Privacy Policy

Effective date: April 27, 2026 · Last updated: April 28, 2026

ReturnScribe is a native iOS app that helps you track purchases — return windows and subscription renewals — by scanning purchase confirmation emails on your device. This policy describes exactly what data we collect, what we don't, how it's processed, and the rights you have over it. It is written specifically for ReturnScribe and is not a generic template.

1. Who this policy applies to

This policy applies to the ReturnScribe iOS app (the "App") and the returnscribe.com website. The App is operated from the Commonwealth of Virginia, United States.

2. Data we collect

  • Email address. Used for account creation, authentication, and product communication you opt into (e.g., launch announcements, deadline reminders by email if enabled). ReturnScribe supports four sign-in methods: Sign in with Apple, Sign in with Google (for app authentication, separate from Gmail data access), magic link, and email + password.
  • OAuth tokens for Gmail and Microsoft Outlook. When you connect a mailbox, the App stores OAuth refresh tokens for that provider. Tokens are stored encrypted on your device, in the iOS Keychain, with the accessibility attribute kSecAttrAccessibleWhenUnlockedThisDeviceOnly. They are never synced to iCloud and are never transmitted to our servers.
  • Structured purchase data extracted from email. The App parses purchase confirmation and subscription receipt emails and persists structured fields only — for example: merchant name, purchase amount, currency, purchase date, return window, order identifier, subscription renewal date, billing cadence, and trial-end date.
  • Device push notification token. If you enable push notifications, an APNs (Apple Push Notification service) device token is collected so we can send reminder notifications.
  • Basic operational logs. Server-side request logs (timestamps, error codes, IP address) are retained for 30 days for debugging and abuse prevention.

3. Data we do not collect

  • Raw email bodies. Raw email content is never persisted to our servers and is never written to long-term on-device storage. After parsing, raw text is discarded — this is enforced in the codebase by a compile-time invariant on the storage model.
  • A 256 KB body cap is applied before parsing so that unusually large emails cannot be processed beyond what is necessary to extract structured purchase fields.
  • Email metadata beyond purchase confirmations. We do not index, store, or analyze general inbox metadata (sender lists, thread maps, calendar invites, etc.).
  • Contacts, calendar, files, photos, location, or any non-purchase email content. The App does not request these permissions.
  • Advertising identifiers. We do not collect IDFA, do not integrate any ad SDKs, and do not perform any cross-app or cross-site tracking.
  • Behavioural analytics. No third-party analytics SDK (Google Analytics, Mixpanel, Amplitude, Segment, etc.) is integrated in the App.

4. How data is processed

  • Email scanning happens on-device. When the App fetches your messages over the Gmail or Microsoft Graph API, parsing runs locally on your iPhone. Raw message bodies do not leave your device.
  • Read-only OAuth scopes. The OAuth scopes ReturnScribe requests are read-only (https://www.googleapis.com/auth/gmail.readonly for Gmail; Mail.Read for Microsoft Graph). The App cannot send, delete, label, or modify any message in your mailbox.
  • OAuth uses PKCE. Authorization Code flow with PKCE is used for both providers. We never see your provider password.
  • On-device storage uses NSFileProtectionComplete. The structured purchase database (a SwiftData store) is encrypted at rest with the strongest iOS file protection class — meaning the file is unreadable while the device is locked.
  • App lock. The App supports Face ID / Touch ID with passcode fallback to gate access to your data even when the device is unlocked.
  • Optional cross-device sync via Supabase. If you opt into account sync, only the structured purchase data described in §2 is transmitted, encrypted in transit (TLS), and stored in our Supabase project (US region; us-east-1). Row-level security policies restrict every row to the authenticated user who owns it. Raw email content is never transmitted or synced.
  • Rate limiting. A custom token-bucket rate limiter throttles outbound requests to email provider APIs to stay within their published limits.

5. Third-party services we use

  • Google. Sign in with Google for app authentication, separate from Gmail data access. Gmail OAuth and read-only Gmail API for users who connect a Google mailbox. Google's handling of that data is governed by the Google Privacy Policy. ReturnScribe's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
  • Microsoft. Microsoft Graph OAuth and read-only mail API for users who connect a Microsoft account. Governed by the Microsoft Privacy Statement.
  • Supabase. Authentication and (optionally) cross-device sync of structured purchase data. Servers in the United States. See the Supabase privacy policy.
  • Resend. Transactional email — magic-link sign-in and any email-based reminders. See the Resend privacy policy.
  • Apple. Sign in with Apple for app authentication, including Apple's "Hide My Email" relay if you choose it (relay addresses do not auto-link with other sign-in methods using your real email). Apple Push Notification service (APNs) for push delivery. See the Apple privacy policy.
  • Cloudflare. Hosting, DNS, and email forwarding for returnscribe.com via Cloudflare Pages and Cloudflare Email Routing. Email sent to addresses at returnscribe.com (e.g., privacy@, info@) is forwarded by Cloudflare to our operational inbox. See the Cloudflare privacy policy.
  • RevenueCat. Subscription management and entitlement tracking. When you start a free trial or purchase a subscription, RevenueCat receives a pseudonymous user identifier and the relevant Apple StoreKit transaction details. RevenueCat does not receive your email content or any purchase data extracted from your inbox. See the RevenueCat privacy policy.

