Legal
Privacy Policy
Last updated: May 18, 2026
1. Introduction
RevTrackr is operated by NFTeam s.r.o. (“we”, “our”, or “us”), a company registered in the Slovak Republic, with its seat at Hradná 168/2, 945 01 Komárno, Slovak Republic, IČO: 50 599 500, DIČ: 21 2040 8719. We are committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our financial management platform (the “Service”).
By using RevTrackr, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our Service.
2. Information We Collect
2.1 Information You Provide
We collect information that you voluntarily provide, including:
- Account information: name, email address, password (stored as a salted bcrypt hash), optional phone number, profile photo, an email-verification flag that records whether you have confirmed your address, and an email-preferences flag that records whether you have unsubscribed from broadcast / newsletter emails.
- Business information: business name, type, country, address, tax identification numbers, industry, contact details, team members you invite, and tax-related settings (currency, tax rate, tax brackets, thresholds).
- Financial data: transactions (income and expenses), categories, tags, recurring patterns, notes, receipts, tax deadlines, and any other financial records you enter or upload.
- Receipts and documents: images and PDF files you upload to the receipt store (“Shoebox”).
- Payment information: billing details are processed directly by our payment provider, Stripe. We receive only a customer identifier, your subscription status, and limited billing metadata — we do not receive or store your full card numbers.
- AI assistant conversations: the prompts you send to the AI assistant and the model’s responses are stored so you can revisit prior conversations.
- API keys: labels, permissions, the last four characters of the key (for identification), and a one-way SHA-256 hash of the full key value. The raw key is shown to you exactly once at creation and never stored. Optional webhook configuration (URL, subscribed events, and the signing secret) is stored alongside the key.
- Linked sign-in providers: if you sign in with Google or GitHub, or connect one of those providers to your account from settings, we store the provider name, the opaque account identifier the provider issues for you, the email address that provider returns, and when the link was created. We never receive your provider password and never request additional scopes beyond your basic profile.
- Push subscriptions: when you opt in to browser push notifications, we store the endpoint URL, encryption keys, and user-agent string provided by your browser.
- Notification preferences: your choices for reminders, alerts, and summary delivery.
- Communications: messages you send to our support team.
2.2 Information Collected Automatically
- Usage data: pages visited, features used, time spent, and interaction patterns — collected via Vercel Analytics on an aggregate, privacy-friendly basis.
- Device and log data: IP address, browser type, operating system, device identifiers, and access times, captured by our hosting provider as part of normal request logging.
- Cookies and local storage: used to keep you signed in, remember interface preferences, and dismiss one-time prompts (see Section 9).
- Email delivery metadata: for broadcast and transactional emails we send through Resend, we store the recipient address, the Resend message id, and the current delivery status (sent, delivered, delayed, bounced, complained, failed) so admins can debug deliverability. We do not enable open or click tracking.
- Diagnostic data: when the Service encounters an unhandled error, we forward a crash report to Sentry. The report contains the error message and stack trace, the URL, browser and operating system, the release version, and a short trail of breadcrumbs (recent navigation events and network requests). We configure the Sentry SDK to omit IP addresses, cookies, and request bodies by default. Where technically necessary to associate an error with the affected account, we may attach your user id.
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service.
- Process payments, manage subscriptions, redeem subscription codes, and send related billing communications.
- Calculate tax estimates, generate reports, convert amounts between currencies, and surface financial insights.
- Power the AI assistant (available on the Pro and Ultra plans only) by sending an aggregated summary of your financial context and your prompt to our AI provider. Plus and Free accounts do not have AI features and no data from those accounts is sent to our AI provider.
- Power the AI receipt reader (available on the Pro and Ultra plans only) by sending the receipt image you choose to scan to our AI provider so it can extract the vendor, total, currency, and date.
- Send transactional emails such as registration confirmation links, password reset links, tax deadline reminders, account notifications, and administrative announcements. Confirmation and reset links are stored only as one-way hashes and expire automatically (confirmation links after seven days, reset links after one hour).
