Privacy Policy

Proof Panda ("the app", "we") is a local-first vault for your receipts, warranties, return windows, tax records, and important documents. This policy explains what the app does and does not do with your information.

Information we collect

Almost nothing — and never your records. Proof Panda has no user accounts and no servers of our own, and there is no analytics, advertising, or tracking SDK in the app. Fonts and the on-device text-recognition (OCR) engine are bundled inside the app, so everyday use makes no network requests and your receipts, documents, and vault never leave your device.

The one exception is the optional Pro purchase. If you choose to buy or restore Pro, the purchase is processed by Google Play and RevenueCat, which receive the purchase itself, an anonymous app-generated user ID, and basic device and country information needed to validate and restore your upgrade. This is the only reason the app requests the Android internet permission, and it never involves any of the data you store in the app.

Where your data lives

Everything you add — receipt details and photos, warranties, return windows, budgets, income, Proof Vault documents and their attachments, and password vault entries — is stored locally on your device using the device's own storage (browser/WebView storage and IndexedDB). It is not uploaded anywhere.

• Receipts, Proof Vault documents, and their attachments are encrypted at rest on the device (AES-256-GCM). The encryption key is generated on the device and held in the platform's hardware-backed secure storage (the Android Keystore); it is never derived from your passcode and never leaves the device.
• Password vault entries are additionally encrypted with a separate key derived from a master passphrase you choose (AES-256-GCM). That passphrase is never stored and never leaves your device — if you forget it, those entries are unrecoverable, by design.
• For extra protection against someone with physical access to an unlocked phone, also use the optional App Lock and your device's own lock screen.

Device permissions

The app may ask for these permissions, each used only for the stated purpose, entirely on your device:

• Camera / Photos — to capture or attach a receipt or document image. Optical character recognition (OCR) to read those images runs on your device using an engine bundled with the app; images are not sent anywhere.
• Notifications — to remind you locally before return windows, warranties, or document expiries lapse. Reminders are scheduled on the device.
• Biometrics (where available) — to unlock the optional App Lock. Biometric data is handled by your device's operating system; the app never sees it.
• Internet — used only to process and restore the optional Pro purchase through Google Play and RevenueCat. No other feature uses the network, and none of the data you store in the app is ever transmitted.

Data you choose to export

Proof Panda lets you export your data yourself: a JSON backup, a tax CSV, or a tax ZIP bundle. When you use these features, the resulting file goes wherever you choose to save or share it. Those exported files are unencrypted and may contain personal information, so store and share them carefully. We never receive a copy.

Sharing

We never sell your data, and we never share the records you store in the app — we don't have them. The only third parties involved are Google Play and RevenueCat, and only to process the optional Pro purchase as described above.

Children

Proof Panda is a general-purpose personal records app and is not directed at children.

Changes to this policy

If this policy changes, we'll update the date above and post the new version at this URL.

Contact

Questions about this policy? Contact us at support@proofpanda.ca.