Privacy Policy

1. Introduction

Welcome to TiCloud Receipt Management System. We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, process, and protect your data when you use our mobile application, web application, and related services (collectively, the "Services").

By using TiCloud, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your personal information as described herein. If you do not agree with this Privacy Policy, please do not use our Services.

2. Data Controller Information

Service Name: TiCloud Receipt Management System

Legal Entity: [Your Company Legal Name]

Registration Number: [Company Registration Number]

Registered Address: [Complete Business Address]

Email: privacy@ticloud.app

Data Protection Officer: dpo@ticloud.app

For EU/EEA residents, we act as the Data Controller for your personal information. For California residents, we are a Business under CCPA/CPRA.

3. Information We Collect

3.1 Information You Provide Directly

• Account Information: Name, email address, phone number (optional), password (encrypted)
• Profile Information: User preferences, settings, language preferences
• Receipt Data: Receipt images, merchant names, transaction amounts, dates, items purchased, payment methods, tax information
• QR/Barcode Data: Unique user identifiers generated for merchant interactions
• Communication Data: Support requests, feedback, correspondence with our team

3.2 Information Collected Automatically

• Device Information: Device type, operating system, device identifiers, mobile network information
• Usage Data: Features used, time spent, interaction patterns, error logs
• Location Data: IP address, general location (country/city level only, derived from IP)
• Camera Data: Receipt images captured through device camera (processed locally, then uploaded)
• Technical Data: Browser type, app version, crash reports, performance metrics
• Authentication Data: Biometric authentication hashes (stored locally on device only)

3.3 Information from Third Parties

• OAuth Providers: If you sign in through third-party services (future feature), we may receive basic profile information
• Payment Processors: Transaction confirmation data (we do not store complete payment card numbers)
• AI Service Providers: Processed receipt data from OpenAI Vision API (see Section 5)

4. How We Use Your Information

We process your personal information for the following purposes:

4.1 Service Provision

• Create and manage your account
• Process and store your receipts
• Extract data from receipt images using OCR and AI
• Generate QR codes and barcodes for merchant interactions
• Provide search and organizational features
• Enable merchant-customer interactions
• Synchronize data across your devices

4.2 Service Improvement

• Analyze usage patterns to improve functionality
• Troubleshoot technical issues
• Develop new features
• Enhance user experience
• Conduct quality assurance testing

4.3 Communication

• Send service-related notifications
• Provide customer support
• Send security alerts
• Notify about account changes
• Send verification emails
• Respond to inquiries

4.4 Security and Fraud Prevention

• Verify user identity
• Detect and prevent fraud
• Monitor for suspicious activity
• Enforce our Terms of Service
• Protect against security threats

4.5 Legal Compliance

• Comply with legal obligations
• Respond to legal requests
• Protect our legal rights
• Enforce agreements

5. AI Model Training and Data Analytics

5.1 Purpose of AI Training

We use receipt data to:

• Train machine learning models for improved receipt recognition
• Enhance OCR (Optical Character Recognition) accuracy
• Improve automatic merchant detection
• Develop better data extraction algorithms
• Create spending pattern analytics
• Generate aggregate market insights

5.2 Pseudoanonymization Process

Before any data is used for AI training, we apply strict pseudoanonymization:

• Personal Identifiers Removed: Names, email addresses, phone numbers, account IDs are stripped
• Images Processed: Receipt images are analyzed and converted to structured data; personal information visible in images is redacted
• UUID Replacement: All user identifiers are replaced with random UUIDs with no linkage to original users
• Date Generalization: Specific timestamps are generalized to month/year only
• Location Obfuscation: Precise locations are generalized to city or region level
• No Re-identification: Pseudoanonymized data cannot be reasonably linked back to you without additional information that we keep separate and secured

5.3 Third-Party AI Services

We currently use the following AI services:

