Privacy Policy

Effective date: June 7, 2026 · Last updated: June 11, 2026

ReturnScribe is a native iOS app that helps you track purchases — return windows and subscription renewals — by scanning purchase confirmation emails. This policy describes exactly what data we collect, what we don't, how it's processed, and the rights you have over it. It is written specifically for ReturnScribe and is not a generic template.

1. Who this policy applies to

This policy applies to the ReturnScribe iOS app (the "App") and the returnscribe.com website. The App is operated from the Commonwealth of Virginia, United States.

2. Data we collect

  • Email address. Used for account creation, authentication, and product communication you opt into (such as launch announcements or other product updates). ReturnScribe supports four sign-in methods: Sign in with Apple, Sign in with Google (for app authentication, separate from Gmail data access), magic link, and email + password.
  • OAuth tokens for Gmail and Microsoft Outlook. When you connect a mailbox, the App stores OAuth refresh tokens for that provider. Tokens are stored encrypted on your device, in the iOS Keychain, with the accessibility attribute kSecAttrAccessibleWhenUnlockedThisDeviceOnly. They are never synced to iCloud and are never transmitted to our servers.
  • Structured purchase data extracted from email. The App parses purchase confirmation and subscription receipt emails and persists structured fields only — for example: merchant name, purchase amount, currency, purchase date, return window, order identifier, subscription renewal date, billing cadence, and trial-end date.
  • Email content transmitted for AI parsing (receipt emails). AI-based parsing is a core, integral part of how ReturnScribe works and cannot be disabled separately; if you do not want receipt emails processed this way, do not connect a mailbox. Here is exactly what happens: an on-device prefilter first identifies emails that appear to be purchase or subscription receipts — email that is not identified as a receipt never leaves your device. For an email identified as a receipt, the sender address, subject line, and email body (capped at 256 KB before processing) are transmitted over TLS to a server-side Edge Function operated by ReturnScribe. Before this content is forwarded, your own email address is redacted from it; the receipt details the parser needs — such as merchant, item descriptions, amounts, and dates — are included. The Edge Function forwards the redacted content to OpenAI's API for parsing and returns only the extracted structured fields to your device. You are informed of this processing when you create an account. Cloud AI parsing is subject to a per-user monthly spending cap, described in our Terms of Use. We may add on-device parsing paths (including on-device foundation-model parsing) in future releases; if and when we do, we will update this Policy. See §6 for the Limited Use disclosure governing this transfer.
  • AI parsing usage and spending data. When Cloud AI Parsing is used, we record the count of API calls and the approximate dollar cost per user per month, to enforce the monthly cap. We do not retain the email content sent to the AI service beyond what is needed to complete parsing (see the Note on AI parsing in §3 regarding brief retry-queue retention on transient failures).
  • Device push notification token. If you enable push notifications, an APNs (Apple Push Notification service) device token is collected so we can send reminder notifications.
  • Basic operational logs. Server-side request logs (timestamps, error codes, IP address) are retained for 30 days for debugging and abuse prevention.

3. Data we do not collect

  • Raw email bodies on our servers (long-term). Raw email content is never written to long-term storage — neither on our servers nor in long-term on-device storage. After parsing, raw email text is discarded from local memory. On your device, an email body is capped at 256 KB before processing; unusually large messages are skipped entirely rather than partially processed.
  • Note on AI parsing. When receipt content is sent for parsing, it is transmitted to OpenAI's API solely to return structured fields (such as merchant, order date, item, total, return-window hint, and renewal-date hint). OpenAI is a sub-processor; its handling of data submitted via its API — including any retention period and whether inputs may be used to train its models — is governed by OpenAI's own API terms and privacy policy in effect at the time of processing, which you can review at openai.com/policies. In normal operation, our Edge Function returns only the extracted fields and does not store the receipt content. If a parse cannot be completed immediately — for example, because of a transient error — the redacted receipt content may be held briefly in a retry queue so the parse can be re-attempted, and is then deleted automatically (on a successful retry or by a scheduled cleanup job). ReturnScribe does not use any receipt content to train a model, and never transmits email content that the on-device prefilter has not identified as a receipt.
  • Email metadata beyond purchase confirmations. We do not index, store, or analyze general inbox metadata (sender lists, thread maps, calendar invites, etc.).
  • Contacts, calendar, files, photos, location, or any non-purchase email content. The App does not request these permissions.
  • Advertising identifiers. We do not collect IDFA, do not integrate any ad SDKs, and do not perform any cross-app or cross-site tracking.
  • Advertising and behavioral-analytics SDKs. No advertising SDK and no third-party behavioral-analytics SDK (such as Google Analytics, Mixpanel, Amplitude, or Segment) is integrated in the App. We do use a crash- and performance-monitoring SDK (Sentry) and the RevenueCat and Supabase SDKs to operate the App; these are described in §5 and are not advertising or behavioral-tracking tools.

