Privacy Policy

Last updated: May 16, 2026

This Privacy Policy explains how Aruha ("Aruha", "we", "our", or "us") collects, uses, stores, shares, and protects personal data when you use the Aruha mobile application, website, and related services (together, the "Service").

Aruha is an early-stage MVP product designed to help users scan grocery receipts, track pantry items, monitor grocery spending, and receive expiry-related reminders. Because the Service is still under active development, this Privacy Policy may be updated as the product, infrastructure, and features evolve.

Controller / Operator

The Service is operated for early testing and validation by the Aruha startup team.

Privacy and legal contact:
support@aruha.app

Until a registered legal entity is established, user requests related to privacy, access, correction, or deletion of personal data are received and handled by the Aruha startup team through the contact address above.

If the Service is later operated by a registered company, distribution partner, or other entity, this Privacy Policy will be updated to reflect the correct controller.

1. Data we collect or process

Depending on how you use the Service, we may collect or process the following categories of data:

1.1 Account data

The app uses Firebase Authentication for account access, supporting email/password login and Google Sign-In. When you create or use an account, we may collect:

• email address;
• user ID or account identifier;
• authentication provider (email/password or Google);
• profile information you choose to provide;
• account status and settings.

1.2 Receipt images and receipt-related data

When you scan, upload, or submit a grocery receipt, we may process:

• receipt images;
• QR code data;
• OCR text extracted from the receipt;
• store or merchant name;
• date and time of purchase;
• item names;
• quantities;
• unit prices;
• item prices;
• discounts, taxes, totals, and payment-related receipt fields where visible on the receipt.

You should avoid submitting receipts that contain information unrelated to grocery tracking or that you do not want processed by the Service.

1.3 Pantry, budget, and household tracking data

We may store and process data you create or save in the app, including:

• pantry items;
• manually corrected item names;
• quantities and units;
• expiry dates;
• grocery budget entries;
• shopping list items;
• spending history;
• recipes;
• meal plans and related meal planning data;
• app preferences and notification settings.

1.4 Technical, diagnostic, and usage data

The following technical data may be processed as part of normal cloud service operation:

• device type and operating system;
• app version;
• language and region settings;
• server-side logs generated by Firebase infrastructure as part of standard authentication and database operations.

No dedicated client-side analytics SDK or crash reporting SDK is currently installed in the app. Some technical information may still be processed by Firebase infrastructure services as a standard part of operating those services.

We do not intentionally collect precise location data unless a future feature clearly requires it and you grant permission.

1.5 Communication data

If you contact us, join a waitlist, send feedback, report a bug, or request support, we may process:

• your email address;
• your name, if provided;
• message content;
• attachments or screenshots you choose to send;
• support history.

2. How we use data

We use the data described above for the following purposes:

• to provide the core features of the Service;
• to scan and parse receipts;
• to extract grocery item data;
• to create and update your digital pantry;
• to track grocery spending and budget information;
• to show expiry-related reminders and pantry notifications;
• to allow you to review, correct, and save extracted receipt data;
• to maintain user accounts and authentication;
• to provide customer support;
• to improve receipt parsing accuracy and product reliability;
• to detect, investigate, and fix bugs;
• to protect the Service against abuse, fraud, or misuse;
• to comply with legal obligations;
• to communicate important Service updates.

We do not sell your personal data.

3. Legal bases for processing

Where EU, Serbian, or similar data protection laws apply, we rely on one or more of the following legal bases:

3.1 Performance of a contract

We process data where necessary to provide the Service you request, including account access, receipt scanning, pantry tracking, budget tracking, and related app features.

3.2 Consent

We rely on your consent where required, for example for optional notifications, optional analytics where applicable, or features requiring device permissions. You may withdraw consent where technically and legally applicable.

3.3 Legitimate interests

We may process data based on legitimate interests, including:

• improving and securing the Service;
• preventing misuse;
• debugging and diagnosing issues;
• understanding whether core features work properly;
• responding to user requests.

We balance these interests against your rights and expectations.

3.4 Legal obligations

We may process data where required to comply with applicable laws, lawful requests, tax, accounting, consumer protection, or regulatory obligations.

4. Third-party service providers and processors

Aruha relies on third-party infrastructure and service providers to operate the Service. These providers may process data on our behalf or as independent providers, depending on the service and legal relationship.

The primary infrastructure provider is Google (Firebase), used for authentication (Firebase Auth), database storage (Firestore), and website hosting (Firebase Hosting). These services process data on our behalf as part of standard cloud infrastructure operation.

For receipt scanning, images or QR code data may be sent to third-party OCR or AI-assisted parsing providers to extract grocery item information. Receipt images are used for processing purposes. The app does not intentionally save receipt images as permanent copies to your device's public external storage or photo library.

We may also use third-party providers for email and support communication.

No dedicated client-side analytics or crash reporting provider is currently active in the app.

We use such providers only where reasonably necessary to operate, secure, maintain, or improve the Service. These providers operate under their own terms and privacy policies.