• OpenAI Vision API: For receipt image analysis and text extraction
  • Data sent: Receipt images only (not linked to your identity)
  • Purpose: Extract merchant names, amounts, items, dates
  • Retention by OpenAI: According to OpenAI's data retention policy
  • Privacy Policy: https://openai.com/privacy

5.4 Your Control Over AI Training

You can opt out of AI training:

• Email us at ai-optout@ticloud.app with your account email
• We will mark your account for exclusion from AI training datasets within 30 days
• This will not affect your ability to use our core services
• Previously collected pseudoanonymized data cannot be removed from existing training sets as it's not linked to your identity

5.5 AI Training Data Retention

• Pseudoanonymized training datasets are retained indefinitely for model improvement
• Original linkage tables connecting pseudonymized data to real identities are deleted after 90 days
• Once pseudoanonymized, data is considered non-personal under GDPR Article 11

6. Commercial Use and Metadata Sales

6.1 Types of Metadata We May Sell

Aggregate, anonymized insights only (never individual data):

• Market Trends: Spending patterns by category, geography, time period
• Merchant Analytics: Popular merchants, average transaction sizes, customer visit frequency (aggregated)
• Consumer Behavior: Shopping patterns, seasonal trends, category preferences (anonymized)
• Price Intelligence: Average prices for products/services across regions
• Industry Reports: Retail analytics, market share estimates, consumer spending indices

6.2 What We Never Sell

We do NOT sell:

• ❌ Individual user profiles or personally identifiable information
• ❌ Your name, email, phone number, or contact details
• ❌ Individual receipt images or transaction details
• ❌ Data that can be traced back to specific individuals
• ❌ Sensitive personal information (health data, financial account numbers, etc.)
• ❌ Data of users under 18 years of age
• ❌ Non-anonymized location tracking data

6.3 Aggregation and Anonymization Standards

Before any metadata is sold, we ensure:

• Minimum Aggregation: Data represents at least 100 unique users
• Statistical Disclosure Control: Prevents reverse engineering to identify individuals
• k-anonymity: Each data point is indistinguishable from at least k-1 other data points (k ≥ 5)
• No Linkage: Sold metadata cannot be combined with other datasets to re-identify users
• Expert Review: Independent privacy experts review anonymization processes quarterly

6.4 Opt-Out of Commercial Data Use

You have the right to opt out:

• Email: metadata-optout@ticloud.app
• Include your account email address
• We will exclude your data from future commercial metadata aggregations within 30 days
• For California residents, this is your right to "opt-out of sale" under CCPA/CPRA
• For other US states, this satisfies your right to opt-out of targeted advertising and profiling

6.5 Metadata Purchasers

We may provide anonymized metadata to:

• Market research firms
• Consumer insights companies
• Retail analytics platforms
• Business intelligence services
• Academic researchers (for non-commercial research)
• Government agencies (for economic statistics, anonymized only)

All purchasers must sign agreements prohibiting re-identification attempts and ensuring compliance with applicable privacy laws.

7. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process your personal data based on the following legal grounds:

Legitimate Interest Assessment: We have conducted a Legitimate Interest Assessment (LIA) for AI training and commercial data use. Our legitimate business interests are balanced against your privacy rights, and we provide easy opt-out mechanisms.

8. Data Sharing and Third Parties

8.1 Service Providers

We share personal information with third-party service providers who perform services on our behalf:

• Cloud Hosting: AWS, Google Cloud, or similar (for data storage)
• FTP Storage: Secure FTP servers for receipt image storage
• AI Processing: OpenAI (for receipt text extraction)
• Email Services: Email delivery providers (for verification and notifications)
• Analytics: Usage analytics platforms (anonymized data only)
• Security Services: reCAPTCHA (Google) for fraud prevention

All service providers are contractually bound to:

• Process data only per our instructions
• Implement appropriate security measures
• Delete or return data upon request
• Comply with GDPR, CCPA, and other applicable laws
• Execute Data Processing Agreements (DPAs) with Standard Contractual Clauses (SCCs)

