Privacy Policy

Last updated: May 8, 2026

This Privacy Policy (the "Policy") governs the processing of personal data by Tangerine ("Tangerine", "we", "us", or "our") in connection with the Tangerine mobile application and related online services (the "App"). By downloading, installing, or using the App, you acknowledge that you have read and understood this Policy.

1. Definitions

1.1 "App" means the Tangerine mobile application and any associated online services operated by us.

1.2 "Personal Data" means any information relating to an identified or identifiable natural person.

1.3 "Processing" means any operation performed on Personal Data, including collection, storage, transmission, and deletion.

1.4 "You" or "User" means the natural person who accesses or uses the App.

2. Data Controller

Tangerine acts as the controller of Personal Data processed through the App. Inquiries concerning this Policy or the exercise of your rights may be addressed to hi@tangerineapp.co.

3. Categories of Data We Process

3.1 Receipt images and extracted text. When you scan a receipt, on-device computer-vision processing may first be performed locally on your device for the sole purpose of detecting the boundary of the receipt within the captured image; no image data leaves your device as part of this step. The resulting image and its extracted contents are then transmitted, through a secure relay operated on our behalf, to third-party artificial-intelligence processing providers for the sole purpose of parsing line items and totals. Neither we nor our processing providers retain such images or extracted text after the parsing response has been delivered, and, under our contractual arrangements with those providers, your submissions are not used to train or improve any artificial-intelligence model.

3.2 Receipt records saved by you. Saved receipts and bill-splitting records are stored within the private storage associated with your device-platform account (for example, your Apple account). We have no access to the contents of that private storage.

3.3 Collaborative session data. When you initiate or join a bill-splitting session, temporary data (including participant display names, item assignments, and amounts) is processed on our infrastructure for the limited duration of the session.

3.4 Device and application data. We process limited technical information including operating-system version, application version, and a randomly generated device identifier, for purposes of analytics, stability, and abuse prevention.

3.5 Pseudonymous usage analytics. We process pseudonymous event data in order to understand product usage and to improve the App. Such data comprises (a) feature interactions, screen views, and other behavioural signals, and (b) limited per-receipt fields produced by our parsing pipeline, namely merchant name, item descriptions, item quantities, item unit prices, currency, and total amount, capped at twenty (20) line items per record and processed under a not-linked, not-tracking model. For the sole purpose of producing accurate user counts across reinstalls and devices, we may associate such events with a stable internal profile identifier derived from your device-platform account. This identifier is not your real-world identity and cannot reasonably be used to identify you. Where you participate in a collaborative session via our web client without installing the App, a separate temporary pseudonymous identifier is generated for the limited duration of your participation and is not retained beyond the lifetime of that session.

3.6 Device name (local only). The App may read your device name locally in order to pre-populate a display name for use within the App. This value is not transmitted to our servers.

3.7 Device permissions. The App requests access to your device's camera and photo library solely so that you may capture or select an image of a receipt for scanning. We do not enumerate, index, or otherwise access the contents of your photo library, and we do not retain any image obtained through such access except where you expressly choose to save the resulting parsed receipt within the App.

3.8 Crash and diagnostic data. We process limited diagnostic information generated by your device's operating system in the event of an application crash or significant performance issue, including (without limitation) stack traces, exception types, device model, and application version. Such data is processed for the sole purpose of identifying, reproducing, and remediating defects, and does not include the contents of your receipts or any directly identifying information.

3.9 Device attestation. In order to prevent abuse of our parsing infrastructure and to enforce fair-use limits, each request transmitted to our servers is accompanied by a cryptographic attestation produced by your device's secure enclave. Such attestation includes a device-derived key identifier and a per-request signature. The key identifier is not associated with your real-world identity, is rotated upon reinstallation of the App, and is processed solely for the purposes of integrity verification, rate-limiting, and fraud prevention.

4. Data We Do Not Collect

We do not collect your name, email address, postal address, telephone number, payment-card details, precise location, contact list, or the contents of your photo library outside of images that you expressly submit for scanning. The App does not require user registration or the creation of an account with us.

