Privacy Policy
Effective July 16, 2026
HSA Pocket operates the HSA Pocket receipt and reimbursement recordkeeping service. This policy explains what information we handle, why we handle it, and the choices available to you.
Information we collect
- Account information: your email address, authentication identifiers, verification status, and account-security events.
- Household information: household membership, roles, invitations, and the email addresses of people you invite.
- Records you provide: receipt files, emailed receipt attachments, extracted and corrected receipt details, expenses, reimbursements, reminders, notes, family-member labels, and exports.
- Subscription information: plan, subscription status, Stripe customer and subscription identifiers, and billing events. HSA Pocket does not store full payment-card numbers.
- Technical and security information: request metadata, IP-derived security signals, rate-limit events, service logs, and audit records used to operate and protect the service.
How we use information
We use information to authenticate users; provide encrypted receipt storage and recordkeeping workflows; process exports, reminders, invitations, and subscriptions; secure and troubleshoot the service; respond to support requests; and comply with applicable legal obligations.
Service providers and disclosures
HSA Pocket uses Cloudflare for application hosting, storage, email delivery, security, and processing; Auth0 for authentication; and Stripe for subscription billing. These providers process information on HSA Pocket's behalf under their own contractual and security terms. We may also disclose information when required by law, to protect users or the service, or as part of a business transfer. We do not sell personal information or use receipt contents for cross-context behavioral advertising.
Storage, retention, and deletion
Receipt files are encrypted before private cloud storage. Account records remain available while your account is active; canceling a paid subscription does not delete your records and preserves the documented view and export access. Generated export files expire after 24 hours. Verified encrypted database backups rotate after 35 days. When you request account deletion, access is revoked immediately and deletion is processed through the service's deletion workflow; residual encrypted copies may remain until the backup-retention cycle completes. Limited billing, security, or audit information may be retained when reasonably necessary for fraud prevention, dispute resolution, or legal compliance.
Your choices
You can review and correct extracted data, export supported records, rotate or disable an email-intake address, remove household access where authorized, cancel a subscription separately from deletion, and request account deletion from Settings. You may contact us to ask about access, correction, or deletion rights that apply in your jurisdiction.
Security
We use access controls, encryption, audit records, rate limits, and provider security protections designed to protect information. No online service can guarantee absolute security, so you should protect your login credentials and promptly report suspected unauthorized access.
Children and family records
HSA Pocket accounts are intended for adults. An adult account holder may keep authorized household records that identify a minor family member, but children should not create their own accounts.
Changes and contact
We may update this policy as the service changes. Material updates will be reflected by a new effective date. Questions or privacy requests can be sent to hello@hsapocket.com.