Privacy Policy
Last updated: 6 July 2026
We appreciate your interest in our R3ALITY app (hereinafter the “App”) and our website. Protecting your personal data and the documents you upload is our highest priority. Below we inform you about the nature, scope, and purpose of processing personal data when using our App and website in accordance with the General Data Protection Regulation (GDPR).
1. Data controller
The controller responsible for data processing is:
R3NEW Holding Ltd.6 Emmanouil Raidi
1095 Nicosia
Cyprus
Email: privacy@r3ality.app
2. Principles of data encryption and data security
Your data is protected through modern technical and organizational security measures.
- All data transmission between the App and our servers takes place exclusively via encrypted TLS/HTTPS connections.
- Personal data is stored encrypted on our servers (encryption at rest).
- Local storage on your device is encrypted as part of the security mechanisms of the respective operating system.
- Access to stored data is limited to authorized systems and processes.
- End-to-end encryption (E2EE) is not technically feasible for the App’s core functions, because uploaded documents must be processed on our servers for automated processing by artificial intelligence.
Despite all security measures, complete security of data transmission over the internet cannot be guaranteed.
3. Collection and processing of personal data
3.1. Categories of data processed
When using the App, the following data may in particular be processed:
3.2. Account data
- Name (if provided)
- Email address
- User ID
3.3. Document and receipt data
- Uploaded receipt images
- Invoices
- Warranty documents
- Purchase receipts
- Other documents uploaded by the user
3.4. Automatically extracted information
- Merchant name
- Purchase date
- Purchase price
- Tax amount
- Tax rate
- Warranty periods
- Return periods
- Product information
3.5. Technical data
- Device model
- Operating system version
- App version
- Push token
- Error and crash logs
- anonymized usage and performance data (if you have consented)
3.6. Subscription and payment information
- Subscription purchase status
- Subscription type
- Subscription term
Payment data such as credit card or bank account details are not processed or stored by us.
3.7. Registration and account management
When you create a user account, we collect the data required to perform the contract, in particular your email address and, where applicable, other information you voluntarily provide.
This data is used to provide your user account and to associate your documents with you.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract)
3.8. Receipt scanning and AI processing
When you upload receipts or other documents, they are transmitted to our servers in encrypted form and processed there.
For automated analysis and extraction of relevant information, we use Google Cloud and Google Gemini services under existing data processing agreements.
Processing is solely for providing R3ALITY features, in particular:
- automatic recognition of receipt data
- extraction of purchase information
- calculation of warranty and return deadlines
- structuring and categorization of documents
According to Google's contractual assurances, customer data processed via the Google Cloud services we use is not used to train publicly available AI models.
Where personal data is processed outside the European Economic Area, this is done solely on the basis of appropriate safeguards under Art. 44 et seq. GDPR.
Processing and storage of data takes place primarily on Google Cloud servers within a data center in the European Union (EU). If, in exceptional cases (e.g. technical support by US parent company Google LLC), data is transferred to the USA, this is done on the basis of EU Standard Contractual Clauses (SCC).
Legal basis: Art. 6(1)(b) GDPR (performance of a contract)
3.9. In-app purchases and subscriptions
Purchases and subscriptions are handled exclusively through the respective platform providers:
- Apple App Store
- Google Play Store
We do not receive credit card, bank, or payment data. We only receive the information required to unlock Premium features regarding purchase status and subscription term.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract)
3.10. Push notifications
The App may send push notifications to remind you of upcoming warranty expirations, return deadlines, or other relevant events.
To deliver these notifications, technical device identifiers (push tokens) are transmitted to the push services of the respective operating system provider:
- Apple Push Notification Service (APNs)
- Firebase Cloud Messaging (FCM)
Enabling push notifications is voluntary and can be disabled at any time in your device settings.
Legal basis: Art. 6(1)(a) GDPR (consent)
4. Use of third-party services (sub-processors)
4.1. Google Firebase Crashlytics (Google Ireland Limited)
To improve the stability and security of the App, we use Google Firebase Crashlytics if you have consented to app analytics and the feature is enabled for the respective app environment.
In the event of a technical error or crash, the following technical diagnostic data may be processed:
- Device model
- Operating system version
- App version
- Time of the error
- Technical error codes and error logs (without receipt contents)
This data is used solely to analyze and fix technical errors.
Contents of uploaded receipts, documents, or financial data are not sent to Crashlytics. In particular, merchant names, amounts, item names, receipt numbers, or file names are not sent.
Legal basis: Art. 6(1)(a) GDPR (consent).
You may withdraw your consent at any time in the App settings under “Profile”.
