Legal
Privacy Policy
Last updated: June 24, 2026
Trail (“Trail,” “we,” “us”) is built by an independent developer. This policy explains, in plain English, what we collect, why, who else touches it, and what control you have over it. If something here is unclear, email hi@mytrail.pro and we'll fix the wording.
1. Data we collect
We collect only what Trail needs to function:
- Account information. If you sign in with Apple or Google, we receive your name, email address, and the stable provider account ID. We do not receive your Apple or Google password. Apple's “Hide My Email” relay address is accepted; we never see the underlying address in that case.
- Receipts and uploads. Images, PDFs, or text you submit so Trail can extract merchant, amount, date, line items, tax, and category. This includes anything you send via the share sheet, manual entry, the iOS Shortcut, or (on Android) bank-SMS automations you set up yourself. Trail never reads your SMS inbox directly — content reaches us only when an automation YOU configure forwards it to our endpoint.
- Voice recordings (transient). If you use voice logging, the audio is uploaded once to our backend, transcribed to text by our speech-to-text processor (Groq Whisper), and then discarded. The transcribed text is kept alongside the resulting receipt; the original audio is not retained.
- Derived structured data. The fields Trail's AI extracts from your receipt (e.g. “$42.10 at Whole Foods on May 7, food & drink”) plus any edits you make to those fields.
- Organisation data. Folder names, tags, budgets, categories, payment-source labels, currency preferences, and rename rules you create.
- Subscription state. If you subscribe, we receive the transaction ID, product ID, and expiration date from Apple or Google so we can verify your status server-side. We never see your card number, billing address, or full receipt.
- Push notification token. A device-specific token (from Apple Push Notification service or Firebase Cloud Messaging) so we can deliver the notifications you've opted into. Not used for tracking.
- Device + app metadata. Device model, OS version, app version, language, time zone, and basic crash diagnostics — used to triage bugs.
We do not collect: precise location, contacts, browsing history outside the app, microphone audio outside of explicit voice logging, the contents of your SMS inbox (Android), advertising identifiers, or biometric data.
2. How we use it
- Run the service — store and retrieve your receipts and folders.
- Run AI extraction so a photo becomes structured fields you can search, filter, and export.
- Personalise suggestions — e.g. matching a new receipt to a folder based on rules you've confirmed in the past.
- Send transactional messages (account, billing, security).
- Improve reliability — read aggregate crash diagnostics and latency metrics. We do not train AI models on your receipts.
We do not sell your data. We do not show ads. We do not share your receipts with any party except the processors listed below, and only to the extent each one needs to do its job.
3. Third parties
Trail uses a small set of vendors to run. Each one is bound by its own data-processing terms; we limit what we send to the minimum each needs.
- Apple Sign In + Google Sign-In — handle authentication. We receive name, email, and a stable user ID; neither provider gives us your password. If you use Apple's “Hide My Email” we see only the relay address.
- Firebase (Google Cloud) — backs the account database (Firestore), object storage for receipt images and PDFs, and push delivery (FCM on Android). Data is encrypted at rest and in transit.
- Apple Push Notification service — push delivery on iOS. We send Apple your device token and the notification payload; Apple does not see your receipt data.
- API server (Hetzner) — Trail's extraction and quota-management API runs on managed virtual servers in the European Union. Receipts pass through this layer on their way to the AI processors and back.
- AI processors — Google Gemini handles vision and receipt OCR; Groq handles text understanding, chat, and edits; Groq Whisper handles voice transcription. OpenRouter is a fallback for any model not on Groq or Gemini direct. None of these providers retain receipt content for model training under the terms we use.
- Payments — paid subscriptions are billed by Apple App Store (iOS) or Google Play Billing (Android). Trail never sees raw card numbers; we receive only the receipt / purchase token we need to verify your subscription status.
