Privacy policy

We collect the minimum data needed to run an alcohol-related price comparison service. Specifically:

• Account data: email address, display name, role (user / reviewer / owner), and a flag indicating whether two-factor authentication is enabled. Email is verified before upload, vote, and report actions.
• Age confirmation: a single timestamp recording when you confirmed you are legally allowed to view alcohol-related content in your location. We do not store date of birth.
• Receipt originals: the image or PDF you upload. Stored in a private Supabase Storage bucket; never made public; deleted when you delete the account.
• Contributed price data: the claim, AI extraction, your corrections, and the reviewer decision trail.
• Audit log: an internal record of every privileged action (reviewer decision, report resolution, account deletion, role change, receipt preview, etc.) for security and abuse-investigation purposes.

Account and contributed data power the public product. The audit log is accessible to owners and is not user-facing. We do not sell or rent any personal data. We do not use receipt originals for AI training unless you separately opt in (a future opt-in is not yet available).

We use PostHog for anonymous product analytics. The analytics SDK is only initialized after you click “Allow analytics” on the consent banner. Before consent, no analytics JS, cookies, or localStorage entries are set. Declining analytics does not affect the product.

We set one cookie for the consent decision itself (180 days, SameSite=Lax). Authentication cookies are managed by Better Auth.

You can, at any time:

• Access your data: download a JSON snapshot from your account page. The export covers your profile, receipts, contributed records, votes, reports, AI correction samples, and audit-log rows about you.
• Delete your account: the same page has a Delete-account section. Deletion anonymizes your profile, anonymizes your receipts, sets contributorAnonymized = true on any approved price observations (the prices remain visible but unattributed), and removes the stored receipt originals.
• Opt out of analytics: decline on the consent banner, or revisit your choice on the account page in a future release.

• Account data: retained while your account is active. On deletion, profile fields are anonymized; sessions are purged.
• Receipt originals: deleted on account deletion. While the account is active, originals are kept for the period the receipt is in review and for 30 days after the final reviewer decision, to support audit-trail queries and resubmission flows.
• Approved price observations:kept for 180 days as “current.” Older observations are marked stale and excluded from default search. Anonymized approved prices remain on the platform after account deletion (they are the public product).
• Audit log: retained for 24 months. Personal data in the log (IP address, user agent) is used for security investigations only.

For data-access, deletion, or any other privacy question, please use the account page or open an issue on the public repository.