This Privacy Policy explains how Lumin Marketing Group ("PKTD™", "we", "us", or "our") handles information when you use PKTD™, our iOS receipt scanner, expense ledger, mileage tracker, and AI assistant.
PKTD™ is designed to be local-first. The app does not require a PKTD™ account. Most receipt, expense, budget, category, warranty, recurring-expense, business-label, and trip data is stored on your device using Apple's app storage technologies. Some optional features send limited data to service providers when you choose to use them.
This policy is intended for users in Canada and the United States. It is not legal, financial, accounting, investment, or tax advice.
1. Age Requirement
PKTD™ is intended for users who are 18 years of age or older. We do not knowingly collect personal information from children under 13 or from users under 18. If you believe a minor has provided information to us, contact privacy@pktd.ca and we will take appropriate steps to delete it.
2. Information PKTD™ Handles
2.1 Receipt and Expense Data
When you scan, import, edit, or save receipts, PKTD™ may store:
- receipt images and thumbnails;
- OCR text extracted from receipts;
- merchant names, dates, totals, subtotals, taxes, tips, currencies, payment-method text, line items, notes, and categories;
- custom categories, category snapshots, corrected fields, confidence scores, and duplicate-detection hashes;
- warranty details, recurring-expense records, budgets, achievements, and app preferences;
- business-expense labels, business names you create, tax-region fields, mileage/fuel fields, and export/report settings.
Receipt images are processed on device. PKTD™ strips image metadata such as GPS and camera metadata before saving the app's processed receipt image. The app stores downscaled JPEG receipt images and thumbnails locally. If you enable iCloud sync, receipt and ledger data may sync through your private Apple iCloud account.
2.2 AI Parsing and Ledger Chat
AI features are optional and require your consent. If AI parsing is enabled, PKTD™ sends extracted receipt text, selected locale hints, and any active custom category names through PKTD™'s server to OpenAI so the receipt can be converted into structured fields. Receipt images are not sent to OpenAI for AI parsing.
If you use Ledger chat, PKTD™ sends your chat message and recent chat context through PKTD™'s server to OpenAI. For spending questions, PKTD™ may also include app-generated spending context derived from your saved receipt data. For app-help questions, PKTD™ sends your help question without spending context.
PKTD™ does not use your receipt data or chat content to train our own AI models. OpenAI processes API requests under its API data controls. We use AI responses to provide the feature you requested, and we apply server-side validation and sanitization to reduce accidental card-data leakage and prompt-injection risks.
2.3 Device, Security, and Operational Data
When PKTD™ calls its server, the app sends:
- a device identifier used for app security, rate limits, referrals, promo-code redemption, and deletion requests;
- Firebase App Check tokens used to verify that requests are coming from a genuine app instance;
- request metadata naturally created by HTTPS requests, such as IP address, request time, route, and response status.
PKTD™'s server stores operational counters such as daily scan/chat counts, aggregate OpenAI token usage, estimated API cost, referral code state, promo-code state, and rate-limit keys. These records are used to run the service, prevent abuse, debug reliability, and manage quotas. They are not used for advertising tracking.
2.4 Location and Mileage Data
Location is optional and controlled by iOS permission plus PKTD™'s in-app Location consent setting. If enabled, PKTD™ can use precise location for business mileage tracking, trip start/end points, route points, and reverse-geocoded trip endpoints. Active mileage trips may use background location so distance can be tracked while you drive.
Receipt address text can be saved and shown without Location. If receipt map/geocoding features are enabled separately, PKTD™ may send merchant address text to Apple's geocoding services to resolve map coordinates and tax-region hints.
2.5 Camera, Photos, PDF Import, Share Sheet, Microphone, and Speech
PKTD™ uses the camera when you scan receipts or use the standalone Scan to PDF tool. Documents scanned with Scan to PDF are temporary exports and are not added to your receipt library. You can also import receipt images from Photos or receipt PDFs from Files. Camera, Photos, and Files access are handled by iOS permissions and pickers.
You can also send receipt images or PDFs to PKTD™ from other apps using the iOS Share Sheet. Items shared this way are held in PKTD™'s private app-group storage on your device until you open PKTD™ and complete the import. Importing uses the same on-device steps, consent settings, and access requirements as a normal scan — including onboarding and, where required, an active subscription — so a shared item can stay in that staging area until those conditions are met. Items left unimported are automatically deleted after about seven days.
If you use voice dictation in Ledger, PKTD™ uses the microphone and Apple's speech-recognition services to turn your speech into text. Dictation is optional and only starts when you request it.
2.6 Purchases and Subscriptions
PKTD™ Pro subscriptions are handled through Apple's StoreKit and App Store purchase systems. We do not receive or store your full payment-card details. PKTD™ reads StoreKit entitlement information to determine whether Pro access, trial access, or tester access is active.
2.7 Communications, Support, and Website Forms
If you email us, report a bug, request privacy help, or submit a form on our website, we collect the information you choose to provide, such as your email address, message content, and any app/device details included in the request.