4. How data is processed

  • Email scanning happens on your device (Gmail / Microsoft Graph fetch). The App fetches your messages over the Gmail or Microsoft Graph API directly from your device. Messages are not routed through our servers.
  • Parsing path. An on-device prefilter identifies receipt-like emails; email not identified as a receipt is never transmitted off your device. Emails identified as receipts are parsed by a cloud AI service: the redacted receipt content (sender, subject, and body, capped at 256 KB) is sent over TLS to a ReturnScribe Edge Function (running on Supabase Edge Functions in the United States), which forwards it to OpenAI's API and returns only the parsed structured fields to your device. In normal operation the Edge Function does not retain this content; if a parse fails transiently, the redacted content may be held briefly in a retry queue and is then deleted automatically.
  • Read-only mailbox access. ReturnScribe's access to your mailbox is read-only: https://www.googleapis.com/auth/gmail.readonly for Gmail and Mail.Read for Microsoft Graph. These are the only scopes that grant access to the contents of your mailbox; any other scopes shown on the provider's consent screen are standard sign-in and identity scopes that do not read your mail. None of this access permits ReturnScribe to send, delete, label, or modify any message in your mailbox.
  • OAuth uses PKCE. Authorization Code flow with PKCE is used for both providers. We never see your provider password.
  • On-device storage uses NSFileProtectionComplete. The structured purchase database (a SwiftData store) is encrypted at rest with the strongest iOS file protection class — meaning the file is unreadable while the device is locked.
  • App lock. The App supports Face ID / Touch ID with passcode fallback to gate access to your data even when the device is unlocked.
  • Cross-device sync via Supabase. When you sign in, the structured purchase data described in §2 is encrypted-in-transit (TLS) and stored in our Supabase project, in a United States region (currently AWS us-east-1). Row-level security policies restrict every row to the authenticated user who owns it. Raw email content is never transmitted to or stored in Supabase. We may relocate among United States regions for operational reasons; if we begin storing data outside the United States, we will update this Policy and provide notice.
  • Cloud AI parsing transit. When a receipt email is parsed, redacted receipt content is transmitted over TLS to our Edge Function (hosted on Supabase), which forwards the request to the OpenAI API. Our Edge Function tracks per-user monthly spending to enforce the cap. As described in §3, the Edge Function does not retain the content in normal operation, and on a transient failure holds redacted content only briefly before automatic deletion.
  • Rate limiting. A custom token-bucket rate limiter throttles outbound requests to email provider APIs to stay within their published limits.

5. Third-party services we use

  • Google. Sign in with Google for app authentication, separate from Gmail data access. Gmail OAuth and read-only Gmail API for users who connect a Google mailbox. Google's handling of that data is governed by the Google Privacy Policy. ReturnScribe's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
  • Microsoft. Microsoft Graph OAuth and read-only mail API for users who connect a Microsoft account. Governed by the Microsoft Privacy Statement.
  • OpenAI. When a receipt email is parsed, redacted receipt content (sender, subject, and body, capped at 256 KB) is transmitted to OpenAI's API solely to return structured purchase fields. OpenAI acts as a sub-processor. OpenAI's data-handling practices for data submitted via its API — including retention periods and whether inputs may be used to train its models — are governed by OpenAI's API terms and privacy policy in effect at the time of processing (see openai.com/policies). ReturnScribe does not control, and does not warrant on OpenAI's behalf, those practices.
  • Supabase. Authentication and cross-device sync of structured purchase data. Servers in the United States. Supabase also sends our authentication emails (such as magic-link sign-in) on our behalf via its email delivery. See the Supabase privacy policy.
  • Sentry. Crash and performance monitoring. When the App encounters a crash or error, diagnostic data (such as stack traces, device model, OS version, and a pseudonymous identifier linked to your account's internal user ID) is sent to Sentry to help us diagnose and fix problems. Sentry does not receive your email content, OAuth tokens, or the purchase data extracted from your inbox; we filter out personal identifiers such as email addresses and tokens before transmission. See the Sentry privacy policy.
  • Shippo. Carrier shipment tracking. If a receipt includes a shipment tracking number and the tracking feature is used, ReturnScribe sends the carrier name and tracking number to Shippo to retrieve delivery status. Shippo does not receive your email content or the rest of your purchase data. See the Shippo privacy policy.
  • Apple. Sign in with Apple for app authentication, including Apple's "Hide My Email" relay if you choose it (relay addresses do not auto-link with other sign-in methods using your real email). Apple Push Notification service (APNs) for push delivery. See the Apple privacy policy.
  • Cloudflare. Hosting and DNS for the returnscribe.com website, including this Privacy Policy and our Terms of Use. Cloudflare serves our website; it does not process the purchase data or email content handled by the App. See the Cloudflare privacy policy.
  • Contact email forwarding. Email sent to addresses at returnscribe.com (for example, privacy@ and info@) is delivered to our operational inbox through an email-forwarding service. That service relays messages you send to us; it does not receive the purchase data or email content handled by the App.
  • RevenueCat. Subscription management and entitlement tracking. When you start a free trial or purchase a subscription, RevenueCat receives a pseudonymous user identifier and the relevant Apple StoreKit transaction details. RevenueCat does not receive your email content or any purchase data extracted from your inbox. See the RevenueCat privacy policy.