- Deliver web push notifications to browsers you have authorized.
- Authenticate API requests made with the keys you generate, and enforce the permissions you attach to them.
- Deliver outbound webhooks to URLs you configure on an API key, so external systems can react to changes in your business data.
- Improve, personalize, and expand the features of the Service.
- Detect, prevent, and address fraud, abuse, and security incidents, including suspending accounts where necessary.
- Comply with legal obligations.
4. How We Share Your Information
We do not sell your personal information. We share information only with the following categories of recipients:
- Service providers (sub-processors): trusted vendors who process data on our behalf:
  - MongoDB Atlas — hosted database where your account, business, transaction, receipt metadata, notification, and conversation records are stored.
  - Vercel — application hosting, deployment, edge delivery, request logging, and Vercel Analytics (page views and performance metrics).
  - Stripe — payment processing, subscription management, billing, and related webhooks.
  - Cloudinary — storage, optimization, and delivery of profile photos and receipt files you upload.
  - Resend — delivery of transactional and notification emails (used only when email delivery is configured for the deployment).
  - Web push services — if you opt in to push notifications, encrypted payloads are delivered through the push service operated by your browser vendor (such as Google, Mozilla, Microsoft, or Apple).
  - Groq — inference provider for our AI assistant (Papoy), the dashboard welcome message, and the AI receipt reader. We send your prompt plus a focused snapshot of your account context for the assistant, and the URL of a receipt image (hosted on Cloudinary) for the receipt reader.
  - Sentry — error monitoring and performance tracing. Receives crash reports, stack traces, navigation breadcrumbs, the affected URL, release version, and the user id of the affected account when available, so we can diagnose and fix bugs.
  - Google and GitHub — identity providers used only when you choose to sign in or connect an account through them. They receive the redirect back to RevTrackr and the standard OAuth grant; in return we receive a provider account id, your email, and (where available) your display name and avatar.
  - Open Exchange Rates API (open.er-api.com) — used to fetch publicly available currency conversion rates. We do not send any personal or financial data to this API.
- Other users you share a business with: if you add team members to a business, those members can view and (depending on their role) modify the business information, transactions, and receipts associated with that business.
- Third-party tools you authorize: any application that you connect by issuing an API key can access the data permitted by that key’s scope (for example, read or write access to transactions or business information). You can revoke API keys at any time.
- Webhook endpoints you configure: if you set a webhook URL on an API key, we will send signed POST requests to that URL when subscribed events occur on your business (for example, transaction or business changes). The request body contains the affected record. You control which events are subscribed and you are responsible for the security of the endpoint you provide. We log the outcome of each delivery attempt (HTTP status, timing, and any error message) and surface it in the API management page; we do not store the URL or its responses for any purpose other than helping you debug deliveries.
- Administrators: our staff with administrative access may view account, business, and transaction data strictly as needed to operate the Service, provide support, investigate abuse, or comply with legal obligations.
- Legal and regulatory authorities: when required by law, court order, or to protect our rights and the safety of others.
- Business transfers: in connection with a merger, acquisition, or asset sale, with notice to you.
- With your consent: any other party you authorize.
5. AI-assisted features
Papoy, our in-app AI assistant, and the dashboard’s welcome message are available on the Pro and Ultra plans only and rely on Groq as their inference provider. The Free and Plus plans do not include AI features, and no data from Free or Plus accounts is ever sent to Groq. When you send a question to the assistant from a Pro or Ultra account, we build a context object summarising your current financial situation — including totals for the current period, top income and expense categories, a small number of recent transactions, upcoming deadlines, and pinned notes — and forward it along with your prompt to Groq so it can generate a response. We do not send your full transaction history, your password, your payment details, or other users’ data.
The AI receipt reader, also available only on the Pro and Ultra plans, sends only the receipt image you explicitly choose to scan (either by tapping “Scan with AI” in the upload dialog, opening the camera scanner from the Shoebox, or selecting “Record as transaction” on a saved receipt) to Groq’s vision model. Groq extracts the vendor, total, currency, date, suggested category, and a short description and returns them as structured data. The image itself is hosted on Cloudinary; we transmit the URL of the image to Groq, and Groq fetches it directly. Receipt images are not sent to Groq automatically — only when you trigger a scan, and only when you are on a plan that includes the reader.