If you join a website waitlist or mailing list, your email address may be processed by email/CRM service providers used for that website workflow.
If you complete an optional website quiz such as the Receipt Stack Audit and choose to share your email address, we process your email address plus non-sensitive multiple-choice quiz selections, such as your result type, receipt-volume bucket, and feature interests. We use this information to personalize PKTD™ product updates and, if offered in that release, send follow-up content related to your on-page result. We do not collect receipt images, receipt contents, merchant names, card numbers, income, or tax documents through the website quiz.
Our website uses Vercel Web Analytics for cookieless, aggregate traffic and conversion measurement. It can include the page path, general referrer, approximate country, device type, operating system, and browser.
If you select “Allow analytics cookies” in the website's analytics preferences, the site also loads Google Analytics 4. Google Analytics can process page paths, a general referrer, standard campaign labels from allowlisted utm_* fields, approximate location derived from network information, device/browser information, and selected website events such as an App Store click, Ledger Brief start or completion, or confirmed newsletter signup. Google Analytics may set first-party analytics cookies after you consent. PKTD™ strips query strings and URL fragments from page locations and referrers before sending them to Google, rejects campaign values outside a limited safe character set, disables Google advertising signals, and does not send email addresses, form entries, quiz answers, receipt information, or other free-form content as analytics events.
3. How We Use Information
We use information to:
- scan, process, store, display, search, filter, edit, export, and delete receipts;
- provide budgets, insights, recurring-expense detection, warranties, achievements, widgets, mileage tracking, and tax-record organization features;
- provide AI receipt parsing and Ledger chat when you consent to AI processing;
- run subscriptions, trials, quotas, referrals, promo-code redemption, and service abuse protection;
- provide support, respond to privacy requests, and troubleshoot bugs;
- maintain security, prevent fraud or abuse, enforce terms, and comply with legal obligations;
- improve app reliability and product quality using consent-gated local analytics and aggregate operational metrics.
We do not sell your personal information. We do not share your personal information for cross-app or cross-website advertising tracking.
4. Consent and Controls
PKTD™ includes settings for AI receipt parsing, analytics, notifications, promo notifications, and location. You can change these choices in the app.
- AI Receipt Parsing: When off, receipt scans can still use on-device OCR, but AI-powered parsing, categorization, tax detection, and Ledger chat are unavailable.
- Usage Analytics: When off, PKTD™ drops local funnel analytics events. Current analytics are local logger events, not an advertising SDK.
- Website Analytics: Vercel Web Analytics provides cookieless aggregate measurement. Google Analytics is off until you explicitly allow it. Use the “Privacy choices” link in the website footer to allow, decline, or later change this choice.
- Notifications: When off, PKTD™ does not request or use notification permissions for app notifications.
- Promo Notifications: When off, PKTD™ does not send promotional alerts such as deals, feature announcements, or product updates. This is separate from operational reminders such as scan-limit notices.
- Location: When off, PKTD™ does not use device location for mileage tracking or background trip tracking. Receipt address text can still be saved and shown.
- iCloud Sync: Optional and off until you enable it. Changes apply after reopening PKTD™ because the app's data container is created at launch.
You can also use iOS Settings to manage camera, photo, microphone, speech recognition, location, notification, and Face ID permissions.
5. Service Providers
We use service providers only as needed to operate PKTD™ and related website workflows:
- Apple: iOS, camera/photo/file permission flows, StoreKit subscriptions, iCloud private database sync if enabled, speech recognition if dictation is used, geocoding where applicable, App Store distribution, and app entitlements.
- OpenAI: AI receipt parsing and Ledger chat responses.
- Cloudflare: PKTD™ API hosting, routing, server-side rate limits, operational counters, and security controls.
- Vercel: Website hosting and cookieless, aggregate website analytics. PKTD™ does not send email addresses, receipt details, or Receipt Stack Audit answers to Vercel Analytics.
- Google Analytics: Consent-gated website traffic, acquisition, and conversion measurement. The Google tag does not load before you allow analytics, advertising storage and signals remain disabled, and event parameters are limited to allowlisted page and placement values.
- Firebase App Check / Google: App attestation tokens used to protect PKTD™'s server endpoints.
- Exchange-rate provider (Open ER API, open.er-api.com): Live currency-conversion rates fetched when you open the Currency Converter. The request contains no receipt or personal data; standard request metadata such as IP address is processed by the provider.
- Beehiiv: Newsletter email address, signup source metadata, and optional website quiz metadata, for email-list management.
- GoHighLevel / LeadConnector: Newsletter or Ledger Brief contact details and tags sent directly from the website workflow or received from Beehiiv webhooks, for CRM follow-up.
- Resend: Email address used to send welcome, newsletter, or result-related emails.
- Slack: Newsletter signup or Ledger Brief notification details, for internal operational alerts.
- Cloudflare Turnstile: Challenge-response data when the website's anti-abuse check is enabled, for spam and abuse prevention.