- Analytics — Firebase Analytics / Google Analytics 4 records aggregate, non-receipt usage events (screen views, feature taps, install source) so we can understand which flows are healthy. No receipt content is sent to analytics.
- Crash diagnostics — basic crash reports go to our diagnostics provider so we can fix bugs. Reports contain stack traces and device metadata; they do not contain receipts.
- Email — transactional email (account, security, support replies) goes through a third-party email provider; only your email address and the message body are shared.
4. AI processing
The core of Trail is an AI pipeline that turns a photo (or typed note, or voice memo, or forwarded SMS) into a clean record. Here's exactly what happens when you scan something:
- Your device uploads the image (or text / audio) to our backend over HTTPS.
- We downscale and re-encode images as JPEG to keep transit small.
- We forward the content to the appropriate model with a structured prompt: Gemini for vision and OCR, Groq for text understanding / chat / edits, and Groq Whisper for voice transcription. We do not include other receipts or your account identity beyond what the model needs to produce the result.
- The model returns JSON. We validate it, do honest math (sum of line items vs. stated total), and save the result alongside the original image. For voice input, the transcription is saved as the receipt's text note; the audio itself is discarded.
Receipts are not used to train or fine-tune any third-party model under the agreements we operate. If a provider changes their retention terms in a way that affects you, we'll update this page.
5. Retention
- Active accounts. We keep your data as long as your account exists so the app can show your history.
- Deleted receipts. Removed from active storage immediately; purged from backups within 30 days.
- Deleted accounts. All personal data is deleted within 30 days of an account-deletion request. We retain only the minimum logs we need for fraud prevention and legal compliance — and those expire on a rolling 90-day window.
- Diagnostics. Crash + latency logs are kept for up to 90 days then aggregated and discarded.
6. Your rights
You can, at any time:
- See your data — everything Trail holds about you is visible in the app, and structured exports are available on request.
- Edit or delete any individual receipt, folder, rule, or preference from within the app.
- Delete your whole account — see how to delete your account.
- Export — request a copy of your receipts and folders in JSON / CSV by emailing hi@mytrail.pro.
- Withdraw consent for any specific processing where consent is the basis, without affecting the lawfulness of past processing.
7. GDPR (EU + UK)
If you're in the European Economic Area or the United Kingdom, you have the rights listed above plus the right to lodge a complaint with your local supervisory authority.
Our legal bases for processing:
- Performance of a contract — running the Trail service you signed up for.
- Legitimate interests — keeping the service working, secure, and fraud-free. Balanced against your privacy rights.
- Consent — where the law requires it, e.g. for any optional analytics. You can withdraw at any time.
- Legal obligation — narrow cases where we have to retain something (tax records for paid plans, etc.).
The data controller is the developer behind Trail. Contact hi@mytrail.pro for any GDPR request — we respond within 30 days.
8. CCPA (California)
If you're a California resident, you have the right to know what personal information we have, to ask for it to be deleted, and to opt out of any “sale” or “sharing” of it. Trail does not sell or share personal information as those terms are defined under the CCPA. To exercise your rights, contact hi@mytrail.pro; we won't discriminate against you for asking.
9. Children
Trail is not intended for and is not marketed to children under 13 (or 16 where local law sets a higher age). We do not knowingly collect data from children. If you believe a child has signed up, email hi@mytrail.pro and we'll delete the account.
10. Security
Data is encrypted in transit (TLS) and at rest. Access to production systems is restricted, audited, and protected by 2-factor authentication. We keep a small surface area and ship often, which helps us patch quickly when issues are found. No service is 100% secure; if a breach occurs that affects you, we'll notify you as required by law.
11. Changes to this policy
When this policy changes materially we'll update the “Last updated” date and, if the change affects how your data is used, notify you in the app or by email before the new terms take effect.
12. Contact
Questions, requests, or complaints — including GDPR / CCPA requests — go to hi@mytrail.pro. We aim to reply within two business days; complex requests can take up to 30 days.