8.2 Merchants

When you scan a QR code at a merchant:

• We share your unique user identifier (UUID) with the merchant
• Merchants can create receipts linked to your account
• Merchants can view receipts they created for you
• We DO NOT share your name, email, phone, or other personal details with merchants unless you explicitly authorize it

8.3 Legal Requirements

We may disclose personal information if required by law:

• Court orders, subpoenas, or legal process
• Law enforcement or government requests (when legally obligated)
• Protection of our rights, property, or safety
• Investigation of fraud or security issues
• Enforcement of our Terms of Service

We will notify you of legal requests unless prohibited by law.

8.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets:

• Your personal information may be transferred to the successor entity
• We will notify you via email and prominent notice on our Services
• You will have the opportunity to opt-out or delete your account
• The successor entity must honor this Privacy Policy

8.5 Metadata Purchasers (See Section 6)

Anonymized, aggregated metadata only - never personal information.

9. International Data Transfers

TiCloud operates globally. Your data may be transferred to and processed in countries outside your country of residence, including the United States, European Union member states, and other jurisdictions.

9.1 Transfers from EU/EEA/UK

For transfers outside the EU/EEA/UK, we ensure adequate protection through:

• Standard Contractual Clauses (SCCs): EU Commission-approved SCCs with all non-EU processors
• Adequacy Decisions: Transfers to countries deemed adequate by the EU Commission
• Binding Corporate Rules: For intra-company transfers (if applicable)
• Additional Safeguards: Encryption in transit and at rest, access controls, regular audits

9.2 Transfers from Canada

For Canadian users (PIPEDA compliance):

• We ensure foreign processors provide comparable protection
• Contractual agreements require PIPEDA-equivalent safeguards
• We inform you when data is transferred outside Canada

9.3 US-Based Processing

Some data processing occurs in the United States. We comply with:

• EU-US Data Privacy Framework (if certified)
• Swiss-US Data Privacy Framework (if certified)
• Standard Contractual Clauses as fallback mechanism

9.4 Your Rights Regarding Transfers

You have the right to:

• Request information about where your data is stored and processed
• Obtain copies of the safeguards in place (SCCs, BCRs, etc.)
• Object to international transfers (may limit service availability)

10. Data Retention

10.1 Active Accounts

• Receipt Data: Retained as long as your account is active, plus 90 days after deletion request
• Account Information: Retained for the duration of your account plus 3 years (for legal compliance)
• Transaction History: Retained for 7 years (tax and accounting requirements)
• Communication Records: Customer support records retained for 3 years

10.2 Deleted Accounts

• Personal Data: Deleted within 90 days of account deletion request
• Backups: May persist in backups for up to 180 days, then automatically purged
• Legal Hold Data: Data subject to legal hold retained until hold is lifted
• Anonymized Data: May be retained indefinitely (no longer considered personal data)

10.3 Inactive Accounts

• Accounts inactive for 5 years will receive email notification
• If no response within 90 days, account will be scheduled for deletion
• Anonymized usage statistics may be retained

10.4 AI Training Data (Pseudoanonymized)

• Pseudoanonymized datasets retained indefinitely for model training
• Linkage to original users destroyed after 90 days
• Complies with GDPR Article 89 (processing for archiving, research, and statistical purposes)

11. Your Rights (All Jurisdictions)

Regardless of your location, you have the following rights:

11.1 Right to Access

• Request a copy of all personal data we hold about you
• Receive data in a structured, commonly used, machine-readable format (JSON, CSV)
• Response time: Within 30 days
• Free of charge (first request per year)

11.2 Right to Rectification

• Correct inaccurate personal data
• Complete incomplete personal data
• Update account information directly in app settings

11.3 Right to Erasure ("Right to be Forgotten")

• Request deletion of your personal data
• We will comply within 30 days unless legal obligations require retention
• Exceptions: Legal compliance, pending transactions, fraud prevention
• Note: Anonymized/pseudoanonymized data cannot be deleted as it's not linked to you

