Privacy Policy

Who we are

Slipwise is a receipt-management product operated by Vast Dynamic Software Development Limited(“we”, “us”, “our”), a company incorporated in Hong Kong. This policy explains what personal data we collect when you use Slipwise, how we use it, and the rights you have over it under the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) (the “PDPO”).

For the purposes of the PDPO, Vast Dynamic Software Development Limited is the data user in respect of personal data that you provide to us through Slipwise.

Data we collect

We collect only the data we need to make Slipwise work for you:

• Account information. Your email address and a hashed password (or, if you sign in via Google or another provider, the email and provider id returned by that provider). We never see or store your provider password.
• Profile and settings. Optional first/last name, organisation name, country, default currency, language, and timezone — only what you choose to enter during onboarding or in Settings.
• Receipts and the data extracted from them. The image or PDF files you upload, along with the supplier name, date, amount, currency, tax, line items, and category extracted from each receipt. If you forward receipts via email, we receive the email and parse it the same way.
• Cloud-sync tokens. If you connect Google Drive or OneDrive, we store an encrypted access + refresh token so we can write your receipts into your own cloud folder. The token is encrypted at rest with AES-256-GCM and is never returned to your browser.
• Operational data. Usage counters (number of chat messages, number of receipts processed this month) used only to enforce subscription limits, and a per-account audit log of administrative actions.
• Logs. Server-side request logs (IP address, user-agent, route, response code, timestamp) retained for up to 30 days for debugging and abuse detection. We do not run third-party analytics or advertising tags on the app.

How we use your data

• To provide the Slipwise service: store your receipts, run extraction, surface them in your dashboard, sync to your cloud folder.
• To answer your questions through the in-app assistant. The assistant runs on OpenAI’s API; we send only the question, your conversation history, and relevant metadata about your own receipts. We do not use your data to train our or any other party’s models.
• To send you transactional emails — sign-up confirmations, invitations, password resets, receipt-saved notifications. You can disable receipt-saved emails in Settings.
• To enforce subscription limits and detect abuse.
• To respond when you contact us at support@vastdynamic.io.

We do not sell your data. We do not use your data for behavioural advertising.

Where your data is stored

Slipwise data lives in Supabase’s ap-northeast-1 region (Tokyo, Japan). The Slipwise application runs on Vercel (also in the Tokyo region for our serverless functions). Email is delivered through Resend. Receipt extraction uses OpenAI’s API; the request is processed in the United States. Cloud sync writes copies of your receipts to your own Google Drive or OneDrive account at your direction.

Where data is transferred outside Hong Kong, we rely on the recipient’s contractual undertakings to apply protection of a standard comparable to that required under the PDPO.

How long we keep it

• Account, settings, and receipt data: until you delete the receipt, the account, or your profile.
• Soft-deleted receipts: kept in the recycle bin for 30 days, then purged from storage and the database.
• Operational logs: up to 30 days.
• Audit log: 12 months for administrative actions.
• Backups: rolling 7-day point-in-time snapshots from our database provider.

Sharing

We share data only with the third parties we need to run the service:

• Supabase — database, file storage, auth.
• Vercel — application hosting.
• OpenAI — receipt extraction and the in-app assistant.
• Resend — transactional email.
• Google / Microsoft — only if you choose to connect cloud sync, and only to write to the folder you authorise.

We do not share your data with anyone else except where compelled by law, where you explicitly direct us to (e.g. inviting another user to your account), or where we are involved in a merger or acquisition (in which case your rights under this policy transfer to the successor entity).

Your rights under the PDPO

You have the right to:

• Ask us to confirm whether we hold personal data about you.
• Request a copy of that data.
• Ask us to correct any data that is inaccurate.
• Ask us to delete your account and all associated data. Most of this you can do yourself in Settings; for anything not exposed there, email support@vastdynamic.io.
• Withdraw consent for any processing that relies on your consent — for example by disconnecting cloud sync from Settings.

We will respond to data-access or correction requests within 40 days as required by the PDPO. There is no charge for a request from a data subject about their own data.

Direct marketing

We do not use your personal data for direct marketing of third-party products. Where we send you product updates from Slipwise itself, you can opt out from any such email or by writing to support@vastdynamic.io, and we will stop within a reasonable period.

Cookies

Slipwise uses cookies that are strictly necessary for the service to work — your authentication session, your active-account selection, and a couple of small performance hints. We do not use advertising or third-party analytics cookies.

Children

Slipwise is not intended for children under 13. We do not knowingly collect data from children under 13. If you believe a child has registered, contact us and we will remove the account.

Changes to this policy

We may update this policy from time to time. The “Last updated” date at the top of this page reflects the most recent change. For material changes we’ll notify you by email or in-app before the change takes effect.

Contact

Vast Dynamic Software Development Limited
Email: support@vastdynamic.io