Privacy Policy
Last Updated: April 1, 2026
Welcome to the Brandmar Receipt Scanner ("we", "our", or "us"). We are committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our web application to scan, process, and export receipt data to Google Sheets.
1. Information We Collect
Because our application acts as a conduit between your device, AI processing, and your Google Account, we handle specific types of data:
- Google Account Information: When you log in via Google OAuth, we receive an authentication token that allows us to verify your identity and access authorized Google Drive files. We do not have access to your Google password.
- Receipt Images: When you use the app to capture or upload receipts, we process these image files.
- Extracted Financial Data: Our system processes the images to extract specific financial figures (e.g., Gross Sales, GST/HST, Total Cash, Gross Profit) and dates.
- Usage Data & Cookies: We use an HTTP-Only, Secure cookie to maintain your active session while you use the app.
2. How We Use Your Information
We use the information collected strictly to provide the core functionality of the application:
- Processing OCR (Optical Character Recognition): Your receipt images are compressed on your device and sent to our secure backend, which forwards them to Google Gemini AI to extract the relevant financial text.
- Exporting to Google Sheets: We use your Google OAuth access token to list available "Brandmar Holdings" workbooks, duplicate template sheets when a new month begins, and write the extracted financial data directly into your selected Google Sheet.
- the application only accesses Google Sheets specifically selected by the user through the secure Google Picker interface and does not have access to any other files in the user's Google Drive.
- Session Management: We use securely stored tokens to keep you logged in without requiring you to repeatedly authenticate.
Google API Services Disclosure
Brandmar Receipt Scanner's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, we request the https://www.googleapis.com/auth/drive.file scope. This restricts our access to only the files you explicitly open or create using our application. We do not use your data for advertising, nor do we sell your data to third parties.
3. Data Sharing and Third-Party Subprocessors
To operate the application, we utilize secure, industry-standard third-party services. Your data is routed through these services strictly for processing, not for their independent use:
- Cloudflare (Hosting & Backend): The application is hosted on Cloudflare Pages. Cloudflare Workers handle the API requests, and Cloudflare KV is used to temporarily and securely store your Google Access Token during your active session.
- Google Generative AI (Gemini): Receipt images are transmitted via API to Google Gemini specifically for data extraction (OCR). Images are analyzed strictly based on our system instructions and are not used by us or Google to train general AI models outside of the standard API enterprise agreements.
- Google Sheets & Drive API: Your extracted data is transmitted to your own Google Account to be saved in your spreadsheets.
4. Data Retention and Deletion
We practice strict data minimization:
- Images: Receipt images are held in memory only for the duration of the OCR processing request. They are not saved to any permanent database or file storage system on our servers.
- Extracted Data: The JSON data extracted from your receipts is returned to your browser for review and then passed to Google Sheets. We do not permanently log or store your financial data on our servers.
- Authentication Tokens: Your Google OAuth access token is stored in Cloudflare KV storage with a strict expiration time (Time-To-Live). Once the session expires, the token is automatically deleted from our backend.
5. Security
We implement robust security measures to protect your data:
- All data in transit is encrypted using HTTPS (TLS/SSL).
- Authentication state is protected using randomized CSRF tokens to prevent cross-site request forgery attacks.
- Session cookies are marked as
HttpOnly and Secure, ensuring they cannot be accessed by malicious client-side scripts and are only transmitted over encrypted connections.
- Client-side image compression reduces the payload size before any data leaves your device.
6. Your Rights and Choices
You maintain full control over your Google Account data. You can revoke our application's access to your Google Account at any time by visiting your Google Account Security settings (https://myaccount.google.com/permissions). Revoking access will immediately prevent our application from viewing or editing your Google Sheets.
7. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices or relevant laws. We will notify you of any significant changes by updating the "Last Updated" date at the top of this policy.
8. Contact Us
If you have any questions or concerns regarding this Privacy Policy or how your data is handled, please contact the application administrator or development team directly at: