We don't see your image.
That's the headline.
What we store, per receipt
- A short receipt ID (8 random characters)
- The SHA-256 hash of your original image (32 bytes)
- The SHA-256 hash of the stamped composite (set when you finalize)
- The UTC timestamp we signed at
- The cryptographic signature (base64 ECDSA, ~75 bytes)
- The two-letter country code of the request (for rate-limit only — no IP stored)
- A daily-rotated SHA-256 hash of your User-Agent string (for abuse detection only — no UA stored)
- Your optional note (up to 280 characters, visible on the public verification page)
- Your optional source URL (visible on the public verification page, not verified by us)
- An OpenTimestamps external anchoring proof (~200-1000 bytes)
That's the whole row. About 400-1500 bytes per receipt. We do not store the image. We do not store your IP address. We do not store your raw User-Agent. We do not store cookies (we don't set any).
What we don't store
- Your image — your browser keeps it; we only see the hash
- Your IP address — country only, for rate-limit buckets
- Your raw user-agent string — hashed with a daily salt
- Email address (we don't require signup)
- Cookies, local storage, fingerprints — we don't set them
- Analytics on you specifically (we use Cloudflare Web Analytics, which is cookieless + anonymous + aggregate)
The public verification page
When you seal a receipt, a public page is created at receipts.you/r/<id>. It shows the timestamp, both hashes, your optional note and source URL. It does NOT show your country code, UA hash, or any internal metadata. Anyone who knows or guesses the ID can see it.
If you want the receipt unlisted, leave the note + source URL blank — the page will still exist but contains no information tying it to you. (Pro plan, when launched, will offer link-only-private receipts.)
Third parties involved
- Cloudflare — hosts the API, the database, the marketing site. They see request metadata (IP, UA, country). They are bound by their privacy policy at cloudflare.com/privacypolicy/. They do not see your image (it never reaches us → it never reaches them).
- OpenTimestamps calendar servers (Peter Todd / Eternity Wall) — receive the SHA-256 hash so it can be anchored externally. They see the hash, not the image.
- anchor network — the aggregated Merkle root of many hashes is broadcast as part of an anchor transaction. Public, immutable.
Deletion
Email hi@receipts.you with your receipt ID and we'll remove the row from our database within 7 days. The OpenTimestamps external timestamp anchor can't be deleted (it's on the blockchain) but it's only verifiable by someone who has the original image — without that, the hash alone is meaningless.
Children
Receipts.you is not directed at children under 16. We collect no personal data anyway, so this is a precaution rather than a meaningful disclosure.
Changes to this policy
We'll publish material changes with a 30-day notice at the top of this page. Trivial wording fixes happen silently.