Privacy Policy
Last updated: June 3, 2026
GetGuac is built so your receipts and spending stay private to you. Below is exactly what we collect, who else can see it, and how to take it back.
1. What We Collect
- Account basics β username, email, hashed password (never the plain password), birth date, and optional fields like phone number you choose to add.
- Receipts you give us β the photo or email, the parsed items, totals, dates, store names, and any tags / categories you assign.
- Rewards & memberships β only what's printed on receipts you upload, plus loyalty numbers you enter yourself.
- Household + chat β when you create or join a household, the membership record + chat messages you send.
- Usage data β basic logs (which API endpoint, response time, error counts) tied to your account, kept 30 days for debugging and abuse prevention.
We do NOT collect: bank credentials, social-security numbers, biometrics, your contacts, your location (beyond a receipt's store address), or your browsing history outside GetGuac.
2. Who Can See What
- You see all of it.
- Your household members see only: the shared shopping list rows you mark as shared, the household chat messages, and other members' display names. They do not see your receipts, rewards, totals, categories, or any analytics.
- Other GetGuac users can find you by email to start a 1:1 chat β same disclosure surface as a password reset. They cannot see any of your data unless you send them a message.
- GetGuac employees β only on-call engineers, only when investigating a specific issue you reported, only the minimum needed to fix it. Every read is logged.
- Nobody else. We don't sell data. We don't share it with advertisers. We don't train external AI models on your receipts.
3. How It's Protected
Database rows are protected by per-user Row Level Security β even a bug in our application code can't return one user's receipts to another. Connections are HTTPS-only. Passwords are hashed with bcrypt. Storage URLs (the actual receipt photos) are time-limited and signed.
The Security page has the technical breakdown β what's encrypted, what RLS policies exist, what we audit-log.
4. Email & Notifications
We email you for: account confirmation, password reset, security alerts (e.g. new sign-in from a new device), and household invites. Marketing emails are off by default. You can disable everything except security alerts from your profile page.
The free @getguac.app address that comes with your username is for receiving merchant receipts. We parse incoming messages to extract receipts; we do not read message bodies for any other purpose, and we don't send anything from your address without your explicit action.
5. Retailer Connections (Beta)
If you choose to link a retailer account (Connections page β "Link account"), you sign into that retailer's own website inside an isolated browser session on your device. We never see your credentials. Username and password are typed into the retailer's own HTML form, on the retailer's own origin.
What we do see, only after you've signed in and only on the retailer's order-history page: the order metadata our extractor reads (store name, date, total, line items). We store these as receipts in your account, the same way email-forwarded receipts are stored.
The browser session β including any auth cookies the retailer set β is discarded when you close the linking screen. We don't store passwords, tokens, or any persistent credential. To pull receipts again later, you sign in again.
This feature is in beta and may break without notice. Some retailers' Terms of Service prohibit automated access to their sites; by using this feature you accept that risk. If a retailer requests that we disable a linker, we will do so promptly.
6. Deleting Your Data
You can delete your entire account from your profile page. One click. Hard delete in 24 hours. Backups age out within 30 days.
You can also delete individual receipts, rewards, household memberships, and chat messages at any time β those deletes are immediate.
7. Your Rights
If you're in the EU/UK/California or another jurisdiction with data-protection laws, you can request: a copy of your data, correction of inaccurate data, deletion, or a portable export. Most of this is already self-serve in the app (profile β export / delete). For anything else, email us.
We respond within 30 days. We don't charge for these requests.
8. Cookies & Tracking
We use exactly one cookie: your sign-in session. No analytics cookies, no advertising pixels, no cross-site trackers. The few server-side analytics we collect (page-view counts, error rates) are aggregated and not tied to your identity in the dashboards we look at.
9. Third Parties We Use
- Supabase β our database + auth + storage host. They cannot read your row-level-security-protected data; they hold the encrypted-at-rest copy.
- Google Gemini / Groq β receipt parsing. Only the receipt photo + text is sent, no account identifiers, and Anthropic's and Google's terms forbid them from training on this data.
- Vercel β runtime hosting + CDN. They see request metadata, not response bodies.
- Sentry β crash + error reporting. We send the error stack and a coarse user identifier (so a single user's repeated crashes group together). No receipt content, no balances.
- PostHog β behavioral analytics. We send screen-view events and product-action events (e.g. "smashed a list item"). No receipt content, no PII beyond the user ID.
10. Children
GetGuac is not directed at children under 13. If we learn we have a sub-13 account, we delete it.
11. Changes to This Policy
If we change what we collect, who can see it, or how it's protected, we'll post the new policy here with a new "last updated" date and email you before the change takes effect for any data we already hold.
12. Contact
Privacy questions go to privacy@getguac.app. Security reports (please) to security@getguac.app.
Terms of Service Β· Security Β· Home