Privacy Policy
Last updated: February 15, 2026
1. Introduction
Pure Harmony LLC ("we," "us," or "our"), located at 30 N Gould St Ste N, Sheridan, WY 82801, operates Explain My Bill ("the Service"), available as a web application and Progressive Web App (PWA) for mobile devices. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service. We are committed to protecting your privacy and handling your data with transparency and security. By using the Service, you consent to the practices described in this policy.
2. Information We Collect
2.1 Information You Provide
- Account Information: Name, email address, and login method (Google, Microsoft, Apple, or email via Manus OAuth)
- Payment Information: Billing details processed through Stripe, Inc. (we never store, access, or process credit card numbers on our servers)
- Uploaded Documents: Bills, contracts, subscriptions, and other financial documents you upload for analysis
- User Content: Notes, preferences, consent choices, and feedback you provide through the Service
- Communications: Messages you send to our support team via email or in-app ticketing
2.2 Information Automatically Collected
- Usage Data: Pages visited, features used, time spent, and interaction patterns collected via Umami Analytics (a privacy-focused, cookie-free analytics platform)
- Device Information: IP address, browser type, operating system, screen resolution, and device type
- Authentication Tokens: Session cookies required for login functionality (no third-party tracking cookies)
- Log Data: Server logs including timestamps, error messages, and API request metadata
2.3 Information from Third Parties
- OAuth Providers: Basic profile information (name and email) from Google, Microsoft, or Apple when you choose to sign in with these services
- Payment Processors: Transaction status and payment confirmation from Stripe, Inc.
2.4 Mobile Application Data
When you use our Progressive Web App (PWA) on mobile devices:
- Camera Access: Only when you explicitly choose to scan a barcode or capture a document photo. We do not access your camera in the background.
- File Access: Only when you explicitly select files for upload. We do not scan or access other files on your device.
- Local Storage: We store authentication tokens and user preferences locally on your device for app functionality.
- No Background Data Collection: Our app does not collect any data when it is not actively in use.
3. How We Use Your Information
We use the collected information for the following purposes:
- Service Delivery: Process and analyze your uploaded documents using AI (OpenAI GPT-4) and OCR technology
- Account Management: Create and maintain your account, authenticate users, and manage subscriptions
- Payment Processing: Process subscription payments through Stripe, Inc. and manage billing
- Communication: Send transactional emails (account confirmation, password reset, payment receipts) and respond to support requests
- Service Improvement: Analyze anonymous usage patterns via Umami Analytics to improve features and user experience
- Security: Detect and prevent fraud, abuse, and security threats
- Legal Compliance: Comply with legal obligations and enforce our Terms of Service
- Marketing (Opt-in Only): Send promotional emails only with your explicit prior consent. You may opt in during account creation or through your account settings. You can withdraw consent at any time.
4. Data Sharing and Disclosure
We do not sell, rent, or trade your personal information to any third party.
4.1 Service Providers
We share data with the following trusted third-party service providers who assist in operating the Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| OpenAI | AI-powered document analysis | Document text content (server-side only) |
| Stripe, Inc. | Payment processing | Email, name, payment details (handled by Stripe) |
| Manus OAuth | User authentication | Email, name (for login only) |
| Umami Analytics | Anonymous usage analytics | No personal data (cookie-free, GDPR compliant) |
| AWS S3 | File storage | Encrypted uploaded documents |
These providers are contractually obligated to protect your data and use it only for the specified purposes. OpenAI does not retain or use your document data for model training under our data processing agreement.
4.2 Legal Requirements
We may disclose your information if required by law, court order, subpoena, or government request, or to protect our rights, property, or safety.
4.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you via email at least 30 days before any such transfer.
