Returno

Legal

Privacy Policy

Last Updated June 1, 2026

Returno ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Returno website and our receipt management services (the "Service"). Please read this policy carefully. If you do not agree with the terms of this privacy policy, please do not access the site.

1. Data Controller

For the purposes of the UK General Data Protection Regulation (UK GDPR), Returno Ltd is the data controller of the personal information you provide directly (such as account registration details). For the data contained within the receipts you upload, Returno acts as a data processor, following your instructions to extract and store data.

2. Information We Collect

We collect several types of information from and about users of our Service:

2.1 Personal Identification Information

  • Account Data: Name, email address, physical address (for billing), and phone number.
  • Financial Data: Credit card or payment details. Please note that all payments are processed through a secure third-party provider (e.g., Stripe); we do not store full credit card numbers on our servers.

2.2 Content Data (Receipts)

  • Uploaded Files: Images (JPEG, PNG) and PDF files of receipts and return vouchers.
  • Extracted Data: Information extracted via OCR, including vendor names, item descriptions, prices, currency, dates, and tax amounts.

2.3 Technical and Usage Data

  • Log Data: IP address, browser type, operating system, referring URLs, and pages viewed.
  • Device Information: Details about the device used to access the Service, including hardware model and unique device identifiers.
  • Cookies: We use cookies and similar tracking technologies to track activity on our Service and hold certain information to improve user experience.

3. How We Collect Your Data

  • Direct Interaction: You provide data when you register, subscribe, or upload documents.
  • Automated Technologies: As you interact with our website, we may automatically collect technical data about your equipment and browsing patterns.
  • Third Parties: We may receive data from payment processors or analytics providers (e.g., Google Analytics).

4. Legal Basis for Processing (UK/EEA Users)

Under the UK GDPR, we rely on the following legal bases to process your personal data:

  • Performance of a Contract: To provide the Service and manage your subscription.
  • Consent: Where you have given clear consent for us to process your data for a specific purpose (e.g., uploading receipts for AI analysis).
  • Legitimate Interests: For our business interests, such as improving our AI algorithms, ensuring network security, and performing data analytics.
  • Legal Obligation: To comply with tax, accounting, or regulatory requirements in the UK.

5. Use of Artificial Intelligence (OpenAI)

To provide the core functionality of Returno, we utilize OpenAI's API for Optical Character Recognition (OCR).

  • Data Transmission: When you upload a receipt, the file (or a digital representation of it) is transmitted to OpenAI's servers.
  • Processing Purpose: OpenAI processes the image/PDF solely to identify text and structure it into data fields.
  • Data Privacy: We use OpenAI's enterprise/API tier, which, by default, does not use customer data to train their models. However, the data is stored by them temporarily for a period required to fulfill the request and for security monitoring.

6. Disclosure of Your Information

We may share information we have collected about you in certain situations:

  • Service Providers: With third parties that perform services for us, including payment processing, data analysis, email delivery, hosting services, and customer service.
  • Legal Requirements: If we believe the release of information is necessary to respond to legal process, to investigate potential violations of our policies, or to protect the rights, property, and safety of others.
  • Business Transfers: In connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.

7. International Data Transfers

Returno is based in the United Kingdom. However, we use service providers (such as OpenAI and cloud hosting providers) located in the United States.

When we transfer data from the UK to the US, we ensure it is afforded a similar degree of protection by implementing at least one of the following safeguards:

  • The use of Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office (ICO).
  • Use of providers who are certified under the UK-US Data Bridge (the UK extension to the EU-U.S. Data Privacy Framework).

8. Data Security

We use administrative, technical, and physical security measures to help protect your personal information. These include:

  • Encryption: Use of SSL/TLS encryption for data in transit and AES-256 for data at rest.
  • Access Controls: Restricting access to personal data to employees and contractors who have a business "need to know."
  • Regular Audits: Periodic reviews of our security practices and system vulnerabilities.

9. Data Retention

We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

  • Subscription Data: Retained for the duration of your active subscription.
  • Account Deletion: Upon account deletion, we purge your data within 30 days, except for data we are legally required to keep (e.g., tax invoices).

10. Your Rights

10.1 UK and EEA Rights

Under the UK GDPR, you have the following rights:

  • Access: The right to request copies of your personal data.
  • Rectification: The right to request that we correct inaccurate information.
  • Erasure: The right to request that we erase your personal data ("the right to be forgotten").
  • Portability: The right to request that we transfer the data to another organization.
  • Objection: The right to object to our processing of your data.

10.2 US State Rights (e.g., California CCPA/CPRA)

If you are a resident of California or other US states with comprehensive privacy laws, you have specific rights:

  • Right to Know: What personal information we have collected, used, or shared.
  • Right to Delete: Request the deletion of your personal information.
  • Right to Opt-Out: While Returno does not sell your personal information, you have the right to opt-out of "sharing" for cross-contextual behavioral advertising.
  • Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

11. Children's Privacy

Our Service is not intended for children under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child without parental consent, we will take steps to remove that information from our servers.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. You are advised to review this Privacy Policy periodically for any changes.

13. Contact Us

If you have questions or comments about this Privacy Policy, or if you wish to exercise your data rights, please contact our Data Protection Officer (DPO) at:

  • Returno Ltd
  • Email: privacy@returno.co.uk
  • Address: [Insert UK Business Address]
  • Phone: [Insert Business Phone Number]

Additional Notice for California Residents (CCPA)

  • Categories of Data Collected: Identifiers, Commercial Information, Internet Activity, and Geolocation data.
  • Sources: Directly from you and automated tracking.
  • Purpose: Service fulfillment and marketing.
  • Third-Party Disclosure: OpenAI (for OCR), Stripe (for Payments), AWS/Google Cloud (for Hosting).
© 2026 Returno. All rights reserved.