Per Groq’s terms, your prompts, images, and responses are not used to train their models. Conversations are stored in your account so you can revisit them; you can delete a conversation at any time and we will remove it from our database. Use of AI features is rate-limited. AI responses can be wrong — treat tax-critical answers as a starting point and verify with a licensed professional before filing.
6. Email and Push Notifications
We send a limited number of operational emails and, when enabled, push notifications. Examples include account and security notices, tax deadline reminders, large-transaction alerts, optional weekly summaries or monthly reports, and administrative announcements. Emails are delivered through Resend; push notifications are delivered through the push service operated by your browser vendor.
You can configure which reminders and summaries you receive from your account settings, and you can revoke browser push permission from your browser at any time. We do not use your email address for marketing campaigns by third parties.
7. Data Security
We implement industry-standard technical and organizational measures to protect your data, including encryption in transit (TLS), encryption at rest on our infrastructure providers, bcrypt-hashed passwords, JWT-based authentication with short-lived access tokens and longer-lived refresh tokens bound to server-side session records you can revoke at any time from the Security tab in your account settings, optional time-based one-time password (TOTP) two-factor authentication with single-use recovery codes (stored only as SHA-256 hashes), passkey support via WebAuthn, role-based access controls, scoped API keys, and isolated queries that prevent users from accessing data that does not belong to them or their businesses. We also maintain a 90-day per-account sign-in activity log (password / passkey / OAuth attempts and session revocations) so you can spot unauthorized access. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.
8. Data Retention
We retain your personal data for as long as your account is active or as needed to provide you the Service. Receipts and financial records are retained while your account is open so that you can refer back to historical periods. If your account is disabled by an administrator, your data is preserved but inaccessible to you until the account is re-enabled or permanently deleted. You may request deletion of your account at any time from the Security tab in your settings — the request is recorded against your account, we email you a confirmation, and an administrator processes the deletion after a short cancellation window during which you can withdraw the request. We may retain certain information after deletion to comply with legal obligations (including tax and accounting record-keeping rules that apply to us), resolve disputes, and enforce agreements.
9. Cookies and Local Storage
We use a small number of essential cookies and browser storage items, including an authentication token cookie that keeps you signed in, a cookie that remembers whether the sidebar is open or collapsed, and local-storage entries that store your access token and dismiss certain one-time prompts (such as the install or push-permission banners). We may also use analytics cookies set by Vercel Analytics to understand aggregate usage. You can control cookies through your browser settings, but disabling essential cookies will prevent you from staying signed in.
10. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Request deletion of your data.
- Restrict or object to certain processing of your data.
- Receive a portable copy of your data.
- Withdraw consent where processing is based on consent.
- Unsubscribe from broadcast / newsletter emails at any time using the link in the footer of any such email, or via your email preferences in settings. Transactional emails (account verification, password reset, tax-deadline reminders you opted into) are kept separate from broadcast unsubscribe.
- Lodge a complaint with a supervisory authority.
To exercise any of these rights, contact us at hello@nfteam.eu.
11. International Data Transfers
We are based in the Slovak Republic. Several of our sub-processors (including Vercel, Stripe, Cloudinary, Resend, Groq, Sentry, and MongoDB Atlas) may transfer or process data outside the European Economic Area, including in the United States. Where such transfers occur, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses, the EU–US Data Privacy Framework where applicable, or equivalent mechanisms.
12. Children’s Privacy
The Service is not intended for individuals under the age of 16. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal data, please contact us so we can delete it.
13. Third-Party Links
Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to read their privacy policies before providing them with personal data.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the “Last updated” date. Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.
15. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, contact us at:
NFTeam s.r.o.
Hradná 168/2
945 01 Komárno
Slovak Republic
IČO: 50 599 500
DIČ: 21 2040 8719