Privacy Policy

Last updated: June 14, 2026

LeanBills ("we," "us," or "our") operates leanbills.polsia.app. This Privacy Policy explains what data we collect when you use LeanBills, how we use it, and your rights over it. We keep it short and plain.

1. What We Collect

Account information: When you sign up, we collect your email address and name (either from your Google account or from the registration form). We store a hashed password if you use email/password authentication — we never store your password in plain text.

Bill files: When you upload a utility bill, we store the image or PDF temporarily in Cloudflare R2 (our cloud storage) so our AI can read it. Bill files are automatically deleted after 30 days. We store the extracted data (vendor, rates, amounts, fees) in our database as your bill record.

Usage data: We log standard server access data (IP address, browser/device type, pages visited, timestamps) for security and debugging. We do not sell this data or use it to build advertising profiles.

Waitlist email: If you sign up for early access before the full product is live, we store your email address to notify you at launch.

Contact messages: If you contact us via our contact form, we receive and store your name, email, and message content to respond to your inquiry.

2. How We Use Your Data

  • To analyze your utility bills using AI and produce your savings report.
  • To authenticate and maintain your account session.
  • To send transactional emails (welcome, report-ready, waitlist confirmation).
  • To respond to support and contact requests.
  • To detect and prevent fraud, abuse, and security threats.
  • To comply with legal obligations.

We do not sell your personal data. We do not use your bill data to train AI models. We do not send marketing emails without your consent.

3. Third-Party Services

We share data with the following third parties only to the extent needed to operate the product:

  • OpenAI (GPT-4o Vision): Bill images and PDFs are sent to OpenAI's API for text extraction and rate analysis. OpenAI's data processing is governed by their privacy policy. We use OpenAI through Polsia's proxy and do not send data to OpenAI directly without intermediary logging controls.
  • Cloudflare R2: Bill files are stored in Cloudflare's R2 object storage. Files are auto-purged after 30 days. Cloudflare's data processing is governed by their privacy policy.
  • Neon (PostgreSQL): Your account information, bill records, and parsed data are stored in a Neon-hosted PostgreSQL database. Neon's privacy policy is available at neon.tech/privacy-policy.
  • Postmark / Polsia Email Proxy: Transactional emails (welcome, report-ready, waitlist confirmations) are sent via Postmark through Polsia's email proxy. Postmark's privacy policy is available at postmarkapp.com/privacy-policy.
  • Google OAuth: If you sign in with Google, we receive your name and email address from Google. We do not receive your Google password or access your Google account beyond the OAuth profile scope.
  • Render: Our web server runs on Render's infrastructure. Render processes server logs and HTTP traffic as part of hosting.

4. Data Retention

Bill files (R2): Deleted automatically after 30 days.

Bill records (database): Retained as long as your account is active. Deleted within 30 days of account deletion.

Account data: Retained while your account is active. You may request deletion at any time (see Your Rights below).

Session data: Sessions expire after 7 days of inactivity.

Waitlist emails: Retained until the waitlist program ends or you unsubscribe.

5. Cookies and Sessions

We use a single session cookie to keep you logged in. This cookie is HTTP-only, sent only over HTTPS, and expires after 7 days. We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

6. Security

We use HTTPS for all data in transit. Passwords are hashed with bcrypt. Sessions use hardened cookie flags (httpOnly, secure, sameSite=lax). We enforce CSRF protection on all state-changing endpoints. Login attempts are rate-limited to prevent brute-force attacks.

No system is perfectly secure. If you discover a security issue, please report it to security@leanbills.polsia.app (see also security.txt).

7. Your Rights

You may at any time:

  • Access the data we hold about you — email support@leanbills.polsia.app.
  • Delete your account and all associated data — email us or use the account settings page (coming soon).
  • Correct inaccurate information — contact support.
  • Opt out of waitlist emails — unsubscribe link in each email.

If you are in the EU or UK, you have additional rights under GDPR / UK GDPR, including the right to lodge a complaint with your supervisory authority.

8. Children

LeanBills is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe we have inadvertently collected such data, contact us immediately.

9. Changes to This Policy

We will post updates here and update the "Last updated" date. Continued use of LeanBills after a policy update constitutes acceptance of the revised policy. Material changes will be communicated by email.

10. Contact

Questions about this policy: support@leanbills.polsia.app or via our contact page.

LeanBills — a Polsia company. Founded by Michael Kamau Jr.