11.4 Right to Restriction of Processing

• Temporarily limit how we use your data
• Applicable when accuracy is contested or processing is unlawful

11.5 Right to Data Portability

• Receive your data in machine-readable format
• Transfer your data to another service
• Export functionality available in app settings

11.6 Right to Object

• Object to processing based on legitimate interests
• Object to direct marketing (opt-out anytime)
• Object to AI training (see Section 5.4)
• Object to commercial metadata use (see Section 6.4)

11.7 Right to Withdraw Consent

• Withdraw consent for processing based on consent at any time
• Does not affect lawfulness of processing before withdrawal

11.8 Right to Lodge a Complaint

• File complaints with supervisory authorities (see Section 21)
• We encourage contacting us first to resolve issues

11.9 How to Exercise Your Rights

Contact us at:

• Email: privacy@ticloud.app
• In-app: Settings > Privacy > Data Rights Request
• Mail: [Physical Address]

We will respond within:

• 30 days (GDPR, most jurisdictions)
• 45 days (CCPA/CPRA, extendable to 90 days)
• We may request identity verification before processing requests

12. Additional Rights for US Residents

12.1 California Residents (CCPA/CPRA)

You have the right to:

• Know: Request disclosure of personal information collected, used, disclosed, or sold (past 12 months)
• Delete: Request deletion of personal information (subject to exceptions)
• Opt-Out of Sale/Sharing: Opt-out of sale of personal information and sharing for cross-context behavioral advertising
• Correct: Request correction of inaccurate personal information
• Limit Use of Sensitive Personal Information: If we use sensitive data beyond service provision
• Non-Discrimination: We will not discriminate against you for exercising your rights
• Authorized Agent: Designate an authorized agent to make requests on your behalf

Categories of Personal Information Collected (CCPA):

• Identifiers (name, email, IP address)
• Commercial information (receipt data, purchase history)
• Internet/network activity (usage data, device info)
• Geolocation data (approximate location from IP)
• Visual information (receipt images, photos)
• Inferences (spending patterns, preferences)

Do Not Sell My Personal Information:

We do not "sell" personal information as traditionally understood. However, sharing anonymized metadata may be considered a "sale" under broad CCPA definitions. To opt-out: donotsell@ticloud.app

Shine the Light Law (California Civil Code § 1798.83): California residents may request information about disclosure of personal information to third parties for direct marketing purposes. Contact: cashine@ticloud.app

12.2 Virginia (VCDPA)

Virginia residents have rights similar to CCPA, including:

• Access and portability
• Correction
• Deletion
• Opt-out of targeted advertising, sale, and profiling

12.3 Colorado (CPA)

Colorado residents have the right to:

• Opt-out of targeted advertising and sale of personal data
• Access, correct, and delete personal data
• Data portability

12.4 Connecticut (CTDPA)

Connecticut residents have similar rights to Virginia and Colorado residents.

12.5 Utah (UCPA)

Utah residents have the right to:

• Access and delete personal data
• Opt-out of sale and targeted advertising
• Data portability

12.6 Other US States

As additional states enact privacy laws, we will comply with their requirements and update this policy accordingly.

13. Additional Rights for Canadian Residents (PIPEDA)

Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to:

• Know Why: Understand why we collect personal information before or at the time of collection
• Consent: Meaningful consent for collection, use, and disclosure
• Access: Access your personal information and know how it's been used
• Challenge Accuracy: Challenge the accuracy and completeness of your information
• Withdraw Consent: Withdraw consent at any time (subject to legal restrictions)
• Complaint: File complaints with the Office of the Privacy Commissioner of Canada

Quebec Residents (Law 25)

For Quebec residents, additional rights under Bill 64/Law 25:

• Right to portability of personal information
• Right to de-indexing (removal from search results)
• Enhanced consent requirements for minors (under 14)
• Mandatory data breach notifications

Contact for PIPEDA Requests: pipeda@ticloud.app

14. Additional Rights for UK Residents

Under the UK Data Protection Act 2018 and UK GDPR, you have rights equivalent to EU GDPR (Section 11), plus:

• Right to object to automated decision-making
• Right not to be subject to decisions based solely on automated processing
• Right to request human review of automated decisions

UK Supervisory Authority: Information Commissioner's Office (ICO)

Website: https://ico.org.uk

You have the right to lodge a complaint with the ICO.

