Privacy Policy
Effective: 2026-05-15 · Last updated: 2026-05-15
Receipts.law is a tool that helps employees organize evidence for workplace-retaliation cases before consulting a licensed attorney. The data you submit is some of the most sensitive personal information you'll ever generate — your employer's name, allegations of harassment, salary, medical references, attorney communications, racial slurs, HR-director admissions. This policy tells you exactly what we do with it.
1. What We Collect
Information you submit directly
- Intake form data: Your name, contact info, employer name, work location, hire date, job title, narrative of what happened, names of supervisors and HR contacts, and any other facts you choose to enter.
- Uploaded evidence: Files you choose to upload to your case vault — paystubs, emails, screenshots, write-ups, photos, recordings, PDFs.
- Real-time events: When you paste an email, voicemail transcript, or other event for analysis, that text is processed and stored as part of your case.
- Attorney-vetting inputs: When you submit information about an attorney for vetting, we store that information attached to your case.
Information collected automatically
- Request logs: Standard web server logs (IP address, user agent, page accessed, HTTP status, timestamp). Retained for 30 days for security and debugging.
- File metadata: When you upload a file, we compute its SHA-256 hash and extract any PDF metadata (creation date, author field) for forensic-anchor purposes. We display this back to you.
Information we do NOT collect
- We do not use cookies for tracking. There are no third-party advertising trackers on this site.
- We do not use Google Analytics or similar surveillance-style tracking.
- We do not collect biometric data, location data beyond IP-derived geolocation, or device identification beyond what your browser sends.
- We do not create user profiles for advertising purposes.
- We do not share case content with any party other than the AI providers (see Section 3) required to generate the analysis you requested.
2. How We Store and Protect It
Encryption at rest
Every file in your case vault — your intake, evidence manifest, AI-generated analyses, attorney dossiers, event records, and generated deliverable PDFs — is encrypted at rest using Fernet (AES-128-CBC + HMAC-SHA256). The encryption key is stored in our infrastructure's secret store, never in the application code, never in version control, and never accessible to anyone outside the infrastructure-administration role.
If our underlying disk were to be exposed by a hosting-provider incident, the leaked data would be ciphertext.
Encryption in transit
All traffic between your browser and our servers is encrypted via HTTPS (TLS 1.2 or higher).
Access controls
The current version of Receipts.law is a private-beta tool. Case URLs are non-guessable and function as the access capability. We are working on adding email-based authentication. In the meantime, do not share your case URL with anyone you do not want to have access to your case.
3. AI Processing and Third Parties
When you request AI-generated analysis (case analysis, dot-connector, adversarial review, strategy-pattern matching, deliverable generation, attorney dossier, event analysis), the relevant portions of your case data are transmitted to:
- Anthropic (Claude API) — for the textual analysis. Anthropic's enterprise data policy applies: data submitted via the API is not used to train Anthropic models. See Anthropic Privacy Policy.
- OpenAI (image generation API, when used) — only for non-case-specific image prompts (e.g., blog hero images). Your case content is never sent to OpenAI.
We do not share your data with advertisers, data brokers, employers, or any other third party.
4. Your Rights
If you are a California resident (CCPA / CPRA)
You have the right to:
- Know what personal information we have collected about you
- Request deletion of your personal information
- Request correction of inaccurate personal information
- Opt out of the sale or sharing of personal information (we do not sell or share)
- Limit use of sensitive personal information
- Not be discriminated against for exercising these rights
If you are a New York resident (SHIELD Act)
We maintain reasonable administrative, technical, and physical safeguards as required. You will be notified if a security breach involving your personal information occurs.
If you are an EU/UK resident (GDPR / UK GDPR)
You have the right to access, rectify, erase, restrict processing of, port, and object to processing of your personal data. The lawful basis for our processing is your consent and the performance of the service you requested.
How to exercise your rights
To delete your case data, request a copy, or otherwise exercise your rights, contact the address in Section 9. We will respond within 45 days (or sooner where required by law).
5. Data Retention
Case data is retained as long as your case folder exists in our system. If you ask us to delete your case, we will permanently delete the case folder (including encrypted file content). Backups that include your data are rotated on a 30-day cycle; full deletion across all backups completes within 30 days of your deletion request.
Request logs are retained for 30 days and then purged.
6. Children's Privacy
Receipts.law is intended for adults dealing with workplace situations. We do not knowingly collect data from anyone under 18. If you believe a minor has submitted data through our site, contact us and we will delete it.
7. International Transfers
Our infrastructure is hosted in the United States. If you access Receipts.law from outside the US, your data will be transferred to the US for processing.
8. Changes to This Policy
We may update this policy. The "Last updated" date at the top reflects the most recent change. Material changes will be announced on the homepage and, where required by law, communicated to affected users.
9. Contact
Privacy inquiries and rights requests can be sent to the contact address listed in our Terms of Service. We respond to legitimate inquiries within 5 business days.