We do not sell, rent, or share your personal data with any third party for advertising, marketing, profiling, or any other purpose outside the operational scope above.

6. Limited Use disclosure (Google API user data)

ReturnScribe's use of information received from Google Workspace APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. In particular:

  • We limit our use of Gmail data to providing and improving the user-facing receipt-tracking features visible in the ReturnScribe app.
  • We do not transfer Gmail data except as necessary to provide those user-facing features — specifically, transmitting redacted receipt content to our cloud AI parsing sub-processor (OpenAI) to perform receipt parsing — or to comply with applicable law.
  • We do not allow humans to read your Gmail data except (i) with your affirmative consent for specific messages, (ii) where necessary for security purposes, or (iii) where required by law.
  • ReturnScribe does not use Gmail data to develop, improve, or train any generalized artificial intelligence or machine learning model, and does not transfer Gmail data to any third party for that purpose.
  • We do not sell Gmail data, and do not use it for advertising of any kind.

7. Your rights

  • Access. All purchase data ReturnScribe holds about you is viewable inside the App.
  • Export / portability. You can export your purchase data from the App at any time as a structured file (JSON / CSV).
  • Deletion. You can revoke a connected mailbox or delete your entire account from inside the App. Account deletion removes all server-side data and deletes OAuth tokens stored on your device. Where supported by the provider's API (Google), ReturnScribe also calls the provider's token revocation endpoint to invalidate access. Microsoft does not expose a public token revocation endpoint under the read-only mail scope ReturnScribe uses; you can fully revoke access at any time at https://account.live.com/consent/Manage. You can also revoke Google access directly at https://myaccount.google.com/permissions.
  • Correction. You can edit the structured fields associated with any purchase (e.g., correcting a parsed amount or date) directly in the App.
  • Withdraw consent. You can disconnect any mailbox at any time. This deletes the associated tokens from the Keychain, calls the provider's revocation endpoint where supported (Google), and stops further scanning.
  • Privacy contact. Reach us at privacy@returnscribe.com for any privacy-related question or request. We will respond within the timeframes required by applicable law — generally within 30 days for GDPR/UK GDPR and PIPEDA requests and within 45 days for CCPA/CPRA requests, with extensions where permitted.

8. Data retention

When you delete your account, we mark your account data for deletion and begin purging it from production systems immediately. A scheduled purge job runs daily to remove soft-deleted records from production, and database backups containing them expire on their own retention schedule within the same 30-day window. As a result, your account data — including OAuth tokens, parsed purchase records, and any synced data — will be removed from our active production systems and from any backups in which it appears no later than 30 days after the deletion request.

  • Local device data. Retained until you delete the App, sign out, or revoke the connected mailbox.
  • Server-side synced data. Removed from active production systems immediately upon account deletion and from any backups within 30 days, as described above.
  • Operational server logs. Contain only IP, timestamp, and request metadata (not email content); retained for 30 days, then deleted on a rolling basis.

Account deletion does NOT cancel App Store subscriptions; you must manage those in your Apple ID settings.

