BillRecorder Privacy Policy
Effective Date: July 17, 2025
Last Updated: July 17, 2025
1. Parties and Definitions
This Privacy Policy (hereinafter referred to as "PRIVACY POLICY" or "POLICY") governs the collection, use, disclosure, and protection of personal information in connection with the BillRecorder mobile application.
1.1 Service Provider: Cmv Teknoloji Sanayi Ve Ticaret Limited Şirketi (hereinafter referred to as "COMPANY", "we", "us", or "our"), a limited liability company organized and existing under the laws of Turkey.
1.2 Application: BillRecorder mobile application (hereinafter referred to as "APP", "APPLICATION", or "SERVICE"), an AI-powered receipt and bill analysis application available on iOS and Android platforms.
1.3 User: Any individual who downloads, installs, accesses, or uses the Application (hereinafter referred to as "USER", "you", or "your"), whether registered or not.
1.4 Personal Data: Any information relating to an identified or identifiable natural person, including but not limited to names, email addresses, device identifiers, usage patterns, and any data that can be used to identify an individual directly or indirectly.
2. Scope and Acceptance
2.1 Binding Agreement: By downloading, installing, accessing, or using the Application, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy in its entirety. This Privacy Policy constitutes a legally binding agreement between you and the Company.
2.2 Prerequisite for Use: Acceptance of this Privacy Policy is a mandatory prerequisite for using the Application. If you do not agree with any provisions of this Privacy Policy, you must immediately cease using the Application and uninstall it from your device.
2.3 Continuous Acceptance: Your continued use of the Application after any modifications to this Privacy Policy constitutes your acceptance of such modifications.
3. Information We Collect
We collect various types of information to provide and improve our services, ensure security, and enhance user experience.
3.1 Information You Actively Provide
3.1.1 Account Information:
- Email address obtained through Google Sign-In or Apple Sign-In authentication
- Profile information associated with your Google or Apple account (name, profile picture)
- User preferences and settings within the Application
- Language preferences and notification settings
3.1.2 Receipt and Bill Data:
- Digital images of receipts, bills, and invoices captured through device camera
- Receipt images selected from device gallery or photo library
- Extracted textual information from receipts including but not limited to:
- Merchant names and business information
- Transaction amounts and currency
- Purchase dates and times
- Product descriptions and quantities
- Tax information and receipt numbers
- Store locations and addresses (when present on receipts)
- User-generated categories, tags, and notes associated with receipts
- Expense categories and custom classifications
3.1.3 Communication Data:
- Support requests and customer service communications
- Feedback, suggestions, and user-generated content
- Responses to surveys or promotional communications
3.2 Automatically Collected Information
3.2.1 Device and Technical Information:
- Device model, manufacturer, and hardware specifications
- Operating system version and type (iOS/Android)
- Application version and build information
- Device identifiers (IDFA, GAID, device UUID)
- Screen resolution and device orientation
- Available storage space and memory usage
- Network connection type (WiFi, cellular) and carrier information
- IP address and approximate geographic location derived from IP
3.2.2 Usage and Analytics Data:
- Application launch and session duration
- Feature usage patterns and frequency
- Screen views and user interface interactions
- Button clicks, swipes, and navigation patterns
- Receipt processing times and success rates
- Error logs and crash reports
- Performance metrics and response times
3.2.3 Camera and Media Access:
- Metadata from captured images (timestamp, camera settings)
- Image quality metrics and processing statistics
- Camera permission status and usage patterns
4. How We Use Your Information
We process your personal information for various legitimate business purposes, always in accordance with applicable data protection laws.
4.1 Primary Service Functions
- Receipt Analysis: Processing receipt images using AI technology to extract relevant data
- Data Organization: Categorizing and organizing extracted receipt information
- Account Management: Creating, maintaining, and authenticating user accounts
- Data Synchronization: Syncing user data across devices and platforms
- Expense Tracking: Providing expense management and tracking capabilities
4.2 Service Improvement and Development
- AI Model Training: Improving receipt recognition accuracy through machine learning (using anonymized data)
- Feature Development: Developing new features and enhancing existing functionality
- Performance Optimization: Optimizing application performance and user experience
- Bug Detection: Identifying and resolving technical issues and bugs
4.3 Communication and Support
- Customer Support: Providing technical support and responding to user inquiries
- Notifications: Sending push notifications about application updates and important information
- Service Communications: Sending transactional emails related to account activity
4.4 Legal and Security Purposes
- Fraud Prevention: Detecting and preventing fraudulent activities
- Security Monitoring: Monitoring for security threats and unauthorized access
- Legal Compliance: Complying with applicable laws and regulations
- Terms Enforcement: Enforcing our Terms of Service and other agreements
5. Third-Party Services and Data Sharing
We work with trusted third-party service providers to deliver our services. Each provider has strict contractual obligations regarding data protection.
