TrackHSA – Privacy Policy

1. Information We Collect or Process

Account Information

When you create an account using Sign in with Apple or Google, the authentication provider shares the account information needed to sign you in, such as a unique user identifier and, depending on the provider and your choices, your email address. If you use Apple's email-relay feature, we receive a relay address instead of your real email. We also store your subscription tier and related billing status metadata to manage your access to Premium features.

Receipt Data and HSA Records

Receipt images, OCR text, vendor names, totals, categories, and line items are stored in your account on our secure cloud database (Supabase). This enables multi-device sync so your data is available across all your devices. Your data is associated with your account and is not shared with other users.

AI Analysis Data

When AI analysis is enabled, extracted receipt text and related fields (for example vendor, totals, category, and line items) are securely sent to OpenAI's API for processing. This is used only to return structured receipt details and HSA eligibility information to your app. We do not sell your personal data.

Advertising and Diagnostics

Free-tier users may see ads served by Google AdMob. AdMob may collect your device's advertising identifier (IDFA), IP address, and general location to serve relevant ads and measure ad performance. We may also collect limited diagnostics (for example, crash or reliability events) to improve app stability. This data does not personally identify you.

2. How We Use Your Information

• Authenticate and secure your account — using Sign in with Apple or Google so you can log in across devices.
• Sync your data across devices — storing and retrieving your HSA records via Supabase for multi-device access.
• Analyze receipts using AI — sending extracted receipt data to OpenAI's API for categorization and HSA eligibility determination.
• Manage your subscription — tracking your subscription tier to provide the correct feature access.
• Serve advertisements — on the free tier, using Google AdMob to display relevant ads.
• Improve the App — analyzing anonymized crash and usage data to fix bugs and improve features.
• Provide support — communicating important account or service-related messages when necessary.

3. Storage and Security

Your account data and HSA records are stored in Supabase, a secure cloud database, enabling multi-device sync across all your devices. All data is transmitted over encrypted connections (TLS/HTTPS). Supabase applies industry-standard access controls and encryption at rest.

We apply reasonable technical and organizational safeguards for all data handling. However, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.

4. Third-Party Services

TrackHSA uses the following third-party services, each with their own privacy policies:

• Apple Sign In — Authentication. apple.com/legal/privacy
• Supabase — Cloud database and authentication backend. supabase.com/privacy
• OpenAI API — AI-powered receipt analysis and HSA categorization. openai.com/policies/privacy-policy
• Google AdMob — Advertising on the free tier. May collect device identifiers and usage data for ad personalization. policies.google.com/privacy

We do not sell your personal information to any third party.

5. Your Choices and Rights

• Access and portability — You can view all your HSA records within the App at any time.
• Correction — You can edit or update any receipt or HSA record in the App.
• Deletion — You can delete individual records or request full account deletion through in-app settings or by contacting support. Account deletion removes all your data from our servers within 30 days.
• Opt out of personalized ads — Go to iPhone Settings → Privacy & Security → Tracking, and disable tracking for TrackHSA. You can also reset your advertising identifier there.
• Email preferences — If you receive marketing emails from us, you can unsubscribe using the link in any email.

6. Data Retention

We retain your account data and HSA records for as long as your account is active or as needed to provide our services. If you delete your account, we will delete your personal data from our systems within 30 days, except where we are required to retain it for legal or tax purposes.

7. Children's Privacy

TrackHSA is not intended for children under the age of 13 and we do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

8. California Privacy Rights (CCPA)

If you are a California resident, you have the right to know what personal information we collect, disclose, or sell; the right to request deletion of your personal information; and the right to non-discrimination for exercising these rights. We do not sell personal information. To exercise your rights, contact us at the address below.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be reflected by an updated "Last Updated" date at the top of this page. If the changes are significant, we will notify you through the App or via email. Your continued use of TrackHSA after changes are posted constitutes your acceptance of the updated policy.