invoice or receipt, the document content is sent to OpenAI's API (GPT-4o) for automated data extraction. The following data may be transmitted to OpenAI: the visual content or text of the uploaded document, including any personal or financial information contained therein.

OpenAI processes this data solely to extract structured information (amounts, dates, provider names, billing periods) and returns it to SnapCost. According to OpenAI's API data usage policy, API inputs and outputs are not used to train their models.

The AI processing is essential to the core functionality of the Service. If you do not wish to have your documents processed by AI, you may enter expense data manually without uploading files.

Your data is stored in Supabase (cloud infrastructure powered by AWS). Database and file storage are encrypted at rest. All data transmission between your browser and our servers uses TLS encryption.

We implement appropriate technical and organizational measures to protect your data, including: encryption at rest and in transit, row-level security policies in our database, secure authentication with password hashing, regular security reviews of our infrastructure, and access controls limiting employee access to personal data.

While we take security seriously, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security of your data.

We share your data with the following service providers (sub-processors), each for specific purposes:

Supabase (USA/EU) — Database hosting, user authentication, and file storage. Stores all account data, expense records, and uploaded documents.

OpenAI (USA) — AI-powered invoice data extraction. Receives uploaded document content for parsing. Does not retain data after processing per their API policy.

Stripe (USA) — Payment processing. Handles credit card transactions and subscription management. Stores payment methods and billing history.

PostHog (EU) — Product analytics. Collects anonymized usage patterns to help us improve the Service. Hosted in the EU region.

Vercel (USA/EU) — Application hosting and content delivery. Processes HTTP requests and serves the web application.

Active accounts: We retain your data for as long as your account is active and you continue to use the Service.

Account deletion: When you delete your account (via Settings), all personal data, uploaded files, and expense records are permanently deleted from our systems within 30 days. Backup copies may persist for up to an additional 30 days before being purged.

Inactive free accounts: Free accounts inactive for more than 12 months may be scheduled for deletion. We will notify you by email at least 30 days before any deletion.

Payment records: Billing and transaction records may be retained for up to 7 years as required by Portuguese tax and accounting regulations.

Aggregated data: We may retain anonymized, aggregated data (that cannot identify you) indefinitely for statistical and service improvement purposes.

As a user in the EU, you have the following rights regarding your personal data:

Right of access: You can request a copy of all personal data we hold about you.

Right to rectification: You can correct inaccurate personal data at any time through the Service or by contacting us.

Right to erasure: You can delete your account and all associated data from the Settings page, or request deletion by contacting us.

Right to data portability: You can export your expense data from the Service. Contact us for a complete data export in a machine-readable format.

Right to restrict processing: You can request that we restrict processing of your data in certain circumstances.

Right to object: You can object to processing based on legitimate interest, including analytics. Contact us to opt out.

Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at hello@brocode.studio. We will respond within 30 days as required by the GDPR. If you are not satisfied with our response, you have the right to lodge a complaint with the Portuguese Data Protection Authority (CNPD) or your local supervisory authority.

SnapCost uses a minimal set of cookies:

Essential cookies: Authentication cookies managed by Supabase to keep you signed in. These are strictly necessary and cannot be disabled.

Analytics cookies: PostHog may set cookies to track anonymized usage patterns. These are hosted in the EU and can be blocked without affecting core functionality.

We do not use advertising cookies, social media tracking pixels, or any third-party marketing trackers.

Some of our sub-processors (OpenAI, Stripe, Vercel) are based in the United States. When your data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:

Standard Contractual Clauses (SCCs) approved by the European Commission are used for transfers to US-based processors.

We select sub-processors that participate in recognized data protection frameworks and maintain robust security practices.

We regularly review our sub-processors' data protection practices to ensure ongoing compliance.

SnapCost is not intended for users under the age of 18. We do not knowingly collect personal data from children. If you believe a child under 18 has provided us with personal data, please contact us and we will promptly delete it.

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through the Service at least 30 days before the changes take effect.

We encourage you to review this policy periodically. The "last updated" date at the top indicates when the policy was last revised.

For any questions about this Privacy Policy or to exercise your data protection rights, contact us at:

Email: hello@brocode.studio

BroCode Studio, Portugal.

You may also contact the Portuguese Data Protection Authority (CNPD) at www.cnpd.pt if you have concerns about our data processing practices.