| Service Provider |
Primary Purpose |
Data Categories Shared |
Data Processing Location |
| Google Firebase |
Authentication, database, analytics, crash reporting |
Account data, usage analytics, crash logs, device information |
Global (Google Cloud Infrastructure) |
| OpenAI GPT-4.1 |
AI-powered receipt analysis and text extraction |
Receipt images, extracted text content |
United States |
| Google Sign-In |
User authentication and account creation |
Email address, basic profile information |
Global (Google Infrastructure) |
| Apple Sign-In |
User authentication and account creation |
Email address (optional), user identifier |
Global (Apple Infrastructure) |
5.1 Data Sharing Principles
- Minimum Necessary: We share only the minimum data necessary for each service provider to perform their function
- Contractual Protection: All third-party providers are bound by strict data protection agreements
- Purpose Limitation: Data is shared only for specified, legitimate business purposes
- Security Requirements: All providers must maintain appropriate security measures
5.2 Circumstances for Data Disclosure
We may disclose your personal information in the following circumstances:
- Legal Obligations: When required by law, court order, or government authority
- Safety Protection: To protect the safety of users or prevent illegal activities
- Business Transfers: In connection with mergers, acquisitions, or asset transfers (with prior notice)
- Consent: When you have provided explicit consent for specific disclosures
6. Data Storage, Security, and Retention
We implement comprehensive security measures to protect your personal information and maintain its confidentiality.
6.1 Security Measures
- Encryption: All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption
- Access Controls: Strict role-based access controls and multi-factor authentication for system access
- Network Security: Firewalls, intrusion detection systems, and secure network architecture
- Regular Audits: Periodic security audits and vulnerability assessments
- Data Backup: Secure, encrypted backup systems with disaster recovery procedures
- Employee Training: Regular security training for all personnel with data access
6.2 Data Retention Periods
- Active Account Data: Retained until you delete your account or request deletion
- Receipt Images: Stored securely until manually deleted by user
- Extracted Receipt Data: Retained for the duration of account activity
- Analytics Data: Aggregated and anonymized data may be retained for up to 3 years
- Support Communications: Retained for 2 years for quality assurance purposes
- Legal Data: Some data may be retained longer when required by law
6.3 Account Deletion Process
- Soft Deletion: When you delete your account, data is immediately marked for deletion and becomes inaccessible
- Grace Period: Data is retained in soft-deleted state for 30 days to allow account recovery
- Permanent Deletion: After 30 days, all personal data is permanently and irreversibly deleted
- Third-Party Notification: We notify relevant third-party services to delete shared data
7. Permissions and Device Access
The Application requires certain device permissions to function properly. All permissions are requested with clear explanations.
7.1 Required Permissions
| Permission |
Purpose |
Required/Optional |
Impact if Denied |
| Camera Access |
Capture receipt photos for analysis |
Required |
Cannot capture new receipts |
| Photo Library |
Select existing receipt images |
Optional |
Cannot import existing photos |
| Push Notifications |
Send important updates and alerts |
Optional |
No impact on core functionality |
| Internet Access |
Data sync and AI processing |
Required |
No receipt analysis or sync |
| Local Storage |
Cache data and offline access |
Required |
Cannot store data locally |
7.2 Permission Management
- Granular Control: You can manage permissions individually through device settings
- Runtime Requests: Permissions are requested only when needed for specific features
- Clear Explanations: Each permission request includes a clear explanation of its purpose
- Graceful Degradation: Application functions appropriately even with limited permissions
8. Your Privacy Rights
You have comprehensive rights regarding your personal data, which we fully respect and facilitate.
8.1 Access and Portability Rights
- Data Access: Request a complete copy of all personal data we hold about you
- Data Portability: Receive your data in a structured, machine-readable format
- Account Dashboard: View and manage your data through in-app settings
- Export Features: Export your receipt data in various formats (CSV, PDF, JSON)
8.2 Correction and Update Rights
- Data Correction: Correct any inaccurate or incomplete personal information
- Profile Updates: Update account information and preferences at any time
- Receipt Editing: Modify extracted receipt data for accuracy
8.3 Deletion and Restriction Rights
- Right to Erasure: Request complete deletion of your personal data ("right to be forgotten")
- Selective Deletion: Delete specific receipts or data categories
- Processing Restriction: Request limitation of data processing in certain circumstances
- Account Deactivation: Temporarily deactivate your account while retaining data
8.4 Objection and Consent Rights
- Processing Objection: Object to certain types of data processing
- Consent Withdrawal: Withdraw consent for optional data processing activities
- Marketing Opt-out: Unsubscribe from promotional communications
- Analytics Opt-out: Disable analytics data collection
8.5 Exercising Your Rights
- In-App Controls: Many rights can be exercised directly through application settings
- Email Requests: Contact us at info@cmvteknoloji.com for complex requests
- Response Timeline: We respond to requests within 30 days
- Identity Verification: We may require identity verification for security purposes
- No Charge: Exercising your rights is free of charge (except for manifestly unfounded requests)
9. International Data Transfers
Some of our service providers operate globally, which may involve transferring your data internationally.