UK Representative: [If you have UK operations, list UK representative contact]

15. Data Security

We implement industry-standard security measures to protect your personal information:

15.1 Technical Safeguards

• Encryption in Transit: TLS 1.2+ for all data transmission
• Encryption at Rest: AES-256 encryption for stored data
• Password Security: Bcrypt hashing with salt for password storage
• Secure FTP: Encrypted FTP connections for receipt image storage
• API Security: JWT tokens, rate limiting, DDoS protection
• Database Security: Encrypted PostgreSQL with access controls

15.2 Organizational Safeguards

• Access Controls: Role-based access, least privilege principle
• Employee Training: Regular privacy and security training for all staff
• Background Checks: For employees with data access
• Confidentiality Agreements: All staff and contractors sign NDAs
• Incident Response Plan: Documented procedures for data breaches
• Regular Audits: Quarterly security audits and penetration testing

15.3 Data Breach Notification

In the event of a data breach affecting personal information:

• EU/UK Residents: Notification to supervisory authority within 72 hours
• Affected Individuals: Direct notification without undue delay if high risk
• US Residents: Notification as required by state laws
• Canadian Residents: Notification to Privacy Commissioner and affected individuals
• Notification will include nature of breach, data affected, and remedial actions

15.4 Third-Party Security

• All third-party processors must meet our security standards
• Regular security assessments of vendors
• Contractual security obligations

16. Children's Privacy

Age Restrictions: TiCloud is not intended for children under 16 years of age (or 13 in jurisdictions where applicable).

• We do not knowingly collect personal information from children under 16
• If we discover we have collected data from a child under 16, we will delete it immediately
• Parents/guardians who believe their child has provided information should contact us immediately
• For EU residents: Parental consent required for children under 16 (or lower age set by member state)
• For US residents: COPPA compliance for children under 13
• For Quebec residents: Parental consent required for children under 14

If you are a parent/guardian: Contact childrenprivacy@ticloud.app to request deletion of a child's data.

17. Cookies and Tracking Technologies

17.1 Types of Cookies We Use

17.2 Mobile App Local Storage

• AsyncStorage: Stores authentication tokens and preferences locally on your device
• Biometric Data: Stored locally on your device only (never transmitted to our servers)
• Offline Cache: Temporary storage of receipt data for offline access

17.3 Third-Party Tracking

• reCAPTCHA: Google reCAPTCHA for bot detection (subject to Google's privacy policy)
• Analytics: We may use privacy-focused analytics (anonymized IP addresses)

17.4 Your Cookie Choices

• Browser settings: Disable non-essential cookies
• Cookie banner: Manage preferences (EU/UK users)
• Do Not Track: We respect DNT signals where legally required
• Global Privacy Control (GPC): We honor GPC signals for opt-out requests

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect:

• Changes in our practices
• New features or services
• Changes in legal requirements
• User feedback and best practices

Notice of Changes:

• Material Changes: Email notification + prominent in-app notice at least 30 days before effective date
• Minor Changes: Updated "Last Updated" date + in-app notification
• Continued Use: Continued use after changes constitutes acceptance (except where additional consent is required by law)

Version History: Previous versions available at: https://ticloud.app/privacy-history

19. Contact Information

20. Data Protection Officer

We have appointed a Data Protection Officer (DPO) as required by GDPR Article 37:

Name: Thomas Wyskiel

Email: dpo@ticloud.app

Responsibilities:

• Monitor compliance with GDPR and other data protection laws
• Advise on data protection impact assessments
• Cooperate with supervisory authorities
• Serve as point of contact for data subjects and authorities

21. Supervisory Authorities

You have the right to lodge a complaint with a supervisory authority, particularly in your country of residence, workplace, or where an alleged infringement occurred.

