Last updated: March 2026
Vault Receipt ("we", "us", "our") operates the vaultreceipt.com website and service. This policy describes how we collect, use, store, and protect your information.
When you use Vault Receipt, we collect:
Account information: company name, email addresses, and hashed passwords for each user on your team.
Receipt data: images you upload, plus extracted fields (vendor name, amount, tax, currency, date, suggested category). These fields are extracted automatically using AI-powered OCR.
Usage data: expense reports, categories, projects, splits, and approval history created within the platform.
Integration credentials: OAuth tokens for QuickBooks Online and connection details for Odoo, stored encrypted and used only to sync your approved expenses.
Receipt images are sent to Anthropic's Claude API for OCR extraction under Anthropic's Commercial Terms of Service. Under these terms:
No training on your data. Anthropic does not use your receipt images or extracted data to train AI models.
Inputs deleted within 30 days. Anthropic automatically deletes API inputs and outputs within 30 days of processing.
You own the outputs. All extracted data (vendor, amount, date, etc.) belongs to you.
We send only the image and a processing prompt to the API. No personally identifying information about your company or users is included in the API request.
Database: your account data, receipt records, expense reports, and team information are stored in a PostgreSQL database on our servers.
Receipt images: uploaded images are stored on our server's filesystem.
Encryption and hashing: all data is transmitted over HTTPS (TLS). Passwords are hashed with bcrypt. API keys are hashed with SHA-256.
Vault Receipt is a multi-tenant system. Each company's data is strictly isolated:
Every database query filters by your company ID. Users can only access receipts, reports, categories, and projects belonging to their own company. Receipt images are served through authenticated endpoints that verify company membership.
Vault Receipt integrates with QuickBooks Online and Odoo. These integrations are entirely opt-in:
Data is shared with these services only when your company admin explicitly connects the integration. You can disconnect at any time from the Settings page. Disconnecting removes stored credentials but does not affect data already synced to the third-party system.
While your account is active: all receipt data, images, and reports are retained for as long as you need them. You can export your data at any time via CSV from the Reports page.
On account deletion: when a company admin deletes the account, all data is permanently removed from our systems. This includes all receipt images, database records (receipts, users, categories, projects, expense reports, API keys, integration connections), and sync logs. This action is irreversible.
Data already synced to third-party integrations (QuickBooks, Odoo) remains in those systems and is not affected by account deletion.
Subscription billing is handled by Stripe. We do not store credit card numbers. Stripe's privacy policy applies to payment processing. We store only your Stripe customer ID and subscription status.
We use a single HTTP-only cookie (a JWT authentication token) to maintain your login session. We do not use tracking cookies, analytics cookies, or advertising cookies. We do not sell your data to third parties.
We protect your data with: HTTPS encryption in transit, bcrypt password hashing, SHA-256 API key hashing, HTTP-only secure cookies, rate limiting on authentication endpoints, CORS restrictions, and per-company data isolation enforced at the database query level.
You can: export all your receipt data at any time, delete your account and all associated data, disconnect third-party integrations, and update your password or transfer admin rights to another team member.
For questions about this privacy policy or your data, contact us at privacy@vaultreceipt.com.
We may update this policy from time to time. Material changes will be communicated via the app or email. Continued use of the service after changes constitutes acceptance of the updated policy.