9.1 Transfer Safeguards
- Adequacy Decisions: We prefer transfers to countries with adequate data protection laws
- Standard Contractual Clauses: Use of approved contractual clauses for other transfers
- Certification Programs: Working with providers certified under recognized privacy frameworks
- Additional Safeguards: Implementing supplementary measures where necessary
9.2 Transfer Transparency
- Provider Locations: Information about where each provider processes data is available
- Transfer Purposes: Clear explanation of why international transfers are necessary
- User Notification: We notify users of any significant changes to transfer arrangements
10. Children's Privacy
We are committed to protecting the privacy of children and complying with applicable children's privacy laws.
10.1 Age Requirements
- No Age Restrictions: The Application does not impose specific age restrictions
- Parental Guidance: We recommend parental or guardian supervision for users under 13
- Educational Use: The Application may be used for educational purposes under adult supervision
10.2 Special Protections
- Minimal Data Collection: We collect only necessary data for core functionality
- No Behavioral Advertising: We do not engage in behavioral advertising targeted at children
- Parental Rights: Parents can request access to or deletion of their child's data
- School Notifications: Schools using the Application must notify parents of data collection
11. Cookies and Tracking Technologies
We use various technologies to enhance user experience and collect analytics information.
11.1 Types of Technologies
- Analytics SDKs: Firebase Analytics for usage statistics and crash reporting
- Authentication Tokens: Secure tokens for maintaining login sessions
- Local Storage: Device storage for offline functionality and caching
- Push Notification Tokens: Device tokens for sending notifications
11.2 Purpose and Control
- Performance Monitoring: Tracking application performance and identifying issues
- User Experience: Remembering user preferences and settings
- Analytics: Understanding usage patterns to improve the application
- Security: Detecting and preventing fraudulent activities
- User Control: Most tracking can be disabled through device or application settings
12. Data Breach Response
We have comprehensive procedures for detecting, responding to, and reporting data security incidents.
12.1 Detection and Response
- Monitoring Systems: 24/7 monitoring for security threats and anomalies
- Incident Response Team: Dedicated team for rapid response to security incidents
- Containment Procedures: Immediate steps to contain and mitigate breaches
- Forensic Analysis: Thorough investigation to understand breach scope and cause
12.2 Notification Procedures
- Authority Notification: Report breaches to relevant authorities within 72 hours when required
- User Notification: Notify affected users without undue delay when high risk is involved
- Transparent Communication: Provide clear information about the breach and response measures
- Remediation Steps: Offer guidance on protective measures users can take
13. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements.
13.1 Update Process
- Regular Review: We review and update this policy regularly
- Material Changes: Significant changes require prominent notification
- Version Control: We maintain version history of policy changes
- Effective Date: Changes take effect on the date specified in the updated policy
13.2 Notification Methods
- In-App Notifications: Prominent notices within the application
- Email Notifications: Direct email to registered users for major changes
- Website Updates: Updated policy posted on our website
- Continued Use: Continued use of the application constitutes acceptance of changes
14. Legal Basis for Processing
We process personal data based on various legal grounds depending on the purpose and nature of processing.
14.1 Processing Grounds
- Contractual Necessity: Processing necessary to provide the Application services
- Legitimate Interests: Our legitimate business interests, balanced against your rights
- Consent: Your explicit consent for specific processing activities
- Legal Obligation: Compliance with applicable laws and regulations
- Vital Interests: Protection of life or physical safety in emergency situations
14.2 Balancing Test
- Necessity Assessment: We ensure processing is necessary for the specified purpose
- Proportionality: Processing is proportionate to the purpose and not excessive
- User Expectations: Processing aligns with reasonable user expectations
- Rights Impact: We consider the impact on your fundamental rights and freedoms
15. Dispute Resolution
We are committed to resolving privacy-related concerns and disputes fairly and efficiently.
15.1 Internal Resolution
- First Contact: Contact our privacy team at info@cmvteknoloji.com
- Response Timeline: We aim to respond within 5 business days
- Escalation Process: Unresolved issues can be escalated to senior management
- Documentation: We maintain records of all privacy complaints and resolutions
15.2 External Options
- Regulatory Complaints: You can file complaints with relevant data protection authorities
- Legal Remedies: You have the right to seek judicial remedies
- Alternative Dispute Resolution: We may participate in mediation or arbitration when appropriate
16. Contact Information and Data Protection Officer
17. Governing Law and Jurisdiction
This Privacy Policy is governed by applicable data protection and privacy laws.
17.1 Applicable Law
- Primary Jurisdiction: Turkish data protection laws (KVKK - Personal Data Protection Law)
- International Users: Additional compliance with GDPR, CCPA, and other applicable laws
- Conflicts: In case of conflicts, the most protective law for user privacy applies
17.2 Compliance Framework
- Regular Audits: Regular compliance audits and assessments
- Legal Updates: Monitoring and implementing changes in privacy laws
- Cross-Border Compliance: Ensuring compliance across all jurisdictions where we operate
- Industry Standards: Following best practices and industry standards
This Privacy Policy was last updated on July 17, 2025, and is effective immediately.