5. Purposes and Legal Bases of Processing

5.1 Provision of the App's core scanning and bill-splitting features. Legal basis: performance of a contract with you.

5.2 Security, abuse prevention, and enforcement of fair-use limits. Legal basis: our legitimate interests.

5.3 Pseudonymous analytics, research, and product improvement. Legal basis: our legitimate interests.

5.4 Compliance with applicable legal and regulatory obligations. Legal basis: compliance with a legal obligation.

6. Categories of Recipients

6.1 We share Personal Data only with the following categories of service providers, each bound by contractual data-protection obligations:

  • device-platform providers, for application distribution and for private storage associated with your device-platform account;
  • artificial-intelligence processing providers, for the parsing of receipt images and text;
  • merchant-identification providers, for the limited purpose of retrieving brand assets (such as logos) corresponding to merchant names appearing on parsed receipts;
  • analytics providers, for pseudonymous product analytics and crash diagnostics;
  • cloud-infrastructure providers, for the hosting, delivery, and security of our services.

6.2 We do not sell Personal Data, and we do not share Personal Data for cross-context behavioural advertising.

7. International Transfers

Personal Data may be processed in jurisdictions outside your country of residence, including the United States and the European Economic Area. Where required by applicable law, such transfers are safeguarded by Standard Contractual Clauses or equivalent legal mechanisms.

8. Retention

8.1 Receipt images and text transmitted for parsing are discarded immediately after the parsing response is returned.

8.2 Receipts and records that you save are retained in the private storage associated with your device-platform account under your control; we cannot access or delete such data on your behalf.

8.3 Collaborative session data is deleted automatically within a limited period not exceeding sixty (60) minutes from the end of the session.

8.4 Shareable summary links expire, and the associated data is deleted, no later than thirty (30) days after creation.

8.5 Pseudonymous analytics data may be retained for up to twenty-four (24) months in aggregated or pseudonymised form.

8.6 Crash and diagnostic data may be retained for up to twenty-four (24) months in pseudonymised form for the sole purpose of defect identification and remediation.

8.7 Device-attestation key identifiers and associated abuse-prevention signals may be retained for up to twenty-four (24) months for the sole purposes of fraud prevention, integrity verification, and the enforcement of fair-use limits.

9. Your Rights

9.1 Subject to applicable law, you may have the right to (a) access, (b) rectification, (c) erasure, (d) restriction of processing, (e) data portability, (f) objection to processing, (g) withdrawal of consent (where processing is based on consent), and (h) lodging a complaint with a competent supervisory authority.

9.2 To exercise these rights, contact us at hi@tangerineapp.co. Because the App does not require registration and most of your data resides on your own device or within your device-platform account, many requests may be fulfilled directly by deleting the App or the relevant items from your device.

10. Security

We implement reasonable technical and organisational measures designed to protect Personal Data, including encryption in transit and access controls. No method of transmission or storage is fully secure, and we cannot guarantee absolute security.

11. Children

The App is not directed to, and is not intended for use by, children under the age of thirteen (13), or such higher minimum age as may be required in your jurisdiction. We do not knowingly process Personal Data from children. If you believe that a child has provided Personal Data to us, please contact us and we will take appropriate action.

12. Changes to this Policy

We may amend this Policy from time to time. Material changes will be reflected by updating the "Last updated" date above and will, where reasonably practicable, be brought to your attention by means of an in-app notice upon the next launch of the App following such amendment. Your continued use of the App following such amendment constitutes your acceptance of the updated Policy.

13. Contact

Questions, requests, or complaints relating to this Policy should be directed to hi@tangerineapp.co. If you submit a message through the contact form on the marketing website (tangerineapp.co), the form forwards your message to our email together with your IP address and browser User-Agent string for the limited purpose of moderating spam and abuse. These fields are retained only as part of the email correspondence and are not used to build a profile of you, sold, or shared with third parties.