Gelato← Back to home

Privacy Policy

Effective date: April 9, 2026

Gelato ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, and your rights in relation to it. By using Gelato, you agree to the practices described in this policy.

1. Information We Collect

Information you provide directly

  • Account information — your full name and email address when you register.
  • Receipt images — photos of grocery receipts you upload for scanning.
  • Spending and budget data — receipt line items, categories, quantities, prices, and budgets you create.
  • Household data — household names and the email addresses of members you invite.

Information collected automatically

  • Usage data — pages visited, features used, and actions taken within the app (for product improvement).
  • Device and browser information — browser type, operating system, and IP address for security and analytics.

Information from third parties

  • Payment information — if you subscribe, Stripe processes your payment details. We do not store credit card numbers; only a Stripe customer ID is stored on our servers.

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Gelato service.
  • Process your receipt images using AI-powered OCR to extract spending data.
  • Generate spending analytics, budgets, and reports for you.
  • Process subscription payments and manage your billing.
  • Send transactional emails (account confirmation, password reset).
  • Detect and prevent fraud, abuse, or security incidents.
  • Comply with our legal obligations.

We do not sell your personal data to third parties, use your grocery data for advertising, or share your data with employers, insurers, or data brokers.

3. Third-Party Services

Gelato relies on the following trusted third-party services to operate. Each handles your data under their own privacy policies:

  • Supabase — database, authentication, and file storage. Your account data, receipt images, and spending records are stored on Supabase infrastructure hosted on AWS. Privacy policy →
  • OpenAI — AI-powered receipt OCR. When you upload a receipt, the image is sent to OpenAI's API to extract text. OpenAI may retain submitted data per their API data usage policy. We recommend not uploading receipts containing sensitive personal information beyond standard grocery items. Privacy policy →
  • Stripe — payment processing for web subscriptions. Stripe collects and stores your payment card details. We store only your Stripe customer ID. Privacy policy →
  • RevenueCat — in-app purchase management on iOS and Android. Privacy policy →

4. Data Storage and Security

Your data is stored on Supabase infrastructure hosted in the United States on Amazon Web Services (AWS). We implement row-level security policies to ensure users can only access their own data. Receipt images are stored in a private, access-controlled storage bucket — they are not publicly accessible.

While we take reasonable technical and organisational measures to protect your data, no internet transmission or storage system is 100% secure. We encourage you to use a strong, unique password for your account.

5. Data Retention

We retain your account data for as long as your account is active. If you delete your account, we will delete or anonymise your personal data within 30 days, except where we are required to retain it for legal or financial compliance purposes (e.g. transaction records required by tax law).

Receipt images are retained for as long as you keep them in the app. You can delete individual receipts at any time from within the app, which also removes the associated image from storage.

6. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Correction — request that we correct inaccurate or incomplete data.
  • Deletion — request that we delete your account and associated data.
  • Portability — request your spending data in a machine-readable format.
  • Objection — object to certain processing of your data.

To exercise any of these rights, please contact us at privacy@gelato.app. We will respond within 30 days.

7. Cookies

Gelato uses cookies and similar technologies to maintain your login session and remember your preferences (such as your active household context). We do not use third-party advertising cookies or tracking pixels.

8. Children's Privacy

Gelato is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or via an in-app notice at least 14 days before the change takes effect. Your continued use of Gelato after that date constitutes acceptance of the updated policy.

10. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy, please contact us:

  • Email: privacy@gelato.app
Terms of Service← Back to home