Krate Privacy Policy

Effective date: May 12, 2026. Applies to Krate 1.0 and later on iOS.

Introduction

Krate is published by Finn Digital LLC ("we," "us," or "our"). This policy explains what personal and business data we collect when you use the Krate iOS app, how we use it, and your rights regarding that data.

We collect only what is necessary to deliver Krate's features. We do not sell your data. We do not run third-party advertising.

Data We Collect

The following data categories are collected. All data is linked to your account and used for app functionality — never for cross-app or cross-site tracking.

• Identity & contact — your email address, phone number, and display name, collected at sign-up or profile creation. Used to authenticate your account, send transactional emails (receipts, submission confirmations), and contact you about your subscription.
• Invoice photos — photos of DSD invoices captured in-app. Processed on-device by Apple Vision and, when AI extraction is requested, sent to our secure Firebase Cloud Functions endpoint for further processing. Photos are stored in Firebase Storage, scoped to your account, and are never used for any purpose other than extracting invoice data for you.
• Precise location — when you enable location access, used to pre-fill the store address on a new invoice or store record. Location data is not transmitted to our servers; it is used locally on your device only.
• User ID — a unique identifier assigned to your account in Firebase Authentication. Used to scope all your data (stores, invoices, submissions) and to identify your subscription status.
• Purchase history — your Krate subscription tier, trial status, and billing dates. This information is stored in Firebase Firestore and passed to Stripe for payment processing. We do not store full credit card numbers.
• Product interaction (analytics) — screen views, feature usage events (e.g., "invoice scanned," "scan-data submitted"), and session duration. Collected via Firebase Analytics. No advertising identifiers are used.
• Product interaction (app functionality) — invoice records, scanned SKUs, submission logs, compliance calendar entries, and rebate tracking data. Stored in Firebase Firestore, scoped to your account and store.
• Crash data — stack traces and device metadata collected automatically when the app crashes, via Firebase Crashlytics. Used to identify and fix bugs. No personally identifiable information is attached to crash reports.

How We Use Your Data

• To operate the app: authenticate your session, display your stores and invoices, submit scan-data on your behalf, and send compliance reminders.
• To process payments: pass billing data to Stripe to charge your subscription and issue receipts.
• To communicate with you: send transactional emails (submission confirmations, receipts, password resets) via Mailgun. We do not send marketing emails without your explicit opt-in.
• To improve the app: analyze aggregated, anonymized usage patterns and crash reports to prioritize bug fixes and new features.
• To provide AI-assisted extraction: forward invoice photo data to our AI pipeline (powered by Apple Vision on-device and Anthropic Claude for structured extraction) solely to extract line-item data for your records.

Third-Party Services

We share data with the following service providers, limited to what is necessary for each service:

• Google Firebase (Authentication, Firestore, Storage, Cloud Functions, Crashlytics, Analytics) — core infrastructure for accounts, data storage, and crash reporting.
• Stripe — payment processing for subscriptions. Stripe's privacy policy governs how they handle payment card data. We do not store raw card numbers.
• Mailgun — transactional email delivery (receipts, submission confirmations). Mailgun receives your email address when we send you a message.
• Anthropic (Claude) — AI-powered structured data extraction from invoice text. Invoked server-side via Firebase Cloud Functions. Invoice line-item text is sent to Anthropic's API and is subject to Anthropic's data usage policy.
• Apple Vision — on-device OCR for invoice scanning. All processing occurs locally; no data is sent to Apple as part of this feature.

Scan-Data Submissions

When you use Krate's scan-data autopilot feature, Krate submits scan-data reports to manufacturer portals using credentials you provide. You authorize these submissions and are solely responsible for the accuracy of the underlying data. Krate logs each submission for your records. Your portal credentials are stored encrypted in Firebase and are never shared with third parties beyond the submission endpoint you configure.

Data Retention

• Invoice records, scan-data logs, and compliance entries are retained as long as your account is active.
• On account deletion, all your data (Firestore documents, Storage objects, authentication record) is permanently deleted within 30 days.
• Crash logs and anonymized analytics aggregates may be retained for up to 2 years in aggregated, non-identifiable form.
• Stripe retains billing records as required by financial regulations (typically 7 years).

Your Rights

Regardless of where you are located, you have the following rights:

• Access — request a copy of all data associated with your account.
• Correction — request correction of inaccurate personal data.
• Deletion — delete your account from the app (Settings → Delete Account) or by emailing us. All account data is removed from our servers within 30 days.
• Portability — request an export of your invoice records and submission logs in a machine-readable format.
• Opt-out of analytics — disable Firebase Analytics by toggling "Analytics" off in Krate's Settings screen. This does not affect core app functionality.

California residents (CCPA): You have the right to know what personal information we collect, to delete it, and to opt out of any sale (we do not sell personal information). To exercise your rights, email us at the address below.

EEA/UK residents (GDPR): Our lawful basis for processing is contractual necessity (to deliver the subscription service you purchased) and legitimate interest (crash reporting and analytics to improve the app). You may lodge a complaint with your local supervisory authority if you believe we have violated your rights.

Children

Krate is a business tool intended for adults operating retail establishments. We do not knowingly collect personal information from anyone under 18. If you believe a minor has created an account, contact us and we will delete it.

Security

All data in transit is encrypted with TLS. Firestore and Storage Security Rules enforce per-user access — no user can read another user's data. Stripe handles card data under PCI DSS compliance. We do not store passwords; authentication is delegated to Firebase's secure credential store.

Changes to This Policy

If we make material changes to this policy we will update the effective date above and notify active subscribers by email at least 14 days before the changes take effect.

Contact

Privacy questions, data requests, or account deletion: [email protected]

Finn Digital LLC, Gainesville, FL 32608, United States.