Privacy Policy
Last updated: 2 May 2026
1. Who we are
Shopka ("we", "us", "our") is a chat-first AI assistant that helps you track your personal spending. We are the data controller within the meaning of Art. 4 (7) of Regulation (EU) 2016/679 (the "GDPR") for the personal data processed in connection with the service.
Contact for privacy matters: support@shopka.app
2. Personal data we process
- Identity & contact data. When you sign in via a supported messenger (currently Telegram), we receive your channel user ID and display name from the platform. We do not collect your phone number or email unless you provide it.
- Receipt and purchase data. When you forward receipts (photo, QR, or text), we process and store the items, totals, merchant, date, and category.
- Family-sharing data. If you create or join a family, we store membership and the receipts you choose to share with that family.
- Technical data. Application logs (timestamps, error codes) and IP addresses at the network edge for short-term security and abuse prevention.
- Communication data. The messages you send to the bot.
3. Purposes and legal basis for processing
We process your personal data on the following bases under Art. 6 (1) GDPR:
- Performance of contract — Art. 6 (1) (b). To provide the core service: read receipts, categorize items, return analytics, store your purchase history.
- Legitimate interests — Art. 6 (1) (f). To keep the service safe and prevent abuse (rate limits, security logging, fraud prevention).
- Consent — Art. 6 (1) (a). For optional features such as family sharing and any future anonymous community-statistics feature. You may withdraw consent at any time without affecting prior lawful processing.
4. Automated processing
We use automated systems (large language models and OCR models) to read your receipts and assign category and merchant tags. This processing does not produce decisions with legal or similarly significant effects on you within the meaning of Art. 22 GDPR. You may ask us to review or correct any automated output at any time.
5. Recipients and processors
- Hosting and infrastructure providers. Located in the EU/EEA, or covered by appropriate safeguards (see §6) when outside.
- Messaging platforms. Telegram is the current channel. Each platform processes the messages you send via that channel under its own privacy policy.
- AI model providers. Used for receipt parsing and categorization; only the receipt content is sent, never identifying account information.
We never sell personal data.
6. International transfers
Where personal data is transferred outside the EU/EEA, we rely on (i) an adequacy decision adopted by the European Commission, (ii) Standard Contractual Clauses adopted under Art. 46 (2) (c) GDPR, or (iii) another lawful transfer mechanism. A copy of the safeguards is available on request.
7. Retention
- Receipts and purchase history — retained while your account is active.
- Account deletion — your data is removed within 30 days of your deletion request, except where law requires longer retention (e.g. accounting records).
- Logs — kept for 90 days, then deleted or anonymised.
8. Your rights
Under Art. 15–22 GDPR you have the right to:
- access the personal data we hold about you;
- have inaccurate data rectified;
- request erasure ("right to be forgotten");
- restrict or object to processing;
- receive your data in a structured, machine-readable format (data portability);
- withdraw consent where consent is the legal basis;
- lodge a complaint with the supervisory authority in your EU/EEA country of residence.
To exercise any right, write to support@shopka.app. We respond within one month (Art. 12 (3) GDPR).
9. Security
We use industry-standard encryption in transit (TLS 1.3) and at rest. Access to personal data is limited to authorised personnel under confidentiality obligations.
10. Cookies and similar technologies
The marketing site uses no third-party tracking cookies. A single functional cookie / localStorage entry stores your locale preference. Functional storage strictly necessary to deliver a service explicitly requested by the user is exempt from consent under Art. 5 (3) of Directive 2002/58/EC (the ePrivacy Directive).
11. Children
The service is not intended for users under 16. We do not knowingly collect personal data from children. If you believe we may have collected such data, please contact us.
12. Changes to this notice
We may update this notice from time to time. The "Last updated" date at the top reflects the latest version. Material changes are announced through the service at least 30 days in advance.