Privacy Policy
We built DeductSam to help you find money, not to sell your data. Here is exactly what we collect, why, and how it is protected.
This Privacy Policy describes how DeductSam, Inc. ("DeductSam," "we," "us," or "our") collects, uses, and shares information when you use our website at deductsam.com and our application at app.deductsam.com (collectively, the "Service"). By using the Service, you agree to the collection and use of information as described in this policy.
1. Information We Collect
Information you provide directly
When you create an account or use the Service, we collect:
- Account information — your name, email address, and password (stored as a secure hash — see Section 4).
- Business profile — the type of business you operate, whether you use a home office or vehicle for work, number of employees, state of operation, and other context you share during the onboarding interview. This is used exclusively to personalize Sam's guidance.
- Expense data — merchants, amounts, dates, categories, notes, and business purpose descriptions you enter for your expenses.
- Receipts and documents — images and PDFs you upload. Receipt files are stored in encrypted cloud storage and accessed only to perform optical character recognition (OCR) and match them to your expenses.
- Invoice data — client names, email addresses, amounts, and line items for invoices you create inside the Service.
- Payroll and contractor data — if you use the payroll tracking feature, you may enter wage, salary, and contractor payment information.
Information collected automatically
- Usage data — pages visited, features used, and general interaction patterns. This is used to improve the product, not to build advertising profiles.
- Error reports — if the application crashes or encounters an error, an anonymized error report (including the error message and stack trace, but not the content of your data) is sent to our error monitoring provider, Sentry.
- Authentication tokens — short-lived session tokens managed by Supabase Auth. We do not store your password in plaintext at any point.
Information from connected services
If you choose to connect third-party services, we collect data from those services on your behalf:
- Plaid (bank and credit card sync — Core and Pro plans) — with your explicit authorization, Plaid provides us read-only access to your transaction history. We receive transaction amounts, dates, merchant names, and categories. We do not receive your full account number, routing number, or login credentials — Plaid handles that directly. You can revoke access at any time from Settings.
- Google (Gmail sending — Core and Pro plans) — if you connect Gmail to send invoices, we store OAuth tokens that grant DeductSam the ability to send email on your behalf. We use this permission only to send invoices you explicitly initiate. We do not read your inbox or access any emails beyond the send operation.
- Square (revenue sync — Pro plan, coming soon) — Square integration is not yet available, so we do not currently receive any data from Square. When it launches, connecting Square will let us receive your sales and payment data to populate your income ledger. We will not access customer data, refund information, or employee records from Square beyond what is needed to calculate your revenue.
2. How We Use Your Information
We use the information we collect to:
- Provide, operate, and improve the Service
- Power Sam's AI analysis — identifying potential deductions, generating Tax Health scores, creating Year-End Packets, and responding to your questions
- Perform OCR on receipts you upload so they can be automatically matched to expenses
- Send invoices to clients on your behalf when you use the Gmail or email send features
- Process payments and manage your subscription via Stripe
- Send you transactional emails (receipt confirmations, subscription renewals, security alerts)
- Diagnose and fix technical errors
- Comply with applicable legal obligations
We do not use your data to train AI models for external use, sell your information to advertisers, or build advertising profiles.
3. How We Share Your Information
We share your information only as necessary to operate the Service:
Service providers
We work with the following companies to deliver the Service. Each receives only the minimum data necessary to perform its function:
- Supabase — database and file storage. Your data is stored in Supabase-managed PostgreSQL databases and object storage, encrypted at rest.
- OpenAI — powers Sam's AI capabilities. We send expense descriptions, merchant names, receipt text, business profile details, and invoice line items to OpenAI's API to generate Sam's responses. We do not send Social Security numbers, bank account numbers, government IDs, or your email address to OpenAI. OpenAI processes this data under their API data usage policy.
- Stripe — payment processing. Stripe collects and processes your payment information directly. DeductSam does not store full card numbers or CVV codes.
- Plaid — bank data access. Plaid acts as the intermediary between DeductSam and your financial institution. Your banking credentials go directly to Plaid, not to us.
- Sentry — error monitoring. Sentry receives anonymized error reports. Error reports do not include your financial data.
- Vercel — application hosting. Your requests pass through Vercel's infrastructure to reach our servers.
Google API Services Limited Use
DeductSam's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. The Gmail access you grant is used only to send invoices you explicitly initiate. We do not use Gmail data for advertising, we do not allow humans to read it, and we do not sell it or transfer it to anyone except as necessary to provide this feature, to comply with applicable law, or in connection with a merger or acquisition.
Legal requirements
We may disclose your information if required by law, legal process, or government request — for example, in response to a court order or subpoena. We will notify you of any such request if permitted to do so.
Business transfers
If DeductSam is acquired or merges with another company, your information may be transferred as part of that transaction. We will notify you before your data is subject to a different privacy policy.
With your consent
We will share your information with additional parties only with your explicit consent.
4. How We Protect Your Data
- Encryption at rest — all data stored in Supabase databases and file storage is encrypted using AES-256.
- Encryption in transit — all connections to DeductSam use TLS 1.2 or higher. HSTS headers ensure browsers enforce HTTPS for all future visits.
- Row-level security (RLS) — Supabase RLS policies enforce that every database query is scoped to your authenticated user ID. You cannot query another user's data.
- Passwords — we never store your password in plaintext. Authentication is managed by Supabase Auth, which uses bcrypt hashing.
- Two-factor authentication — you can enable TOTP-based two-factor authentication from Settings. Recovery codes are hashed before storage.
- API keys — all third-party API keys (Plaid, OpenAI, Stripe) live only on our servers. They are never bundled into the frontend application code.
- Rate limiting — all API endpoints are rate-limited to protect against abuse.
No method of transmission over the internet is 100% secure. We take reasonable precautions, but cannot guarantee absolute security.
5. Data Retention
We retain your data for as long as your account is active. If you delete your account:
- Your personal data is deleted from our production database within 30 days.
- Receipt and document files are deleted from storage within 30 days.
- Backup copies may persist for up to 90 days before being overwritten.
- Anonymized, aggregated usage data (with no personally identifiable information) may be retained indefinitely for product analytics.
6. Your Rights
You have the right to:
- Access your data — you can export all your expense data and invoices from Settings at any time.
- Correct your data — you can edit any expense, business profile field, or account detail directly in the app.
- Delete your account — you can delete your account from Settings › Account. Deletion is permanent and cannot be undone.
- Revoke third-party access — you can disconnect Plaid or Gmail connections at any time from Settings › Integrations. (Square support is coming soon and will be similarly revocable.)
- Opt out of AI processing — you can choose not to use Sam's AI features. Expense entry without AI assistance is available on all plans.
If you are a resident of California, the EU, or another jurisdiction with specific privacy laws, you may have additional rights. Contact us at deductsam@gmail.com to exercise any of these rights.
7. Children's Privacy
The Service is not directed at children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us and we will delete it promptly.
8. Cookies and Tracking
We use a minimal set of cookies:
- Session cookies — required for authentication. These expire when you close your browser unless you select "Remember me."
- Preference cookies — store your cookie consent choice and billing preference (monthly/annual). Stored in localStorage, not transmitted to our servers.
We do not use advertising cookies, cross-site tracking pixels, or third-party analytics that build profiles across the web.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by displaying a notice in the app at least 14 days before the change takes effect. Continued use of the Service after a change constitutes your acceptance of the updated policy.
10. Contact Us
If you have questions, concerns, or requests regarding your privacy, please contact us at:
DeductSam, Inc.
Email: deductsam@gmail.com
We will respond to all privacy inquiries within 10 business days.