Security

Tripl handles your medical receipts and expense data. Here is exactly how we protect it.

Encryption

All data is encrypted in transit using TLS 1.2+. Your receipt images and expense records are encrypted at rest in Supabase's infrastructure, which runs on AWS with AES-256 encryption.

Data isolation

Every user's data is completely isolated. Tripl uses Supabase Row Level Security (RLS) to enforce that you can only access your own expenses, receipts, and account data. No other user, including Tripl administrators, can see your expense details through the application.

Receipt storage

Your receipt images are stored in a private storage bucket scoped to your user ID. They are not publicly accessible and can only be retrieved through authenticated requests tied to your account. You can delete any receipt at any time, and the file is permanently removed from storage.
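As an added illustration of the per-user isolation described in the two sections above (not Tripl's own schema or policies), here is what a Supabase Row Level Security setup in that style looks like. The `expenses` table, its `user_id` column, and a bucket named `receipts` whose objects are stored under `<user_id>/<file>` are assumptions.

```sql
-- Added example, not Tripl's schema: table, column and bucket names are assumed.

-- 1. Enable RLS. Until this runs, no policy below is consulted and the
--    anon/authenticated roles would see every row the grants allow.
alter table public.expenses enable row level security;

-- 2. Every read and write is scoped to the caller's own rows.
--    auth.uid() returns the user id from the request's verified JWT.
--    "using" filters rows on select/update/delete; "with check" stops a
--    client from inserting or moving a row under someone else's user_id.
create policy "users access only their own expenses"
  on public.expenses
  for all
  to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

-- 3. Receipt files: objects are stored as <user_id>/<file> in a private
--    bucket. storage.foldername(name) splits the object path, so element 1
--    is the owning user's id. Read and delete are limited to that user.
create policy "users read their own receipts"
  on storage.objects
  for select
  to authenticated
  using (
    bucket_id = 'receipts'
    and (storage.foldername(name))[1] = auth.uid()::text
  );

create policy "users delete their own receipts"
  on storage.objects
  for delete
  to authenticated
  using (
    bucket_id = 'receipts'
    and (storage.foldername(name))[1] = auth.uid()::text
  );

-- 4. Check: list the policies actually attached to the table.
select policyname, cmd, qual, with_check
  from pg_policies
 where schemaname = 'public' and tablename = 'expenses';
```

One caveat that matters for the "including administrators" claim: the Supabase service-role key bypasses RLS entirely, so these policies only hold for requests made with the anon or user JWT and the service key must never reach the browser or the mobile client.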

AI receipt parsing

When you upload a receipt, Tripl can use AI (Anthropic's Claude) to extract the provider name, date, amount, and category. Your receipt image is sent to Anthropic's API for processing. Anthropic does not use your data to train their models. You can read their privacy policy for details.

You can opt out of AI parsing entirely.

In Settings, toggle off "AI Receipt Parsing" and your receipts will never be sent to any third-party AI service. You can still upload receipts and enter expense details manually. The toggle applies to all upload methods: drag-and-drop, phone camera, and email forwarding.

No tracking

Tripl does not use third-party analytics, advertising pixels, or tracking scripts. We do not sell, share, or monetize your data in any way. Server logs are used only for debugging and are not linked to your identity.

Data export and deletion

You own your data. You can export all of your expenses as a CSV file or download all of your receipt images as a ZIP archive from Settings. You can also delete your entire account and all associated data at any time. Deletion is permanent and irreversible.

Infrastructure

  • Hosted on Vercel (application) and Supabase (database, auth, storage)
  • Database: PostgreSQL on Supabase (AWS us-west-1)
  • Authentication: Supabase Auth with email/password (no third-party OAuth providers)
  • Email: Cloudflare Email Routing (inbound), Resend (outbound)
  • No data is stored on the developer's local machine

HIPAA

Tripl is a personal finance tool, not a healthcare provider, health plan, or healthcare clearinghouse. HIPAA applies to these "covered entities" and their business associates. Tripl is neither. You voluntarily upload your own receipts to track expenses and manage HSA reimbursements. While receipt images may contain health-related financial information, this data is not "protected health information" (PHI) as defined under HIPAA (45 CFR 160.103) because it is provided directly by you, not created or received by a covered entity. We treat all uploaded data as sensitive and protect it accordingly.

Questions

If you have questions about how your data is handled, email security@triplapp.com.