Privacy Policy

Last Updated: January 29, 2026

Introduction

Kishi Consulting ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our reconciliation and expense management services.

Information We Collect

Account Information

When you create an account, we collect:

  • Name and email address
  • Company information
  • Authentication credentials (encrypted)

Financial Data

For reconciliation and expense management services, we process:

  • Financial documents you upload or share
  • Expense reports and receipts
  • Analysis results and reconciliation data

Google Drive Integration

Our application integrates with Google Drive to provide seamless file access. When you connect your Google Drive account, you authorize us to:

Permissions We Request

  • Read access to Google Drive files: To download and analyze reconciliation files and expense documents that you explicitly share with our application
  • File management for app-created files: To organize and manage files that are created or uploaded through our application only

How We Use Google Drive Data

Files accessed from your Google Drive are:

  • Only accessed when you explicitly provide a file URL or folder link
  • Downloaded temporarily for reconciliation analysis or expense processing
  • Processed using secure servers with encrypted connections
  • Not stored permanently (analysis results are stored in our database, but original files are not)
  • Never shared with third parties
  • Never used for any purpose other than providing our services

OAuth Tokens

To maintain your Google Drive connection, we securely store:

  • Access tokens (encrypted at rest)
  • Refresh tokens (encrypted at rest)
  • Token expiration timestamps

These tokens are stored with industry-standard encryption and are only used to authenticate your requests to Google Drive on your behalf.

AI-Powered Processing

Our service uses AI (Anthropic Claude API) to process receipt images and extract expense data. When you upload a receipt:

  • Receipt images are sent to Anthropic's Claude API for optical character recognition (OCR)
  • Extracted data (dates, amounts, vendors, categories) is stored in your account
  • Original receipt images are processed temporarily and not permanently stored
  • Anthropic does not use API data to train their AI models
  • We do not train any AI models on your private data

For more information, see Anthropic's Privacy Policy.

How We Use Your Information

We use the collected information to:

  • Provide reconciliation and expense management services
  • Authenticate your identity and manage your account
  • Process and analyze financial documents using AI
  • Generate reports and insights
  • Process payments and manage subscriptions via Stripe
  • Communicate with you about our services
  • Improve our application and services
  • Comply with legal obligations

We do not sell your personal information, use your data for advertising, or share your receipt data with anyone outside our service.

Third-Party Service Providers

We use the following trusted third-party services to operate our platform:

  • Anthropic (Claude AI) — Receipt OCR and data extraction. Privacy Policy
  • Stripe — Payment processing and subscription management. We do not store credit card details. Privacy Policy
  • Google — Authentication (Google Sign-In) and optional Drive integration. Privacy Policy
  • Vercel — Application hosting and infrastructure. Privacy Policy
  • Supabase — Database and file storage (encrypted at rest). Privacy Policy
  • Sentry — Error monitoring and performance tracking. Privacy Policy
  • Resend — Transactional email delivery. Privacy Policy

Data Storage and Security

Where We Store Data

Your data is stored on secure servers provided by:

  • Supabase (PostgreSQL database) - Encrypted at rest
  • Vercel (Application hosting) - Secured infrastructure
  • Supabase Storage (File storage) - Encrypted storage buckets

Security Measures

We implement industry-standard security measures:

  • End-to-end encryption for data transmission (HTTPS/TLS)
  • Database encryption at rest
  • Row-Level Security (RLS) policies for data access control
  • Secure password hashing (bcrypt)
  • OAuth token encryption
  • Regular security audits and updates
  • Access controls and authentication requirements

Data Sharing and Disclosure

We do not sell, trade, or rent your personal information. We may share information only in these circumstances:

  • Service Providers: With trusted third-party service providers who assist in operating our services (e.g., hosting, database management)
  • Legal Requirements: When required by law, court order, or government request
  • Business Transfers: In connection with a merger, acquisition, or sale of assets
  • With Your Consent: When you explicitly authorize us to share information

Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data based on the following legal grounds:

  • Contractual Necessity — To provide the services you signed up for (account management, expense processing, report generation)
  • Legitimate Interest — To improve our services, ensure security, prevent fraud, and monitor system performance
  • Consent — For optional features such as analytics cookies and marketing communications (you may withdraw consent at any time)
  • Legal Obligation — To comply with tax, financial, and regulatory requirements

International Data Transfers

Our services are hosted in the United States. If you access our services from outside the US, your data may be transferred internationally. We ensure appropriate safeguards are in place for such transfers, including the use of service providers that comply with GDPR requirements and maintain adequate data protection standards.

Your Rights and Choices

Depending on your location (including rights under GDPR and CCPA), you have the following rights:

Access and Portability

  • Right to Access — Request a copy of all personal data we hold about you
  • Right to Portability — Receive your data in a structured, machine-readable format

Correction and Deletion

  • Right to Correction — Request correction of inaccurate or incomplete data
  • Right to Deletion — Request deletion of your account and all associated data (within 30 days)
  • Right to Restriction — Request restriction of processing under certain circumstances

Consent and Objection

  • Right to Object — Object to processing based on legitimate interest
  • Right to Withdraw Consent — Withdraw consent at any time (does not affect prior processing)
  • Opt-out — Opt out of marketing communications at any time

How to exercise your rights: Email us at kishiconsulting.io@gmail.com or use the account settings page. We will respond to requests within 30 days.

Revoking Google Drive Access

You can revoke our application's access to your Google Drive at any time:

  1. Visit your Google Account Permissions
  2. Find "Kishi Consulting" in the list of apps
  3. Click "Remove Access"

Note: Revoking access will prevent our application from accessing your Google Drive files, but previously processed data will remain in your account unless you request deletion.

Data Retention

We retain your information for as long as:

  • Your account is active
  • Needed to provide you with services
  • Required to comply with legal obligations
  • Necessary to resolve disputes or enforce agreements

When you delete your account, we will delete or anonymize your personal information within 30 days, except where we are required to retain it by law.

Cookies and Tracking

We use essential cookies and session storage to:

  • Maintain your logged-in session and authentication state
  • Remember your preferences (e.g., currency selection)
  • Ensure security and prevent fraud

We do not use third-party advertising cookies or cross-site tracking cookies. Analytics cookies are only loaded with your consent.

You can control cookie settings through your browser preferences or our cookie consent banner. Disabling essential cookies may affect service functionality.

Children's Privacy

Our services are not intended for children under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us immediately and we will delete such information.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. Continued use of our services after changes constitutes acceptance of the updated policy.

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Google API Services User Data Policy

Kishi Consulting's use and transfer of information received from Google APIs adheres to Google API Services User Data Policy, including the Limited Use requirements.