What we store

  • Your receipts — the original file or email exactly as received, the data extracted from it (vendor, total, date, line items), the categories and notes you add, and the edit history. Stored on servers we control, in Australia.
  • Your account — name, email, hashed password (we can't read it, only reset it), country and timezone.
  • Operational logs — whether processing jobs succeeded, how many receipts came in. Health monitoring, nothing else.

There are no analytics services, tracking pixels or third-party monitoring tools anywhere on the site. One session cookie keeps you signed in; that's the complete cookie list.

What inbox access really means

Connecting an inbox is the part worth being clear-eyed about, so here is exactly what happens:

  • Gmail connections are read-only OAuth. The Paper Keep can search for and read receipt-shaped emails. It cannot send mail as you, delete anything, or change your account. You can revoke access from your Google account at any time, independently of us.
  • IMAP connections use app-specific passwords — a separate credential you generate at your provider that can be revoked on its own without touching your real password. You choose which folders are scanned during setup.
  • Credentials are stored encrypted. OAuth tokens and app passwords alike are encrypted at rest; they're used to fetch mail for scanning and for nothing else.
  • Non-receipt email isn't kept. Scanning looks for receipt-shaped messages; your correspondence isn't stored or indexed. Emails that are imported as receipts are kept in full — that's the product.
  • Disconnecting is one click in Settings → Receipt sources. Receipts already imported stay; the access stops.

If connecting an inbox still feels like too much access, forwarding gives you the same pipeline with you in control of every message that leaves your mailbox.

The AI step

Each receipt is read and parsed by Claude (Anthropic's AI model): the file or email is sent to Anthropic's API in a single call that does the OCR, extracts the fields, and suggests a category. Two commitments matter here:

  • Anthropic's API terms prohibit training models on customer data — your receipts don't teach anyone's AI.
  • Receipt content isn't retained by Anthropic beyond the duration of the API call.

This is the only place receipt content leaves our servers, and it exists because it's what turns a photo into searchable, categorised data. Every AI-written value is editable, and the audit history records what the AI set versus what you set.

Who can see your data

  • You. Everything, always — including the untouched originals.
  • The Paper Keep's staff (currently one person) can technically access the database, and will look at your account only to fix a problem you've reported, chase an error our logs flagged, or meet a legal requirement. Not otherwise, and never out of curiosity.
  • Stripe handles payments and sees your name, email and card details — we never see your card number. Stripe is the only third party we share anything with (besides the AI processing described above).
  • Nobody else. Your data is not sold, shared, or used for advertising. There are no data brokers, ad networks or marketing platforms involved.

Exporting and leaving

No lock-in is a design goal, not a slogan:

  • Export any time. The tax-year CSV covers the accountant handover; the full archive export in Settings is a zip of every receipt's data plus every original file, exactly as you submitted it.
  • Deleting a receipt moves it to Trash (recoverable), and permanent deletion is a real deletion — see Delete a receipt.
  • Closing your account is requested from Settings and runs on a 30-day grace period — time to change your mind or grab a final export — after which receipts, files and account data are permanently removed.

Questions this page doesn't answer: [email protected] for privacy, [email protected] for vulnerabilities. The formal detail lives in the privacy policy.