When we use AI service providers for receipt processing, data is processed to provide that specific feature. We do not intend to use user data to train our own models, and we do not knowingly choose providers that use such data to train public models without an appropriate legal basis or consent.

5. International data transfers

Your data may be processed and stored in countries other than the country where you live, including countries that may not provide the same level of data protection as your jurisdiction.

Where required by applicable law, we aim to use appropriate safeguards for international transfers, such as contractual safeguards, provider data protection terms, or other lawful transfer mechanisms.

Because Aruha is an early-stage MVP, our infrastructure and provider setup may change. When it does, this Privacy Policy should be updated accordingly.

6. Data storage and security

We use reasonable technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration, or disclosure.

These measures may include:

• encrypted connections in transit;
• access controls;
• authentication controls;
• cloud provider security features;
• restricted administrative access;
• logging and monitoring for reliability and abuse prevention.

We do not claim that stored data is end-to-end encrypted. No cloud-based service can guarantee absolute security.

7. Data retention

We retain personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

General retention approach:

• account data is retained while your account is active;
• pantry, budget, and receipt-derived data is retained while your account is active or until you request deletion of that data;
• receipt images may be retained only as long as needed for processing, debugging, support, fraud prevention, or product improvement, unless you choose to store them;
• diagnostic and crash data may be retained for a limited period necessary to debug, secure, and improve the Service;
• support communications may be retained for a reasonable period to handle requests and maintain records.

Account deletion is available directly in the app. When you delete your account, the following data is removed:

• your Firestore user data (pantry, shopping list, budgets, expenses, recipes, meal plans);
• any legacy or migrated Firestore data associated with your account;
• your Firebase Authentication account;
• local scan debug files and legacy application preference entries created by prior app versions.

If you are unable to delete your account from within the app, you may contact us at support@aruha.app and we will process the deletion request in accordance with applicable law.

Some platform-managed caches may remain on your device after account deletion, including the Firestore offline cache and app-private local storage. These are managed by the platform and are not accessible to us. They are typically cleared when the app is uninstalled or when the device performs a cache cleanup.

Some data may also remain in infrastructure backups, security logs, or legal records for a limited period where deletion is not immediately technically possible or where retention is legally required.

8. Your rights

Depending on your location and applicable law, you may have rights regarding your personal data, including the right to:

• be informed about how your data is processed;
• request access to your personal data;
• request correction of inaccurate or incomplete data;
• request deletion of your data;
• request restriction of processing;
• object to certain processing;
• request data portability;
• withdraw consent where processing is based on consent;
• lodge a complaint with a competent data protection authority.

To exercise your rights, contact us at support@aruha.app.

If you are located in Serbia, you may also have the right to contact the Commissioner for Information of Public Importance and Personal Data Protection.

If you are located in the European Economic Area, you may also have the right to contact your local data protection authority.

We may need to verify your identity before responding to certain requests.

9. Notifications and permissions

The app may request the following device permissions:

• Camera — used to scan grocery receipts. Access is requested only when you initiate a scan.
• Photo library (read/import) — used to import a receipt image you select from your gallery. The app does not write images to your photo library.
• Notifications — may be used in app versions where notification reminders are enabled, such as reminders related to expiry dates or pantry status. This feature may not be active in all app versions.

You can control all permissions through your device settings. If you disable notifications, reminder features that rely on them will not work.

10. Children and minors

Aruha is not intended for children or minors who cannot legally use online services without parental or guardian consent under the laws of their country.

We do not knowingly collect personal data from children. If you believe that a child has provided us with personal data without appropriate consent, contact us and we will take reasonable steps to delete such data.

11. Automated processing and AI-assisted features

The Service may use automated systems, OCR, and AI-assisted processing to recognise and interpret receipt information. Although we continuously improve these systems, results may be inaccurate or incomplete.

Users are able to review and correct extracted item names, prices, quantities, expiry estimates, budget calculations, and other app outputs before using or saving them.

Aruha does not use automated processing to make legal, financial, medical, employment, credit, or similarly significant decisions about users.

12. Data accuracy

Receipt parsing may be inaccurate due to receipt quality, store format, OCR limitations, QR code differences, language issues, or AI interpretation errors.

You are responsible for reviewing and correcting extracted receipt data before relying on it.

13. Marketing and communications

If you join a waitlist, request early access, or subscribe to updates, we may use your email address to send product updates, launch information, early access invitations, and related communications.

You may unsubscribe or request removal from such communications by contacting us or using an unsubscribe method where available.

14. Links to third-party websites

The Service or website may contain links to third-party websites, app stores, or services. We are not responsible for the privacy practices, content, or security of third-party websites or services.

15. Changes to this Privacy Policy

We may update this Privacy Policy as the Service evolves, as legal requirements change, or as our infrastructure changes.

When we update this Privacy Policy, we will update the "Last updated" date above. Where required by law or where changes are material, we may provide additional notice.

The updated version becomes effective when posted, unless otherwise stated.

16. Contact

If you have questions, requests, or concerns about this Privacy Policy or how we handle personal data, contact us at:

support@aruha.app