Security & data practices

You're trusting us with your purchase data. Here's exactly how we handle it.

Encryption in transit and at rest

All data sent between your browser and our servers is encrypted using TLS 1.3. At rest, your database records and uploaded documents are encrypted using AES-256. These are standard practices for any SaaS product that handles personal data.

Receipt photos

When you upload a receipt, we strip EXIF metadata (GPS location, device info) before processing. Free tier photos are permanently deleted immediately after text extraction — only the extracted data is kept. Pro tier users can store photos persistently in encrypted object storage.

No third-party tracking

We don't use Google Analytics, Facebook Pixel, or any tracking software that sends your data to third parties. Our analytics are cookieless and anonymized. We don't sell or share your purchase data with anyone.

Account deletion

When you delete your account, there's a 30-day grace period (cancellable). After that: permanent deletion from our database and from all backups within 90 days. You can export a CSV of all your data before deletion. We don't soft-delete and call it good.

Infrastructure

We run HeresNext on standard cloud infrastructure with the following building blocks:

  • Database and object storage — encrypted at rest, hosted in the US
  • Email provider — for reminders and account emails
  • Hosting — edge-deployed for low latency
  • Analytics — cookieless and anonymized

What we don't have

Honest about gaps in a pre-launch product:

  • No SOC 2 certification — that requires revenue and time; we'll pursue it post-launch
  • No penetration test report yet — planned for pre-launch
  • No bug bounty program yet — contact us to disclose responsibly