Privacy & data handling

Effective 9 June 2026 · Plain-English. This is how Recoup treats your data — and the limits we hold ourselves to.

Recoup will never ask you for money, your password, your bank or card details, or remote access to your device. Money only ever changes hands on the official government, airline, or vendor website — never inside Recoup. We never make a payment or move funds for you.

The paste path never leaves your device

When you paste a statement, the entire recovery scan runs 100% in your browser (recover.js). No statement text is uploaded, logged, or sent anywhere. Close the tab and it's gone.

The Gmail path — read-only, minimal, deletable

Scope: read-only Google OAuth (gmail.readonly). Recoup can read mail to detect subscriptions/receipts; it can never send, delete, or modify anything.
What we use: only the sender + subject + snippet of subscription/receipt emails, to identify recurring services. We don't store your message bodies.
What we store: detected subscriptions are held only transiently in server memory for your session, then discarded; the claims you approve may be saved to our database (MongoDB). We never store your Gmail password or your full inbox.
Revoke anytime: remove Recoup's access at myaccount.google.com/permissions. You can also disconnect in-app.
Current status: the OAuth app is published but not yet Google-verified, so you'll see Google's "unverified app" screen — click Advanced → Continue to proceed. Access is capped (~100 users) until Google's formal security review. No sign-in is needed — the paste path works without any account.

We never sell your data

We do not sell, rent, or share your data with advertisers or data brokers — ever. Reasoning is done by Google Gemini on the text of your findings only; amounts come from deterministic rules, not the model.

Who runs Recoup & how to reach us

Data controller: Vaibhav Lalwani — a student developer at the University of Liverpool. This is an independent student project, not a company. Send contact or data-deletion requests via an issue on the GitHub repository.

Sub-processors: the app is designed to be hosted on Google Cloud Run. For the Gmail path only, the sender/subject/snippet of subscription emails are processed by Google Gemini (reasoning) and may be held transiently in MongoDB (US-hosted). Every API response carries a short random trace_id for debugging, and standard server access logs may record request metadata (never your statement text, which stays in your browser on the paste path). Recoup's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Your control

You approve every action — nothing is sent on your behalf without your tap. You can disconnect Gmail and request deletion of your stored findings at any time by opening an issue on the GitHub repository; the in-app "Delete my data" clears server-held findings immediately.

Legal basis, retention & your rights (UK/EU GDPR)

Legal basis: the paste path processes no personal data on our servers (it runs entirely in your browser). For the Gmail path, our basis is your explicit consent (Art. 6(1)(a)), which you can withdraw at any time.
Retention: Gmail-derived findings are discarded within 30 minutes (or immediately when you use "Delete my data"); any claim you explicitly approve is retained only until you request its deletion.
Your rights: access, rectification, erasure, restriction, portability, and objection. You can erase Gmail-derived data yourself in-app ("Delete my data") — no request needed.
Complain: you may lodge a complaint with the UK ICO (or your local EU supervisory authority) if you believe your data has been mishandled.
International transfers: the Gmail path may send the sender/subject/snippet to US-hosted processors (Google Gemini, MongoDB). Transfers rely on the EU-US / UK Data Privacy Framework (Google is DPF-certified) plus standard contractual clauses / the UK IDTA where applicable. The paste path transfers nothing.
Breach notification: if a breach is likely to affect your rights, we notify the ICO within 72 hours and you without undue delay.
No children / special category: Recoup is not intended for anyone under 16. Receipt snippets are read only to identify a service — please don't paste special-category data.

Honest limits

This is a hackathon project. It is not yet a verified, audited, production financial service. Treat it as a tool that helps you find and draft claims — you file them yourself on the official portals, and you're responsible for the accuracy of anything you submit.

← Back to Recoup