Privacy Policy
Effective: May 11, 2026
Receipts ("Receipts", "we", "us", or "our") operates the website at checkreceiptsai.com and the related @checkreceiptsai X reply bot (together, the "Service"). This Privacy Policy explains what information we collect, how we use it, and the choices you have. By using the Service, you agree to the practices described here.
1. Summary
- We collect the minimum information needed to run a subscription product: an email address, billing metadata from Stripe, and basic server logs.
- We do not sell your personal information, and we do not use it for behavioral advertising.
- The "creator" data shown on the Service is built from publicly available posts on X (Twitter); we don't pull anything private.
- The Service is informational only. It is not financial advice, and we are not a broker-dealer, investment adviser, or financial planner. See our Terms of Service for the full disclosure.
2. Information we collect
Information you give us
- Account credentials. When you create a Receipts account, we use Google Sign-In via Firebase Authentication. Google passes us your verified email address, a Firebase user ID, your display name, and your profile photo URL. We do not see your Google password.
- Date of birth. At signup we collect your date of birth so we can confirm you are at least 18 years old. We store the date you submitted along with the timestamp at which you cleared the age check, so we can demonstrate compliance with our minimum-age requirement. We do not share your date of birth with third parties.
- Subscription email. When you subscribe, Stripe shares the email you used at checkout so we can grant access and contact you about your subscription.
- Search input. When you submit a handle or URL through the search box, we use that input to fetch the corresponding public X account.
- Support correspondence. If you contact us by email, we keep the message and reply.
Information Stripe collects on our behalf
Payments are processed by Stripe, Inc. We do not see or store your full card number, CVV, or bank credentials. Stripe sends us a customer ID, subscription status, and the email used at checkout. Stripe's own privacy practices apply to their handling of your payment information.
Information we collect automatically
- Server logs. Standard request logs (timestamp, request path, response code, IP address, user agent) for security, debugging, and abuse prevention. Logs are short-lived.
- Access cookie. A single signed cookie ("ot_access") that carries your subscriber email so we don't have to ask you to log in on every page. The cookie is signed with a server-side secret; it is not a tracking cookie and is not shared with third parties.
Information we do not collect
- We do not run third-party advertising trackers, fingerprinting scripts, or social-media pixels.
- We do not collect government IDs, brokerage logins, account numbers, holdings, or trading activity.
- We do not request location data.
3. Public information about analyzed accounts
Receipts is built to score the public posting history of stock-pick accounts on X. When you look up a handle, we fetch their public cashtag-bearing tweets via the X API and run an automated extraction to identify the ticker and sentiment of each post. We then simulate a hypothetical $1,000-per-call trade against publicly available end-of-day price data.
All such content is, by its nature, already public on X. We treat the underlying tweet text, the timestamp, the linked ticker, and the resulting simulation as factual reporting of public statements. We do not claim copyright over the original tweets, and the analyzed account holders are not customers of Receipts merely by virtue of having a profile generated on the Service. An analyzed creator can request removal at any time. See Section 9.
4. How we use information
- Provision access to the Service and the leaderboard / per-creator views.
- Process payments and manage subscriptions through Stripe.
- Send transactional emails (receipts, password-reset analogues, security notices, material policy changes).
- Monitor and protect the Service from abuse, fraud, and unauthorized access.
- Improve the Service. Debugging, capacity planning, performance optimization.
- Comply with applicable law and respond to legal requests.
We do not use your personal information to train large language models or to sell to data brokers.
5. Third-party processors
We rely on a small set of vendors to operate the Service. Each receives only the information needed to perform its function.
- Google / Firebase Authentication. Handles the Google Sign-In flow and issues the session identity we associate with your account. Google's Privacy Policy applies to their handling of your Google identity.
- Stripe, Inc. Subscription billing.
- X Corp. Read-only access to public tweets via the X API.
- Anthropic, PBC. Automated classification of tweet content via the Claude API. Tweet text submitted to Anthropic is processed per Anthropic's enterprise/API terms; we have configured the integration so that prompts are not used to train their models.
- Google Cloud (Firestore, Cloud Run, Cloud Scheduler). Hosting, storage, and scheduling.
- Yahoo Finance / yfinance. Publicly available historical price data for backtesting.
- unavatar.io. Avatar images for analyzed X handles.
6. Cookies
We use a single first-party cookie, "ot_access", to maintain your signed-in subscription state. The cookie is signed (HMAC) with a server-side secret, does not contain tracking identifiers, and is not shared with third parties. We do not use third-party analytics or advertising cookies.
7. Data retention
- Subscriber email and subscription status are retained for as long as your account is active and for up to 24 months afterward for tax, billing, and dispute purposes.
- Server logs are retained for up to 30 days.
- Cached analyses of public X accounts may be retained indefinitely as part of the Service's research corpus; on request from the analyzed account holder, we will remove or anonymize their profile within a reasonable time.
8. Security
We use industry-standard practices to protect the Service: TLS in transit, encrypted storage at rest via Google Cloud, least-privilege access controls, and signed session cookies. No method of electronic storage or transmission is perfectly secure; we cannot guarantee absolute security.
9. Your rights and choices
Depending on where you live, you may have the right to access, correct, port, delete, or restrict the processing of your personal information, and to object to certain uses. To exercise any of these rights, email privacy@checkreceiptsai.com. We will respond within a reasonable time and may need to verify your identity.
If you are an analyzed creator and would like your profile removed from the Service, email privacy@checkreceiptsai.com from the email on your X account (or DM us from that handle), and we will remove your cached analysis within 7 business days.
You can cancel your subscription at any time from the Stripe billing portal linked from the leaderboard page.
10. Children's privacy
The Service is not intended for individuals under 16 and we do not knowingly collect personal information from anyone under 16. If you believe a minor has provided us information, contact us and we will delete it.
11. International users
The Service is operated from the United States. If you access the Service from another jurisdiction, you understand that your information will be transferred to, stored, and processed in the United States. Where required by law, we rely on appropriate transfer mechanisms.
12. Changes to this policy
We may update this policy from time to time. Material changes will be announced on the Service and, where appropriate, by email at least 7 days before they take effect. The "Effective" date at the top of this page reflects the latest version.
13. Contact
Questions about this policy? Email privacy@checkreceiptsai.com.
Nothing on this page should be construed as financial, investment, legal, or tax advice. See our Terms of Service for the full disclosure.