- Other email, support, and business-operations providers: Used only as needed for email communications, privacy requests, support workflows, or related business operations.
Service providers may process information in countries other than where you live, including Canada and the United States.
6. Storage and Retention
Receipt and ledger data stays on your device unless you enable iCloud sync, export/share files, contact support with details, or use optional server-backed features such as AI, referrals, promo codes, or deletion requests.
Local receipt and ledger data remains until you delete it, delete the app, reset all data, or iOS removes app data. If iCloud sync is enabled, copies may remain in your private iCloud account until deleted through the app, iCloud, or Apple account controls. Turning iCloud sync off stops future sync after app restart but does not automatically delete data already synced to iCloud.
PKTD™ server records for rate limits, operational analytics, referrals, promo codes, and security may be retained as long as needed to operate, secure, audit, and improve the service. Rate-limit keys are designed to expire automatically. Aggregate operational metrics may be retained longer because they do not contain receipt contents.
Support emails and privacy requests are retained as needed to respond, document the request, and meet legal obligations.
7. Export and Deletion
PKTD™ includes tools to export your receipt data and consent audit log, delete all receipts, or delete your PKTD™ account/device-linked data.
When you choose "Delete Account & Data", PKTD™ first sends an authenticated deletion request to DELETE /api/account using the current device identity. The server immediately removes device-linked rate-limit, referral, and promo-code records that it controls, then the app removes local SwiftData records, app preferences, consent records, and the local device identity. If the server deletion cannot be confirmed, PKTD™ shows an error and leaves local data in place so you can retry. Some information may remain where retention is required for security, fraud prevention, legal compliance, backups, aggregate operational metrics, or provider-controlled systems such as Apple iCloud.
8. Security
PKTD™ uses reasonable safeguards for the nature of the data it handles, including HTTPS with App Transport Security (system TLS validation, enforced by default), Firebase App Check for backend request integrity and abuse protection, local file protection for the app data store, card-data redaction before AI parsing, image metadata stripping, and consent-gated feature access.
No app, device, network, or storage system can be guaranteed completely secure. You are responsible for keeping your device, Apple account, exports, and shared files secure.
9. Your Privacy Rights
Depending on where you live, you may have rights to access, correct, delete, export, or restrict certain personal information, withdraw consent, object to certain processing, or appeal a privacy-rights decision.
You can exercise many controls directly in PKTD™ through export, deletion, and consent settings. You can also contact us at privacy@pktd.ca. We may need information sufficient to verify and process your request.
California residents may have rights under the CCPA/CPRA. For California purposes, PKTD™ does not sell or share personal information as those terms relate to cross-context behavioral advertising. Canadian residents may contact us about access, correction, consent withdrawal, and questions under PIPEDA or applicable provincial privacy laws.
10. Cookies and Tracking
The iOS app does not use cookies. PKTD™ does not use the iOS App Tracking Transparency framework because we do not track you across apps or websites owned by other companies.
Vercel Web Analytics does not use cookies and is used only for aggregate website measurement. Google Analytics is optional and uses a basic consent setup: the Google tag is blocked until you choose “Allow analytics cookies.” If allowed, Google may set first-party _ga analytics cookies. Advertising storage, advertising user data, ad personalization, Google Signals, and ad-personalization signals remain disabled.
Your analytics choice is stored in your browser so the site can remember it. You can reopen “Privacy choices” in the website footer at any time. If you withdraw permission, PKTD™ disables further Google Analytics events and removes Google Analytics cookies it can access; you can also clear site data in your browser. PKTD™ does not use advertising pixels or cross-site behavioural tracking. Website security, form, or mailing-list providers may use strictly functional storage or request metadata where needed to operate their service.
11. Changes to This Policy
We may update this Privacy Policy as PKTD™ changes. If changes are material, we will update the "Last Updated" date and provide notice where required, such as in the app, on the website, or through the App Store metadata.
12. Contact Us
If you have questions, concerns, accessibility requests, or privacy-rights requests, contact:
Privacy Officer / Person Responsible for Personal Information
Email: privacy@pktd.ca
luminmarketinggroup.com
Canadian users may also contact the Office of the Privacy Commissioner of Canada or their provincial privacy commissioner. California residents may visit the California Attorney General's privacy resources for more information about CCPA/CPRA rights.
13. Promotional Messages (CASL)
If you turn on Promotional Notifications in PKTD™, we may send you occasional promotional push notifications such as feature announcements, tips, and product updates. In Canada, these are commercial electronic messages under Canada's Anti-Spam Legislation (CASL). They are sent by:
Suite 201, 10359 82 Avenue NW
Edmonton, Alberta T6E 1Z9, Canada
Email: privacy@pktd.ca · luminmarketinggroup.com
How to unsubscribe: open PKTD™ and turn off Settings → Privacy & Data → Promotional Notifications, or turn off notifications for PKTD™ in iOS Settings. Opt-outs take effect immediately. Promotional messages are separate from operational reminders such as scan-limit notices, which follow your Notifications setting.