We do not sell, rent, or share your personal data with any third party for advertising, marketing, profiling, or any other purpose outside the operational scope above.

6. Limited Use disclosure (Google API user data)

ReturnScribe's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically: data accessed via Gmail API scopes is used only to provide the user-facing features of ReturnScribe (parsing purchase confirmation and subscription receipt emails for return-window and renewal-tracking), is not used for advertising, is not transferred to others except as necessary to provide or improve those user-facing features or to comply with applicable law, and is not read by humans except with the user's explicit consent for support, when required for security purposes, or to comply with applicable law. Data accessed via Gmail API scopes is not used to develop, improve, or train generalized AI and/or ML models, and is not transferred to others for that purpose.

7. Your rights

  • Access. All purchase data ReturnScribe holds about you is viewable inside the App.
  • Export / portability. You can export your purchase data from the App at any time as a structured file (JSON / CSV).
  • Deletion. You can revoke a connected mailbox or delete your entire account from inside the App. Account deletion removes all server-side data and deletes OAuth tokens stored on your device. Where supported by the provider's API (Google), ReturnScribe also calls the provider's token revocation endpoint to invalidate access. Microsoft does not expose a public token revocation endpoint under the read-only mail scope ReturnScribe uses; you can fully revoke access at any time at https://account.live.com/consent/Manage. You can also revoke Google access directly at https://myaccount.google.com/permissions.
  • Correction. You can edit the structured fields associated with any purchase (e.g., correcting a parsed amount or date) directly in the App.
  • Withdraw consent. You can disconnect any mailbox at any time. This deletes the associated tokens from the Keychain, calls the provider's revocation endpoint where supported (Google), and stops further scanning.
  • Privacy contact. Reach us at privacy@returnscribe.com for any privacy-related question or request. We will respond within the timeframes required by applicable law — generally within 30 days for GDPR/UK GDPR requests and within 45 days for CCPA/CPRA requests, with extensions where permitted.

8. Data retention

  • Local device data. Retained until you delete the App, sign out, or revoke the connected mailbox.
  • Server-side synced data (if you opt in). Retained until you delete your account, after which it is removed from primary storage immediately and from backups within 30 days.
  • Operational server logs. 30 days, then deleted.

9. Children's privacy

ReturnScribe is not directed to children under 13 (or under 16 where required by local law). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact privacy@returnscribe.com and we will delete it.

10. International users

ReturnScribe is operated from the United States. If you use the App from outside the United States, you understand that any data synced to our servers is processed and stored in the US.

11. Security

We implement reasonable security measures: read-only OAuth scopes, Keychain-stored tokens with device-only accessibility, encrypted on-device storage with the strongest iOS file protection class, TLS for all network transit, row-level security on the backend, and per-account purchase ID namespacing to prevent cross-account collisions. No system is perfectly secure, but the architecture is designed so that a server compromise cannot expose your raw email content — because we don't have it.

12. Changes to this policy

If we make material changes to this policy, we will provide notice in-app or by email to active users at least 14 days before the change takes effect. Non-material changes (typo fixes, clarifications) may be made without notice. The effective date at the top of this page reflects the most recent version.

13. Regional rights

California residents (CCPA / CPRA). California residents have the right to know what personal information we collect, request deletion of personal information, request correction of inaccurate personal information, and opt out of any "sale" or "sharing" of personal information as those terms are defined under California law. ReturnScribe does not sell personal information and does not share personal information for cross-context behavioral advertising. We do not use or disclose sensitive personal information for purposes that would require a separate right to limit. To exercise any California right, contact privacy@returnscribe.com. We will respond within the timeframes required by California law.

EEA, UK, and Switzerland users (GDPR / UK GDPR). If you are in the European Economic Area, the United Kingdom, or Switzerland, you have rights under the GDPR or UK GDPR including: access, rectification, erasure, restriction of processing, data portability, objection to processing, and the right to lodge a complaint with your local supervisory authority. Our legal basis for processing the data described in §2 is your consent (which you can withdraw at any time by disconnecting a mailbox or deleting your account) and our legitimate interest in operating the App. Contact privacy@returnscribe.com to exercise any of these rights.

Note: ReturnScribe is currently available only in the United States App Store at launch. EEA/UK availability is planned for a future release.

14. Account deletion

You can delete your ReturnScribe account from within the app at Settings → Security → Delete Account. Account deletion permanently removes:

  • Your account and authentication data from our servers.
  • All purchase records, subscription tracking, and parser data we have stored on your behalf.
  • All synced data across your devices.

Account deletion completes within 30 days. Once deleted, your data cannot be recovered.

Important: Deleting your ReturnScribe account does not cancel any active App Store subscriptions. To manage or cancel App Store subscriptions, visit Settings → Apple ID → Subscriptions on your iOS device, or follow Apple's instructions at support.apple.com/en-us/HT202039.

15. Contact

Privacy questions or requests: privacy@returnscribe.com
General contact: info@returnscribe.com
Postal correspondence available on request.

© 2026 ReturnScribe. All rights reserved. v1.0 · returnscribe.com