Privacy Policy

Last updated: April 18, 2026

What We Collect

When you use Tripl, we collect and store the following data:

  • Account information: your email address and account creation date
  • Receipt files: images and PDFs you upload or email to us
  • Expense data: date of service, amount, category (e.g. Prescription, Therapy, Dental), and provider/merchant name extracted from receipts or entered manually
  • Reimbursement tracking: amounts redeemed, dates, and notes you add
  • Guide downloads: if you download a free guide, we collect your email address and optional first name to deliver the guide and send follow-up educational content

How We Use Your Data

Your data is used solely to provide the Tripl expense tracking service:

  • Storing and organizing your HSA expense records
  • AI-powered receipt parsing to automatically extract expense details (when enabled)
  • Generating exports and reimbursement summaries
  • Sending transactional emails (account confirmation, password resets)

We do not sell your data, use it for advertising, or share it with third parties beyond what is described below.

Third-Party Services

Tripl relies on the following third-party services to operate:

Anthropic (Claude AI)

When AI parsing is enabled, your receipt images, PDFs, or extracted text are sent to Anthropic's Claude API to extract expense details (date, amount, category, provider). You can disable this in Settings at any time. Per Anthropic's API terms, inputs sent via their API are not used to train their models. Anthropic retains API inputs for up to 30 days for trust and safety purposes, then deletes them.

Vercel

The Tripl web application is hosted on Vercel. Vercel processes incoming web requests and may log IP addresses and request metadata as part of standard infrastructure operations.

Supabase

Your account data, expense records, and receipt files are stored in Supabase (PostgreSQL database and object storage). Data is transmitted over TLS.

Cloudflare

If you email receipts to Tripl, inbound email is routed through Cloudflare Email Workers before being processed by our application. We process the sender address (to identify your account), email attachments (receipt images and PDFs), and email body text (which may be sent to Anthropic for AI parsing if you have AI processing enabled). Only emails from registered users are processed; emails from unrecognized senders are silently discarded. Raw email content is not stored beyond the extracted expense data and receipt files.

Google Drive

If you choose to connect Google Drive, Tripl can import receipts you select and automatically back up new receipts to a folder you choose. Tripl requests the minimum scope needed (drive.file), which only grants access to files Tripl creates or that you explicitly select via the file picker. Tripl cannot browse your entire Google Drive. Your Google account email is used to identify the connection. You can disconnect Google Drive at any time in Settings, which revokes access. Disconnecting does not delete files already in your Drive.

Dropbox

If you choose to connect Dropbox, Tripl can import receipts from a folder you select and automatically back up new receipts to that folder. Tripl requests access to your files and folders for import and backup purposes. Your Dropbox account email is used to identify the connection. You can disconnect Dropbox at any time in Settings, which revokes access. Disconnecting does not delete files already in your Dropbox.

Google Analytics

With your consent, Tripl uses Google Analytics (GA4) to measure page views, traffic sources, and general usage patterns. IP addresses are anonymized. No health, expense, or receipt data is sent to Google. Analytics cookies are only set after you accept via the cookie banner. You can decline at any time.

Resend

If you download a free guide from Tripl, we use Resend to deliver the guide and send follow-up educational emails about HSA strategies. You can unsubscribe from these emails at any time using the link in each email.

AI Processing

By default, receipts you upload or email are sent to Anthropic's Claude AI to automatically extract expense information. This means your receipt content (which may include provider names, service types, and amounts) is processed by Anthropic's servers.

You can opt out of AI processing at any time in your account settings. When AI processing is disabled, receipts are stored, but you will need to enter expense details manually.

Data Storage & Security

  • Data is stored in Supabase-hosted PostgreSQL and object storage
  • All data is transmitted over TLS (encrypted in transit)
  • Receipt files are stored in a private storage bucket and accessed via time-limited signed URLs
  • Authentication is handled by Supabase Auth with email/password credentials

Your Rights

You have the following rights over your data:

  • Export: download all your expense data as CSV and all receipt files as a ZIP archive from Settings
  • Delete: permanently delete your account and all associated data (expenses, receipts, auth credentials) from Settings
  • Opt out of AI: disable AI receipt parsing so your documents are not sent to third-party AI services

California Residents

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to Know: You may request a copy of the personal information we have collected about you.
  • Right to Delete: You may request deletion of your personal information. You can do this directly in Settings, or by contacting us.
  • Right to Opt Out of Sale: Tripl does not sell your personal information to third parties. We have never sold personal information and have no plans to do so.
  • Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise these rights, contact us at support@triplapp.com. We will respond within 45 days.

Health-Related Data

Tripl stores financial information related to healthcare expenses, including provider names, service dates, and amounts. While this data is health-adjacent, Tripl is not a healthcare provider, health plan, or HIPAA-covered entity. Your data is not protected health information (PHI) under HIPAA because it is provided voluntarily by you, not created or received by a covered entity.

Certain state laws, including the Washington My Health My Data Act, may provide additional protections for consumer health data. Tripl treats all uploaded data as sensitive and applies the security measures described on our Security page regardless of jurisdiction.

Please ensure that documents you upload do not contain sensitive medical information about third parties who have not consented to its storage on this platform.

Data Retention

Your data is retained for as long as your account exists. When you delete your account, all expense records, receipt files, and authentication credentials are permanently removed. Residual copies may exist temporarily in automated database backups managed by our infrastructure provider.

Cookies

Tripl uses a single authentication cookie to keep you logged in. This cookie is strictly necessary for the Service to function and does not track your activity.

If you consent via our cookie banner, we also set cookies from Google Analytics (GA4) to understand how visitors use Tripl. These cookies track page views, referral sources, and general usage patterns. IP addresses are anonymized. No health or expense data is included in analytics. You can decline analytics cookies at any time, and Tripl will function normally without them.

Geographic Scope

Tripl is intended for use by individuals in the United States. The Service is designed around U.S. Health Savings Accounts (HSAs) and is not directed at individuals in the European Union, European Economic Area, United Kingdom, or other jurisdictions outside the United States. By using the Service, you acknowledge that your data is processed and stored in the United States.

Analytics

Tripl uses Vercel Analytics to measure basic page views and visitor counts. Vercel Analytics does not use cookies and does not track individual users.

With your consent, Tripl also uses Google Analytics (GA4) to understand traffic sources and usage patterns. Google Analytics uses cookies and is only loaded after you accept via the cookie banner. IP addresses are anonymized. No health, expense, or receipt data is sent to Google. We do not use advertising pixels or track your behavior across other websites.

Children's Privacy

Tripl is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from individuals under 18. If you believe someone under 18 has provided us with personal data, please contact us and we will delete it promptly.

Changes to This Policy

We may update this privacy policy from time to time. The “last updated” date at the top of this page reflects the most recent revision.

Contact

For questions about this privacy policy or your data, contact us at support@triplapp.com.