HSA Monster Privacy Policy
Last updated: January 15, 2026
This Privacy Policy describes how HSA Monster ("we," "us," or "our") handles information when you use our mobile application (the "App"). We are committed to protecting your privacy and being transparent about our data practices.
By using HSA Monster, you agree to the practices described in this Privacy Policy.
1. Information We Collect
HSA Monster is designed with privacy in mind. We collect minimal information, and your personal HSA data and receipts never leave your device or Apple's secure ecosystem.
1.1 Information You Store Locally
When you use HSA Monster, you may create and store:
- HSA transaction records (date, provider, amount, description, claimant)
- HSA account information (account name, institution, balance)
- Family member information (name, relationship)
- Receipt images and PDFs attached to transactions
- Provider directory and templates
- Notes and tags on transactions
- Any other data you enter into the App
Important: All of this data, including receipt attachments, is stored on your device using Core Data. If you have iCloud sync enabled, all data (including receipts) is also synced across your devices using Apple's CloudKit service. If you disable iCloud sync, your data remains only on your local device. Either way, we never have access to, collect, or store any of your personal HSA information or receipts.
1.2 Receipt Processing
When you use the receipt scanning feature:
- Receipt images are processed entirely on your device using Apple's Vision Framework and Natural Language Framework (or Apple Foundation Models on supported devices)
- Text recognition (OCR) and data extraction happen locally on your device
- No receipt images or extracted data are transmitted to our servers or any third-party AI service
- Receipt attachments are stored in Core Data, either locally on your device or synced via CloudKit (if iCloud sync is enabled)
- Receipts remain private to you and are only accessible through the App or CloudKit family sharing (if you enable it)
1.3 Anonymous Analytics and Purchase Data
We collect anonymous data through third-party services to help us understand how the App is used, manage subscriptions, and improve functionality. This data includes:
- Device type and operating system version
- App usage patterns (which features are used, how often)
- Anonymous subscription status and purchase history
- Receipt capture method used (camera, photo library, files, etc.)
- AI extraction success/failure rates (without receipt content)
- Crash reports and error logs
- General usage statistics
This data is anonymous and cannot be used to identify you personally. It does not include any of your HSA transaction details, receipt images, family member information, or other personal data you enter into the App.
1.4 Information We Do NOT Collect
HSA Monster does not collect:
- Your name, email address, or contact information
- Your HSA transaction records or account information
- Receipt images or PDFs you capture or upload
- Family member details
- Medical provider information
- Your location data
- Any personally identifiable information
2. How We Use Information
The anonymous analytics data we collect is used solely to:
- Understand how users interact with the App
- Manage and track subscription status
- Identify and fix bugs and crashes
- Improve receipt scanning and AI extraction features
- Improve App features and user experience
- Make decisions about future development priorities
- Monitor AI extraction accuracy rates to improve the feature
We use Firebase Remote Config to deliver app configuration updates and feature flags. This service does not collect any personally identifiable information.
3. Third-Party Services
HSA Monster uses the following third-party services:
3.1 Apple Services
- CloudKit: If you enable iCloud sync, your HSA transaction data and receipt attachments are stored in Apple's CloudKit service and synced across your devices. If you disable iCloud sync, your data is stored only on your local device. Apple's privacy policy governs CloudKit data storage. Either way, your data is private to you and we never have access to it.
- CloudKit Sharing: If you enable family sharing, you can invite family members to collaborate on HSA tracking. Shared data is visible to invited members. This feature uses Apple's CloudKit zone sharing and is governed by Apple's privacy policy.
- App Store In-App Purchase: Payment processing for subscriptions is handled entirely by Apple through the App Store. We do not collect or store any payment information.
- Vision Framework & Natural Language Framework: Used for on-device text recognition and data extraction from receipts. All processing happens on your device; no data is transmitted to Apple's servers or our servers.
- Apple Foundation Models (iOS 18.1+): On supported devices with Apple Intelligence enabled, the App may use Apple's on-device Foundation Models for improved receipt data extraction. All processing is done locally on your device; no receipt data is sent to Apple's servers.
- VisionKit: Used for document scanning with automatic edge detection and perspective correction. Scanning happens entirely on your device.
