Privacy Policy
Last updated: April 8, 2026
What We Collect
When you use Tripl, we collect and store the following data:
- Account information: your email address and account creation date
- Receipt files: images and PDFs you upload or email to us
- Expense data: date of service, amount, category (e.g. Prescription, Therapy, Dental), and provider/merchant name extracted from receipts or entered manually
- Reimbursement tracking: amounts redeemed, dates, and notes you add
- Guide downloads: if you download a free guide, we collect your email address and optional first name to deliver the guide and send follow-up educational content
How We Use Your Data
Your data is used solely to provide the Tripl expense tracking service:
- Storing and organizing your HSA expense records
- AI-powered receipt parsing to automatically extract expense details (when enabled)
- Generating exports and tax reports
- Sending transactional emails (account confirmation, password resets)
We do not sell your data, use it for advertising, or share it with third parties beyond what is described below.
Third-Party Services
Tripl relies on the following third-party services to operate:
Anthropic (Claude AI)
When AI parsing is enabled, your receipt images, PDFs, or extracted text are sent to Anthropic's Claude API to extract expense details (date, amount, category, provider). You can disable this in Settings at any time. Per Anthropic's API terms, inputs sent via their API are not used to train their models. Anthropic retains API inputs for up to 30 days for trust and safety purposes, then deletes them.
Vercel
The Tripl web application is hosted on Vercel. Vercel processes incoming web requests and may log IP addresses and request metadata as part of standard infrastructure operations.
Supabase
Your account data, expense records, and receipt files are stored in Supabase (PostgreSQL database and object storage). Data is transmitted over TLS.
Cloudflare
If you email receipts to Tripl, inbound email is routed through Cloudflare Email Workers before being processed by our application. We process the sender address (to identify your account), email attachments (receipt images and PDFs), and email body text (which may be sent to Anthropic for AI parsing if you have AI processing enabled). Only emails from registered users are processed; emails from unrecognized senders are silently discarded. Raw email content is not stored beyond the extracted expense data and receipt files.
Google Drive
If you choose to connect Google Drive, Tripl can import receipts from a folder you select and automatically back up new receipts to that folder. Tripl requests access to files it creates (drive.file scope) and read access to browse your existing files for import (drive.readonly scope). Tripl only accesses the folder you select. Your Google account email is used to identify the connection. You can disconnect Google Drive at any time in Settings, which revokes access. Disconnecting does not delete files already in your Drive.
Google Analytics
With your consent, Tripl uses Google Analytics (GA4) to measure page views, traffic sources, and general usage patterns. IP addresses are anonymized. No health, expense, or receipt data is sent to Google. Analytics cookies are only set after you accept via the cookie banner. You can decline at any time.
Resend
If you download a free guide from Tripl, we use Resend to deliver the guide and send follow-up educational emails about HSA strategies. You can unsubscribe from these emails at any time using the link in each email.
AI Processing
By default, receipts you upload or email are sent to Anthropic's Claude AI to automatically extract expense information. This means your receipt content (which may include provider names, service types, and amounts) is processed by Anthropic's servers.
You can opt out of AI processing at any time in your account settings. When AI processing is disabled, receipts are stored, but you will need to enter expense details manually.
Data Storage & Security
- Data is stored in Supabase-hosted PostgreSQL and object storage
- All data is transmitted over TLS (encrypted in transit)
- Receipt files are stored in a private storage bucket and accessed via time-limited signed URLs
- Authentication is handled by Supabase Auth with email/password credentials
Your Rights
You have the following rights over your data:
- Export: download all your expense data as CSV and all receipt files as a ZIP archive from Settings
- Delete: permanently delete your account and all associated data (expenses, receipts, auth credentials) from Settings
- Opt out of AI: disable AI receipt parsing so your documents are not sent to third-party AI services
Data Retention
Your data is retained for as long as your account exists. When you delete your account, all expense records, receipt files, and authentication credentials are permanently removed. Residual copies may exist temporarily in automated database backups managed by our infrastructure provider.
Cookies
Tripl uses a single authentication cookie to keep you logged in. This cookie is strictly necessary for the Service to function and does not track your activity.
If you consent via our cookie banner, we also set cookies from Google Analytics (GA4) to understand how visitors use Tripl. These cookies track page views, referral sources, and general usage patterns. IP addresses are anonymized. No health or expense data is included in analytics. You can decline analytics cookies at any time and Tripl will function normally without them.
Geographic Scope
Tripl is intended for use by individuals in the United States. The Service is designed around U.S. Health Savings Accounts (HSAs) and is not directed at individuals in the European Union, European Economic Area, United Kingdom, or other jurisdictions outside the United States. By using the Service, you acknowledge that your data is processed and stored in the United States.
Analytics
Tripl uses Vercel Analytics to measure basic page views and visitor counts. Vercel Analytics does not use cookies and does not track individual users.
With your consent, Tripl also uses Google Analytics (GA4) to understand traffic sources and usage patterns. Google Analytics uses cookies and is only loaded after you accept via the cookie banner. IP addresses are anonymized. No health, expense, or receipt data is sent to Google. We do not use advertising pixels or track your behavior across other websites.
Children's Privacy
Tripl is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from individuals under 18. If you believe someone under 18 has provided us with personal data, please contact us and we will delete it promptly.
Changes to This Policy
We may update this privacy policy from time to time. The “last updated” date at the top of this page reflects the most recent revision.
Contact
For questions about this privacy policy or your data, contact us at support@triplapp.com.