5. Data Security
We implement industry-standard security measures to protect your data:
- Encryption in Transit: TLS 1.3 encryption for all data transmitted between your device and our servers
- Encryption at Rest: AES-256 encryption for all stored data including uploaded documents
- Access Controls: Role-based access restrictions and multi-factor authentication for staff
- Secure Storage: Documents stored on AWS S3 with strict access policies and server-side encryption
- Automatic Deletion: Uploaded documents are automatically and permanently deleted after 24 hours
- Regular Security Audits: Periodic security assessments and vulnerability scanning
- PCI DSS Compliance: All payment processing handled by Stripe (PCI DSS Level 1 certified)
Data Breach Notification
In the event of a data breach that affects your personal information, we will: (1) notify affected users via email within 72 hours of discovering the breach; (2) notify relevant regulatory authorities as required by applicable law; (3) provide details about the nature of the breach, the data affected, and steps we are taking to address it; and (4) offer guidance on steps you can take to protect yourself.
However, no method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
6. Data Retention
We retain your information for different periods depending on the type of data:
| Data Type | Retention Period |
|---|---|
| Uploaded Documents | Automatically deleted 24 hours after upload |
| Analysis Results | Retained for the duration of your account |
| Account Information | Retained until you delete your account |
| Payment Records | Retained for 7 years for tax and legal compliance |
| Usage Logs | Retained for 90 days for security and troubleshooting |
| Support Tickets | Retained for 2 years after resolution |
After account deletion, we may retain certain anonymized information as required by law or for legitimate business purposes (e.g., fraud prevention, resolving disputes, tax compliance).
7. Your Privacy Rights
Depending on your location, you may have the following rights:
7.1 Access and Portability
You can access, download, and export your personal data from your account dashboard at any time.
7.2 Correction
You can update your account information at any time through your profile settings.
7.3 Deletion
You can delete your account and all associated data at any time through the Delete Account page in your account settings, or by contacting [email protected]. Upon deletion, we will remove all your personal data within 30 days, except where retention is required by law.
7.4 Opt-Out of Marketing
You can unsubscribe from promotional emails by clicking the "unsubscribe" link in any marketing email, or by updating your preferences in account settings. Transactional emails (payment receipts, security alerts) cannot be opted out of.
7.5 Do Not Track
We honor Do Not Track (DNT) browser signals. Our analytics tool (Umami) does not use cookies and does not track users across third-party websites.
7.6 GDPR Rights (EU/EEA Users)
If you are in the European Union or European Economic Area, you have additional rights under GDPR, including the right to object to processing, restrict processing, withdraw consent, and lodge a complaint with your local supervisory authority.
7.7 CCPA/CPRA Rights (California Residents)
California residents have the right to: know what personal information is collected; request deletion of personal information; opt out of the sale of personal information (we do not sell personal information); and not be discriminated against for exercising these rights.
7.8 Other US State Privacy Laws
We comply with applicable state privacy laws including the Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), and similar state regulations.
8. Cookies and Tracking Technologies
We use minimal cookies and tracking technologies:
- Essential Cookies: Session authentication tokens required for login functionality
- Preference Cookies: Remember your settings (theme, language preferences)
- Analytics: Umami Analytics (privacy-focused, cookie-free, GDPR compliant by design — collects only anonymous page views and basic device information, no personally identifiable information)
We do not use: third-party advertising cookies, cross-site tracking pixels, fingerprinting technologies, or any form of surveillance advertising.
You can control cookies through your browser settings. Disabling essential cookies may affect Service functionality.
9. Children's Privacy
The Service is intended for users who are 18 years of age or older. We do not knowingly collect personal information from anyone under 18. If we discover that a minor has provided personal information, we will delete it immediately. If you believe a minor has provided information to us, please contact [email protected].
10. International Data Transfers
Your information may be transferred to and processed in the United States, where our servers and service providers are located. If you are located outside the United States, please be aware that data protection laws in the US may differ from those in your country. We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EU/EEA.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email at least 14 days before they take effect, post a prominent notice on the Service, and update the "Last updated" date at the top of this policy. Your continued use after changes take effect constitutes acceptance of the updated policy. If you do not agree with the changes, you may delete your account.
12. Contact Us
If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have a complaint, please contact us:
Pure Harmony LLC - Privacy Team
Address: 30 N Gould St Ste N, Sheridan, WY 82801
Email: [email protected]
Phone: +1 (518) 560-7375
Website: https://explainmybillai.com
For privacy-specific inquiries, you may also email: [email protected]. We will respond to all privacy requests within 30 days.