21.1 European Union

Find your local Data Protection Authority: https://edpb.europa.eu/about-edpb/board/members_en

21.2 United Kingdom

Information Commissioner's Office (ICO)

Website: https://ico.org.uk

Phone: 0303 123 1113

21.3 Canada

Office of the Privacy Commissioner of Canada

Website: https://www.priv.gc.ca

Phone: 1-800-282-1376

21.4 United States

Federal Trade Commission (FTC)

Website: https://www.ftc.gov

California Attorney General (CCPA/CPRA)

Website: https://oag.ca.gov/privacy

State-Specific Authorities: Contact your state Attorney General's office for privacy complaints.

Additional Legal Information

Automated Decision-Making and Profiling

We use automated processing for:

• Receipt Data Extraction: AI/OCR to extract merchant names, amounts, items from receipt images
• Merchant Matching: Fuzzy matching algorithms to link receipts to merchant database
• Spending Analytics: Automated categorization of expenses

These automated processes do not produce legal effects or significantly affect you. You have the right to request human review of any automated decision.

Data Protection Impact Assessments (DPIA)

We have conducted DPIAs for:

• AI model training using customer data
• Commercial metadata aggregation and sales
• Biometric authentication features
• International data transfers

Data Minimization

We collect only data necessary for stated purposes:

• Phone numbers are optional
• Location is approximate (IP-based) only
• We do not collect browsing history outside our Services

User Data Segregation

• User data is logically separated in our database
• Merchants can only access receipts they created
• Users can only access their own data
• Administrators have limited, audited access

Anonymization vs. Pseudonymization

Pseudonymized Data: Data with identifiers replaced by pseudonyms; linkage table destroyed after 90 days

Anonymized Data: Aggregated data representing 100+ users, impossible to re-identify

Only truly anonymized data is sold commercially (Section 6).

Transparency and Accountability

Records of Processing Activities

We maintain comprehensive records of all processing activities as required by GDPR Article 30.

Privacy by Design and Default

• Data protection measures integrated into all systems from inception
• Default settings provide maximum privacy
• Regular privacy impact assessments for new features

Third-Party Audits

We engage independent third parties to:

• Audit our privacy practices annually
• Verify anonymization effectiveness
• Test security controls
• Assess GDPR/CCPA compliance

Certifications and Frameworks

We strive to obtain and maintain:

• ISO 27001 (Information Security Management)
• SOC 2 Type II compliance
• Privacy Shield certification (where applicable)

Special Categories of Data

We do not intentionally collect sensitive personal information such as:

• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic data
• Health data (except if visible on receipts - see below)
• Sexual orientation

Incidental Sensitive Data on Receipts:

Receipts may inadvertently contain sensitive information (e.g., pharmacy purchases revealing health conditions). If you upload such receipts:

• We process this data only for service provision
• Sensitive fields are flagged and excluded from AI training
• Extra security measures apply
• You should redact sensitive information before uploading

Biometric Data:

• Face ID / Touch ID / Fingerprint data is processed ONLY on your local device
• Biometric templates never leave your device
• We only store a hash confirming biometric authentication is enabled
• Complies with GDPR Article 9, BIPA (Illinois), and other biometric laws

Your California Privacy Rights - Detailed

CCPA/CPRA Information Requirements

Personal Information Collected (Last 12 Months):

Business Purposes for Collection

1. Providing receipt management services
2. Processing and analyzing receipts
3. Customer support
4. Security and fraud prevention
5. Quality assurance and service improvement
6. Legal compliance

Right to Limit Use of Sensitive Personal Information

If we use or disclose sensitive personal information beyond service provision, you have the right to limit such use. Contact: sensitivelimit@ticloud.app