4.2. Google Firebase Analytics (Google Ireland Limited)
To improve our App and understand usage, we use Google Firebase Analytics if you have consented.
The following information may be processed:
- App areas opened (for example, Dashboard, Receipts, Profile)
- General usage events (for example, receipt scan started, receipt saved)
- Device model, operating system version, and app version
- Technical status values (for example, success/error, duration in milliseconds)
No contents of uploaded receipts, documents, or financial data are sent to Firebase Analytics. In particular, email addresses, phone numbers, names, addresses, merchant names, amounts, item names, receipt numbers, file names, or login credentials are not sent as event data.
The data is used solely to improve the App, analyze errors, and optimize features.
Legal basis: Art. 6(1)(a) GDPR (consent).
You may withdraw your consent at any time in the App settings under “Profile”. Without consent, no Analytics data is collected.
4.3. Google Firebase Performance Monitoring (Google Ireland Limited)
To measure app performance and loading times, we use Google Firebase Performance Monitoring if you have consented.
The following technical performance data may be processed:
- App startup time
- Duration of technical operations (for example, synchronization, upload, analysis)
- General network and response times
- Technical metrics such as file-size categories (without file names)
No URLs containing personal identifiers, no storage paths, no receipt contents, and no login credentials are sent.
Legal basis: Art. 6(1)(a) GDPR (consent).
You may withdraw your consent at any time in the App settings under “Profile”.
4.4. Microsoft Clarity (Microsoft Ireland Operations Limited)
To improve usability and the user experience of the App, we may use Microsoft Clarity if you have consented.
Clarity may process the following information:
- anonymized session recordings (interactions such as taps and scrolling)
- heatmaps (aggregated usage patterns)
- technical device and app information
Sensitive areas of the App — in particular login, profile, receipt preview, receipt review, and receipt details — are masked in recordings. Receipt contents, financial data, login credentials, and profile data are not recorded in plain text.
Clarity is only activated if you have consented.
Legal basis: Art. 6(1)(a) GDPR (consent).
You may withdraw your consent at any time in the App settings.
Further information on Microsoft privacy is available at: https://privacy.microsoft.com/
4.5. Principles for app analytics
The data collected via the services described in sections 4.1 to 4.4:
- is not sold,
- is not used for advertising,
- is not used for cross-device advertising tracking,
- is used solely to improve the App, its stability, and usability.
4.6. Hosting and AI infrastructure
Our server infrastructure and AI processing are provided via Google Cloud.
Google processes data solely under existing data processing agreements and in compliance with applicable data protection law.
Further information on privacy at Google is available in Google’s privacy policy at: https://policies.google.com/privacy
5. Storage period and deletion
Personal data is generally stored only for as long as necessary to provide the App and its functions.
Users can delete individual documents at any time within the App.
Users can delete their account at any time.
After account deletion, personal data is removed from production systems without undue delay, unless statutory retention obligations apply.
Complete removal from backup copies follows our technical backup and deletion cycles.
6. Data export and data portability
Users can download their stored data via the App’s export function in a structured, machine-readable format.
Export may in particular include the following formats:
- CSV
- JSON
7. Your rights as a data subject
Under the GDPR, you have in particular the following rights:
7.1. Right of access (Art. 15 GDPR)
You have the right to obtain information about the personal data we process concerning you.
7.2. Right to rectification (Art. 16 GDPR)
You have the right to have inaccurate personal data corrected.
7.3. Right to erasure (Art. 17 GDPR)
You have the right to request deletion of your personal data.
7.4. Right to restriction of processing (Art. 18 GDPR)
You have the right to request restriction of processing under certain conditions.
7.5. Right to data portability (Art. 20 GDPR)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
7.6. Right to object (Art. 21 GDPR)
You have the right to object to processing of your personal data where it is based on legitimate interests.
7.7. Withdrawal of consent
Where processing is based on your consent, you may withdraw it at any time with effect for the future. The lawfulness of processing before withdrawal remains unaffected.
You may withdraw your consent to app analytics (Firebase Analytics, Firebase Crashlytics, Firebase Performance Monitoring, and Microsoft Clarity) at any time in the App settings under “Profile”.
To exercise your rights, an informal message to the following address is sufficient:
8. Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data violates the GDPR.
For R3NEW Holding Ltd., the following authority is in particular competent:
Office of the Commissioner for Personal Data Protection
Cyprus
Alternatively, you may contact the data protection supervisory authority of your habitual residence within the European Union.
9. Changes to this privacy policy
We reserve the right to amend this privacy policy when required due to technical, legal, or organizational changes.
The current version is available at any time within the App and on our website.