Stacko

Privacy Policy

Last updated: March 31, 2026

Summary: We collect only what's needed to run Stacko. Your scanned documents and financial data are encrypted and never sold. You can export or delete your data anytime.

1. Who We Are

Stacko is an AI-powered document vault and expense tracking application developed by XORIK ("we", "us", "our"). This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the Stacko mobile application.

Contact: hello@revolisapp.com

2. Data We Collect

2.1 Account Information

When you create an account, we collect:

Name and email address (from Google Sign-In, Apple Sign-In, or email registration)
Profile photo (if provided by your sign-in provider)
Language and currency preferences

2.2 Financial Data

When you use Stacko's expense tracking features:

Expense records you create (amount, store name, category, date, notes, tags)
Budget settings and goals
Bill reminder information
Spending streaks and statistics

Important: Stacko does NOT connect to your bank account. All financial data is entered by you through manual input or receipt scanning. We never access your bank, credit card, or payment accounts.

2.3 Scanned Documents & Receipts

When you scan documents or receipts:

Photos of scanned items (stored encrypted in our cloud storage)
Text extracted from scans (OCR data)
AI-classified categories and metadata
Document expiry dates (if detected)

2.4 Device & Usage Data

Device type, operating system version
App version
Language and region settings
Anonymous usage analytics (screens visited, features used)
Crash reports

2.5 Data We Do NOT Collect

Bank account or credit card numbers
Social Security or national ID numbers (even if visible on scanned documents, we do not extract or store these)
Precise GPS location
Contacts, call logs, or messages
Browsing history

3. How We Use Your Data

Purpose	Data Used	Legal Basis
Provide core app features	Account, financial, scanned data	Contract performance
AI receipt scanning & classification	Scanned images	Contract performance
AI spending insights & coaching	Aggregated expense data	Contract performance
Send notifications	Budget, expiry, streak data	Consent
Improve app quality	Anonymous usage analytics	Legitimate interest
Prevent fraud & abuse	API usage patterns	Legitimate interest
Process payments	Subscription status (via RevenueCat)	Contract performance

4. AI Processing

Stacko uses artificial intelligence to enhance your experience:

4.1 Receipt Scanning (Google Gemini)

When you scan a receipt or document, the image is sent to Google's Gemini API for text extraction and classification
Google processes the image to extract text, amounts, dates, and merchant names
Google does not retain your images after processing
See Google's AI terms: ai.google.dev/terms

4.2 Spending Insights (OpenAI)

Aggregated, anonymized spending summaries (not raw receipts) are sent to OpenAI's API for generating personalized insights
No personally identifiable information is included in AI requests
OpenAI does not use your data to train their models (API usage policy)
See OpenAI's terms: openai.com/policies

AI Transparency: We never send your full name, email, or personal identifiers to AI services. Only anonymous financial summaries and document images are processed.

5. Third-Party Services

Service	Purpose	Data Shared
Supabase	Database, authentication, file storage	All app data (encrypted)
Google Gemini API	Receipt/document scanning	Scanned images
OpenAI API	Spending insights	Anonymous spending summaries
RevenueCat	Subscription management	Purchase status, user ID
PostHog	Anonymous analytics	Usage events (no PII)
Google Sign-In	Authentication	Email, name, profile photo
Apple Sign-In	Authentication	Email (optional), name
Frankfurter API	Currency exchange rates	No user data

6. Data Storage & Security

Encryption at rest: All data stored in Supabase is encrypted using AES-256
Encryption in transit: All communications use TLS 1.3
Row Level Security: Database policies ensure each user can only access their own data
Vault security: Additional biometric/PIN protection for sensitive documents
API keys: All third-party API keys are stored server-side (Edge Functions), never on your device
PIN storage: Vault PINs are hashed (SHA-256) and stored in your device's secure enclave (iOS Keychain / Android Keystore)
Data location: Our servers are located in the European Union (Supabase EU region)

7. Your Rights

Under GDPR, CCPA, KVKK, and other applicable privacy laws, you have the right to:

Right	How to Exercise
Access your data	Settings → Data → Export Data (JSON)
Correct your data	Edit within the app
Delete your data	Settings → Danger Zone → Delete Account
Export your data	Settings → Data → Export (CSV/JSON)
Restrict processing	Contact hello@revolisapp.com
Withdraw consent	Disable notifications, delete account
Object to processing	Contact hello@revolisapp.com

Data Deletion: When you delete your account, all your data is permanently removed from our servers within 30 days. This includes all expenses, documents, scans, settings, and analytics data.

8. Data Retention

Active accounts: Data retained while your account is active
Deleted accounts: All data permanently deleted within 30 days
Analytics data: Anonymized, retained for 12 months
Crash reports: Retained for 90 days
AI processing: No data retained by AI providers after processing

9. Children's Privacy

Stacko is not intended for children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at hello@revolisapp.com.

10. Cookies & Tracking

The Stacko mobile app does not use cookies. We use PostHog for anonymous, privacy-focused analytics. No advertising trackers or third-party tracking SDKs are included in the app.

11. International Transfers

Your data may be processed in the European Union (Supabase), United States (AI APIs), and other countries where our service providers operate. We ensure appropriate safeguards are in place through Standard Contractual Clauses and adequacy decisions.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes through the app or by email. The "Last updated" date at the top indicates when this policy was last revised.

13. Contact Us

For privacy-related questions, data requests, or concerns:

Email: hello@revolisapp.com
Developer: Revolis