9. Children's privacy

ReturnScribe is a general-audience product directed to adults. It is not designed for, marketed to, or directed at children. We do not knowingly collect personal information from any individual under the age of 13 in the United States, or under the minimum age of digital consent in their country of residence (16 in many EEA member states unless that state has set a lower age between 13 and 16). Per our Terms of Use, you must be at least 13 to use ReturnScribe, and if you are between 13 and the age of majority in your jurisdiction, you may use ReturnScribe only with the consent and supervision of a parent or legal guardian. If we learn we have collected personal information from a child under 13 (or under the applicable minimum age in their country), we will delete it promptly. Parents or guardians who believe their child has provided personal information may contact privacy@returnscribe.com.

10. International users

ReturnScribe is operated from the United States. If you use the App from outside the United States, you understand that any data synced to our servers is processed and stored in the US. See §13 for region-specific disclosures (California, EEA/UK, Canada, Australia, New Zealand).

11. Security

ReturnScribe is designed so that your raw email content is not stored on our servers. The on-device prefilter never transmits email content off your device — email that is not identified as a receipt never leaves it. When a receipt email is parsed, redacted receipt content transits our Edge Function over TLS to OpenAI's API; in normal operation the Edge Function returns only the parsed fields and does not retain the content. The only email-derived content that may briefly reside on our servers is redacted receipt content held in a retry queue when a parse fails transiently, which is deleted automatically once the retry completes or by a scheduled cleanup job. Accordingly, a compromise of our database or storage would not expose stored raw email content.

We implement reasonable security measures: read-only OAuth scopes, Keychain-stored tokens with device-only accessibility, encrypted on-device storage with the strongest iOS file protection class, TLS for all network transit, row-level security on the backend, and per-user data isolation (row-level security keyed to your account) so no user's data can collide with another's. However, no system is perfectly secure: an attacker who actively intercepted traffic to, or compromised, the Edge Function itself in real time could in principle observe in-transit or briefly-queued content before it is discarded, and you should not treat any cloud-based service as a substitute for end-to-end encryption.

Breach notification. If we become aware of a personal-data breach (as defined by applicable law in your jurisdiction) that affects your account, we will notify you and any regulator to which we are obligated to report, in each case as and when required by applicable law (for example, state breach-notification statutes in the United States, PIPEDA's "real risk of significant harm" standard in Canada, the Notifiable Data Breaches scheme in Australia, the Privacy Act 2020 in New Zealand, and, when EEA/UK service launches, GDPR/UK GDPR Articles 33–34).

12. Changes to this policy

If we make material changes to this policy, we will provide notice in-app or by email to active users at least 14 days before the change takes effect. Non-material changes (typo fixes, clarifications) may be made without notice. The effective date at the top of this page reflects the most recent version.

13. Regional rights

California residents (CCPA / CPRA)

California residents have the right to know what personal information we collect, request deletion of personal information, request correction of inaccurate personal information, and opt out of any "sale" or "sharing" of personal information as those terms are defined under California law.

Sensitive Personal Information. California Civil Code § 1798.140(ae)(4) defines the contents of mail, email, and text messages (where the business is not the intended recipient) as "sensitive personal information." We treat the contents of the receipt emails we read on your behalf as sensitive personal information. We do not use that information for any purpose other than (i) providing the receipt-tracking, return-window, and renewal-reminder features you signed up for, (ii) the limited internal-operations purposes permitted by California regulations (such as security, debugging, and short-term transient use to deliver the service), and (iii) AI-based parsing of receipt emails as described in §2, which is how the service's core feature is provided. Because our use of sensitive personal information is already limited to these statutorily permitted purposes, the CCPA does not require us to offer a separate "Limit the Use of My Sensitive Personal Information" link.

Do Not Sell or Share. We do not sell personal information, and we do not share personal information for cross-context behavioral advertising, as those terms are defined in the CCPA/CPRA. We therefore are not required to display a "Do Not Sell or Share My Personal Information" link, but if our practices change, we will provide that mechanism before the change takes effect. We also recognize Global Privacy Control (GPC) browser signals on returnscribe.com as a valid opt-out signal if we ever process personal information in a manner that constitutes "sale" or "sharing" under the CCPA.

Notice at Collection. The categories of personal information we collect, the purposes for collection, the categories of recipients (sub-processors), and the retention periods are described in §§2, 4, 5, and 8 of this Policy, which together constitute our Notice at Collection under California Civil Code § 1798.100(a).

Non-Discrimination. We will not deny you the service, charge you different prices, or provide a different level or quality of service because you exercised any CCPA rights.

