Legal
Privacy Policy
Last updated: April 7, 2026
Itemized is built on a simple principle: your financial data belongs to you. This policy explains exactly what we collect, why we collect it, and how we keep it safe.
What We Collect
When you use Itemized, we collect the following categories of data:
- Account information: Your email address and authentication credentials when you create an account.
- Receipt images: Photos you scan or import from your camera roll. These are processed by AI to extract line-item data.
- Receipt and transaction data: Merchant names, itemized products, prices, dates, and spending categories derived from your receipts and linked accounts.
- Gmail receipt data: If you connect Gmail, we read emails matching receipt patterns (subject lines like "Your order," "Receipt for," etc.) to extract purchase data. We do not read or store other emails.
- Bank and card transaction data: If you connect a financial account via Plaid, we receive transaction records including merchant name, amount, and date. We do not receive your account numbers or login credentials — those go directly to Plaid.
- Usage data: How you interact with the app (features used, session length) to help us improve the product. This is not sold or shared with advertisers.
- Billing information: Managed by Stripe. We store your subscription status but never your card numbers.
Why We Collect It
Everything we collect has a single purpose: to give you item-level visibility into your spending. Specifically:
- Receipts and transactions are processed to categorize your spending at the line-item level.
- Your email is used for account authentication and transactional communications (receipts for your Itemized subscription, important product notices).
- Usage data helps us understand which features are working and where we can improve.
We do not build advertising profiles. We do not sell your data. We do not share personal data with third parties beyond the vendors listed below that power the service.
Third-Party Services
Itemized uses the following trusted third parties to deliver the service:
Google (Gmail OAuth & Gemini AI)
Gmail OAuth lets you connect your inbox for receipt extraction. Gemini AI processes receipt images and text to extract line items. Google's privacy policy governs their handling of data.
Plaid
Plaid is the industry-standard bank connectivity layer. Your bank credentials never touch our servers — they go directly to Plaid. We receive only the transaction data you authorize.
Stripe
Stripe handles all subscription billing. We store your plan status; Stripe stores your payment method.
Supabase
Our database and authentication provider. Your data is stored on Supabase's infrastructure, encrypted at rest, in US-based data centers.
Vercel
Our hosting and edge infrastructure provider. Vercel serves the application and processes web requests.
Your Rights and Controls
You have full control over your data:
- Access: Request a copy of all data we hold on you at any time.
- Delete: Delete your account and all associated data at any time from the app settings or by emailing us. Deletion is permanent and processed within 30 days.
- Export: Export your receipt and transaction data in CSV format from your account settings.
- Disconnect integrations: Revoke Gmail or Plaid access at any time from Settings → Connections. Existing data is retained until you delete it.
- California (CCPA) and EU/UK (GDPR) residents have additional rights including right to know, right to opt-out, and right to non-discrimination. Contact us to exercise these rights.
Data Retention
We retain your data for as long as your account is active. When you delete your account, all associated data is permanently deleted within 30 days. Aggregate, anonymized analytics data (with no link to your identity) may be retained indefinitely to improve the product.
Security
We take security seriously:
- All data is encrypted in transit via HTTPS/TLS 1.3.
- Data at rest is encrypted using AES-256 on Supabase's infrastructure.
- Authentication uses Supabase Auth with industry-standard JWT tokens and OAuth 2.0.
- We are working toward SOC 2 Type II certification.
No system is 100% secure. If you discover a security vulnerability, please email jacob.h.trask@gmail.com and we will respond promptly.
Children's Privacy
Itemized is not designed for or directed at children under 18 years of age. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us personal information, please contact us and we will delete it promptly.
Changes to This Policy
We may update this policy from time to time. When we do, we will update the “Last updated” date at the top and, for material changes, notify you by email or in-app banner. Continued use of Itemized after changes take effect constitutes acceptance of the updated policy.
Contact
Questions, requests, or concerns about this policy? Email us at jacob.h.trask@gmail.com. We aim to respond within 5 business days.