Privacy Policy
Last updated: May 2026
Your receipts never leave your device.
Endots LLC cannot see your expense data — we don't store it. Only an anonymous SHA-256 hash is sent to our server to verify the timestamp (for tamper-detection). The image itself stays in your browser.
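Your receipts never leave your device.
Endots LLC cannot see your expense data, because we do not store it. For tamper detection, only the SHA-256 hash computed from the image is sent to our server (the image itself is not sent).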
1. What we don't store
- Receipt images: Stored only in your browser's IndexedDB. Never uploaded to our servers.
- Expenses & trips: Stored only in your browser's IndexedDB. Not synced to any server we control.
- OCR results: Extracted on your device by Tesseract.js (Web/iOS) or Google ML Kit (Android). Raw OCR text is not transmitted.
- Rate viewing history: Not tracked or stored against your identity.
- Personal settings: Stored in your browser, not on our servers.
2. What we do collect (on our servers)
- Account data: Email address when you create an account, managed by Supabase authentication.
- Subscription state: Plan tier, billing status, via Stripe + Supabase.
- Receipt hashes: If you create a receipt, a SHA-256 hash (sha256:xxxxx) is sent to our server with a UTC timestamp. The hash cannot be reversed to reconstruct the image — it only proves "you had this exact file at this exact time" if you later need to verify it.
- Exchange shop submissions: Shop name, city, public rate data you choose to submit via Exchange Finder. This is shared community data, not private to you.
- Rate alerts: Trigger conditions (e.g., USD/JPY > 150) and email address needed to deliver notifications. No browsing history.
- Anonymous analytics: Page views and feature usage via Google Analytics 4 (when enabled). No personal identifiers.
3. Where data lives
- Your device (IndexedDB): All expenses, trips, receipt images, OCR results, integrity records, and personal settings.
- Our servers (Supabase, Tokyo ap-northeast-1): Only the items listed in section 2.
- Hosting: Vercel.
4. Third-party services
- Supabase: Authentication, subscription state, receipt hashes, exchange shop submissions, rate alerts.
- Stripe: Subscription billing.
- Google Analytics 4: Anonymous usage analytics (when configured).
- Google AdSense: Advertising on free tier (when enabled).
- Exchange Rate API / Frankfurter API: Public fiat currency rates.
5. Cookies
Used only for authentication (Supabase session) and analytics (Google Analytics, optional). You can disable cookies in your browser settings; the converter still works.
6. Data ownership & deletion
Because your expense data lives only on your device, you are the sole custodian. If you clear your browser data or uninstall the app, your local data is gone permanently — we cannot recover it for you.
To delete your account and the server-side records (receipt hashes, subscription, etc.), contact us at the email below.
7. Contact
For privacy inquiries, contact: privacy@endots.co