Response Timeframe. We will confirm receipt of a verifiable consumer request within 10 business days and respond substantively within 45 calendar days, with one 45-day extension where reasonably necessary and with notice to you.

To exercise any California right, contact privacy@returnscribe.com.

EEA, UK, and Switzerland users (GDPR / UK GDPR)

Note: ReturnScribe is initially available in the United States, Canada, Australia, and New Zealand App Stores. The EEA, UK, and Switzerland are planned for a future release. The following describes how we will handle your data when service launches in those regions. We will finalize our EEA/UK legal-basis analysis and any required consent mechanics before making ReturnScribe available in those regions.

Data Controller and Contact. For users in the EEA, UK, and Switzerland, the data controller of personal data processed by ReturnScribe is the operator of ReturnScribe, reachable at privacy@returnscribe.com.

EU/UK Representative under Article 27. When ReturnScribe launches in the EEA and the UK, we will appoint and identify here a representative established in the EU under GDPR Article 27 and a representative established in the UK under UK GDPR Article 27. Until that appointment is made and disclosed, ReturnScribe is not offered in the EEA or the UK, and we do not intend to target users in those regions.

Legal Bases. We process your personal data on the following bases: (a) performance of a contract (Art. 6(1)(b)) to provide the receipt-tracking service, including the AI parsing of receipt emails that is integral to it; (b) your consent (Art. 6(1)(a)) for optional communications such as launch announcements, which you may withdraw at any time without affecting the lawfulness of prior processing; and (c) our legitimate interests (Art. 6(1)(f)) in operating, securing, and improving the service. Where we read the contents of receipt emails, this may constitute processing of "special categories of personal data" (Art. 9) only in unusual cases (e.g., a receipt revealing health-related purchases); we rely on your explicit consent under Art. 9(2)(a) for such incidental processing.

International Transfers. Personal data is stored and processed in the United States. The United States does not currently benefit from a general European Commission adequacy decision, although an "EU–U.S. Data Privacy Framework" decision is in place for certified U.S. recipients. When we serve EEA/UK users, we will rely on the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914 and the UK ICO International Data Transfer Addendum) with our U.S. sub-processors, supplemented as required.

Your Rights. You have the rights of access, rectification, erasure, restriction, portability, objection, and the right not to be subject to solely automated decisions producing legal or similarly significant effects. You may lodge a complaint with a supervisory authority in your member state of residence, place of work, or place of the alleged infringement, or with the UK Information Commissioner's Office at ico.org.uk. Contact privacy@returnscribe.com to exercise any right.

Canada (PIPEDA)

Our Privacy Officer for purposes of PIPEDA is reachable at privacy@returnscribe.com. We will respond to access and correction requests within 30 days as required by PIPEDA. Personal information of Canadian users is stored and processed in the United States; we use contractual safeguards with our U.S. service providers to provide a comparable level of protection. If a breach of security safeguards creates a real risk of significant harm, we will notify the Office of the Privacy Commissioner of Canada and affected users.

Australia (Privacy Act 1988 / Australian Privacy Principles)

We are likely to disclose personal information to overseas recipients, primarily in the United States. You may complain to us at privacy@returnscribe.com; if you are not satisfied, you may complain to the Office of the Australian Information Commissioner (oaic.gov.au). Where required, we will notify affected individuals and the Commissioner under the Notifiable Data Breaches scheme.

New Zealand (Privacy Act 2020)

Personal information of New Zealand users is sent overseas to the United States for storage and processing by our service providers acting as our agents. We will notify the Office of the Privacy Commissioner and affected individuals of any notifiable privacy breach.

14. Account deletion

You can delete your ReturnScribe account from within the app at Settings → Security → Delete Account. Account deletion permanently removes:

  • Your account and authentication data from our servers.
  • All purchase records, subscription tracking, and parser data we have stored on your behalf.
  • All synced data across your devices.

Account deletion completes no later than 30 days after the request (see §8). Once deleted, your data cannot be recovered.

Important: Deleting your ReturnScribe account does not cancel any active App Store subscriptions. To manage or cancel App Store subscriptions, visit Settings → Apple ID → Subscriptions on your iOS device, or follow Apple's instructions at support.apple.com/billing.

15. Contact

Privacy questions or requests: privacy@returnscribe.com
General contact: info@returnscribe.com
Postal correspondence available on request.
In-app access: A link to this Privacy Policy is available within the App at Settings → Privacy & Data → Privacy Policy.

© 2026 ReturnScribe. All rights reserved. v1.0 · returnscribe.com