Skip to main content
CostCreep logoCostCreep

Legal

Privacy Policy

Effective date: March 11, 2026

1. Introduction

CostCreep ("we", "us", "our") operates the food cost visibility platform at costcreep.com. This Privacy Policy explains how we collect, use, store, and protect your information when you use our Service. By using CostCreep, you agree to the practices described in this policy.

2. Information We Collect

Account Information

When you create an account, we collect your email address, password (stored as a cryptographic hash — we never store plaintext passwords), and optionally your restaurant name.

Invoice Data

When you upload invoices, we collect and store the uploaded files (PDF, PNG, JPG, or WebP), extracted text and structured data from OCR processing, supplier names, item names and prices, and related metadata such as invoice dates and totals.

Billing Information

Payment details (credit card numbers, billing addresses) are collected and processed directly by Stripe. We do not store your full payment card information on our servers. We receive and store your subscription status and billing history from Stripe.

Usage Data

We collect basic usage information including login timestamps, session data, and request logs for security monitoring and rate limiting. Security-relevant events (authentication failures, account deletions, invoice deletions) are logged for protection purposes.

Local Storage

The Service stores an authentication token and your theme preference (light or dark mode) in your browser's local storage. We do not use tracking cookies or third-party analytics cookies.

3. How We Use Your Information

We use the information we collect to:

  • Provide and operate the Service, including invoice processing, price tracking, and alert generation
  • Authenticate your identity and secure your account
  • Process payments and manage your subscription
  • Send transactional emails (email verification, password resets)
  • Monitor for security threats and enforce rate limits
  • Improve the accuracy and reliability of the Service

We do not sell your personal information. We do not use your data for advertising. We do not share your data with third parties for their marketing purposes.

4. Third-Party Data Processing

To deliver the Service, your data is processed by the following third-party providers:

Microsoft Azure Document Intelligence

Uploaded invoice files are sent to Azure Document Intelligence for optical character recognition (OCR). This service extracts text, tables, and structured fields from your invoices. Data is processed in accordance with Microsoft's Privacy Statement.

OpenAI

Extracted text from invoices is sent to OpenAI's API (GPT-4o-mini) for structured data extraction, including item identification, price parsing, and abbreviation expansion. Data is processed in accordance with OpenAI's Privacy Policy. We use the API, which does not use your data for model training.

Stripe

Payment processing is handled by Stripe. Your billing information is collected and stored by Stripe directly. Data is processed in accordance with Stripe's Privacy Policy.

Mailgun

Transactional emails (verification, password reset) are sent via Mailgun. Your email address is shared with Mailgun for this purpose. Data is processed in accordance with Mailgun's Privacy Policy.

5. Data Retention

We retain your account data and invoice data for as long as your account is active. Raw OCR processing results are stored alongside your invoice data for transparency and to support review of extracted information.

If your subscription expires or is canceled, your data is retained in a read-only state so you can access it if you resubscribe. When you delete your account, all associated data — including invoices, extracted data, price history, and alerts — is permanently deleted from our systems.

6. Data Security

We implement industry-standard security measures to protect your data, including:

  • Passwords stored using cryptographic hashing
  • Bearer token authentication with session expiry
  • HTTPS encryption for all data in transit (enforced via Strict-Transport-Security in production)
  • Security headers including Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options
  • Rate limiting to prevent abuse (general, authentication, and upload-specific limits)
  • Security event logging for authentication failures and sensitive operations
  • All sessions revoked on password reset

While we take reasonable precautions, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your data.

7. Your Rights

You have the right to:

  • Access your data — view your invoices, extracted data, price history, and alerts through the Service dashboard
  • Correct your data — update your account information (email, restaurant name, alert preferences) from your settings
  • Delete your data — delete your account and all associated data from your account settings
  • Delete individual invoices — remove specific invoices and their associated data from the extractions page

To exercise any rights not available through the Service interface, contact us at support@costcreep.com.

8. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will promptly delete it.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date. Material changes will be communicated via the email address associated with your account. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

10. Contact

If you have questions about this Privacy Policy or how we handle your data, contact us at support@costcreep.com.