Authorized Agent Requests

To designate an authorized agent:

• Provide written authorization signed by you
• Agent must provide proof of authorization
• We may require direct verification from you

Accessibility

This Privacy Policy is designed to be accessible to all users:

• Available in multiple languages (English, French, Spanish, German)
• Screen reader compatible
• Plain language summaries provided
• Large print version available upon request
• Video explanation available at: https://ticloud.app/privacy-video

Request Alternative Format: accessibility@ticloud.app

Data Processing Addendum for Business Users

For merchant accounts processing customer data:

• Merchants act as Data Controllers for customer receipt data they create
• TiCloud acts as Data Processor on behalf of merchants
• Full Data Processing Agreement (DPA) available at: https://ticloud.app/dpa
• Includes Standard Contractual Clauses for international transfers
• Merchants must have legal basis to process customer data
• Merchants responsible for obtaining customer consent where required

Definitions

Personal Information/Data: Any information relating to an identified or identifiable natural person.

Processing: Any operation performed on personal data, including collection, storage, use, disclosure, and deletion.

Pseudoanonymization: Processing personal data so it can no longer be attributed to a specific individual without additional information, which is kept separately.

Anonymization: Irreversibly transforming data so individuals cannot be identified, directly or indirectly.

Controller: Entity that determines purposes and means of processing personal data.

Processor: Entity that processes personal data on behalf of the Controller.

Data Subject: Individual whose personal data is processed.

Consent: Freely given, specific, informed, and unambiguous indication of agreement to processing.

Dispute Resolution

Informal Resolution

We encourage you to contact us first with any privacy concerns: privacy@ticloud.app

We will investigate and respond within 30 days.

Formal Complaints

If informal resolution fails:

• EU/UK Residents: Lodge complaint with supervisory authority (Section 21)
• US Residents: File complaint with FTC or state Attorney General
• Canadian Residents: File complaint with Privacy Commissioner

Arbitration (US Users)

For US users, disputes may be subject to binding arbitration as outlined in our Terms of Service, except where prohibited by law or for CCPA/CPRA rights requests.

Consent for Specific Purposes

By using TiCloud and accepting this Privacy Policy, you specifically consent to:

1. Receipt Image Processing: Upload and processing of receipt images using AI/OCR technology
2. Cloud Storage: Storage of your data on cloud servers (which may be located internationally)
3. OpenAI Processing: Transmission of receipt images to OpenAI for text extraction
4. Pseudoanonymized AI Training: Use of your pseudoanonymized receipt data for AI model training (subject to opt-out)
5. Anonymized Metadata Sales: Inclusion of your data in anonymized aggregate metadata sold commercially (subject to opt-out)
6. Email Communications: Receiving service-related emails

You may withdraw consent at any time by:

• Deleting your account
• Opting out of specific uses (AI training, metadata sales)
• Contacting privacy@ticloud.app

Compliance Certifications

TiCloud is committed to maintaining the following compliance standards:

• ✓ GDPR (General Data Protection Regulation - EU)
• ✓ UK Data Protection Act 2018
• ✓ CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act)
• ✓ VCDPA (Virginia Consumer Data Protection Act)
• ✓ CPA (Colorado Privacy Act)
• ✓ CTDPA (Connecticut Data Privacy Act)
• ✓ UCPA (Utah Consumer Privacy Act)
• ✓ PIPEDA (Personal Information Protection and Electronic Documents Act - Canada)
• ✓ Law 25 (Quebec, Canada)
• ✓ COPPA (Children's Online Privacy Protection Act - US)
• ✓ BIPA (Biometric Information Privacy Act - Illinois, US)

Questions and Concerns

If you have any questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us:

Primary Contact: privacy@ticloud.app

Response Time: We aim to respond to all privacy inquiries within 5 business days

We take all privacy concerns seriously and will work diligently to address your questions and resolve any issues.