3.2 RevenueCat
We use RevenueCat to manage in-app subscriptions and purchases. RevenueCat collects anonymous data related to your subscription status, including:
- Anonymous customer identifier
- Subscription status and purchase history
- Device and platform information
- Transaction timestamps
This data is anonymous and cannot be used to identify you personally. RevenueCat does not have access to your HSA records, receipts, or other personal data stored in the App. Payment processing is still handled entirely by Apple. View RevenueCat's privacy policy at https://www.revenuecat.com/privacy
3.3 Google Services
- Firebase Analytics: Collects anonymous usage data as described in Section 1.3. View Google's privacy policy at https://policies.google.com/privacy
- Firebase Remote Config: Delivers app configuration and feature settings without requiring an app update.
- Firebase Crashlytics: Collects anonymous crash reports to help us identify and fix bugs.
- Google Analytics: Collects anonymous analytics data to help us understand app usage patterns.
4. Data Sharing and Disclosure
We do not sell, rent, or share your information with third parties.
The only data we have access to is anonymous analytics data, which may be shared with:
- RevenueCat for subscription management and purchase tracking
- Google (through Firebase and Google Analytics) for usage analytics
- Service providers who help us analyze usage data to improve the App
We may disclose information if required by law, such as in response to a subpoena or court order, but since we don't collect personally identifiable information or have access to your HSA data, there is little to disclose.
5. Data Security
The security of your personal data is primarily handled by Apple and your device:
- If you use iCloud sync, all HSA transaction data and receipt attachments are stored in CloudKit with Apple's industry-standard encryption
- If you disable iCloud sync, your data is stored only on your device with iOS security protections
- All data is protected by your iCloud account security (password, two-factor authentication) and/or your device passcode
- All receipt processing (OCR and AI extraction) happens on your device; no receipt data is transmitted to our servers
- We never transmit your personal data to our servers
For the anonymous analytics data we collect, we use industry-standard security measures to protect it during transmission and storage.
6. Your Rights and Choices
6.1 Your Personal Data
Because your data is stored on your device (and optionally in your iCloud account via CloudKit):
- You have complete control over your data at all times
- You can delete any or all transactions, accounts, family members, or receipt attachments directly from the App
- You can delete the App and all associated data (both local and iCloud) through your device settings
- You can enable or disable iCloud sync at any time
- You control your iCloud account security and access
- You can export all your data and receipts at any time using the App's export feature
6.2 Family Sharing
If you use the CloudKit family sharing feature (requires active subscription):
- You control who has access to your shared HSA data
- You can remove family members from the share at any time
- You can stop sharing entirely and keep your data private
- Invited family members can choose to leave the share at any time
6.3 Analytics Data
While the analytics data we collect is anonymous and cannot be tied back to you:
- You can limit ad tracking on your iOS device through Settings > Privacy > Tracking
- You can reset your advertising identifier in iOS settings
7. Children's Privacy
HSA Monster is not intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us. Since we don't collect personally identifiable information, there would be nothing for us to delete, but we will investigate and take appropriate action.
8. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by:
- Posting the new Privacy Policy in the App
- Updating the "Last updated" date at the top of this policy
- Providing a notification within the App for significant changes
You are advised to review this Privacy Policy periodically for any changes. Changes are effective when posted.
9. International Users
HSA Monster is operated from the United States. If you are accessing the App from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate.
However, since all your personal data is stored in Apple's CloudKit and remains under your iCloud account, Apple's data handling practices and international compliance standards apply to that data.
10. California Privacy Rights (CCPA)
If you are a California resident, you have certain rights under the California Consumer Privacy Act (CCPA):
- Right to Know: You have the right to request information about the personal data we collect. As described in this policy, we collect only anonymous analytics data.
- Right to Delete: Since we don't collect personally identifiable information, there is no personal data for us to delete. Your HSA data and receipts are in your control through your iCloud account and device.
- Right to Opt-Out: We do not sell personal information.
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
11. HIPAA and Health Information
HSA Monster is not a HIPAA-covered entity. The App is a personal finance organization tool, not a healthcare provider or health plan. While the App helps you track health-related expenses, it does not create, receive, maintain, or transmit protected health information (PHI) as defined by HIPAA.
However, we recognize the sensitive nature of health information and have designed the App with privacy-first principles:
- All your data stays on your device and in your private iCloud account
- We never have access to your health expense information
- Receipt processing happens entirely on your device
- You control who has access to your data through CloudKit sharing
12. Contact Us
Summary: HSA Monster is designed with your privacy as a top priority. Your HSA transaction data and receipt attachments stay exclusively on your device and, if you choose, in your private iCloud account via CloudKit. Receipt scanning and AI extraction happen entirely on your device. We only collect anonymous analytics to improve the app. We never see, store, or share your personal HSA information or receipts.