Privacy Policy
Last Updated: January 7, 2026
Data Controller:
Boutique Web Development (Enskild firma)
Org. nr: 860413-8779
Address: Stockholm, Sweden
Contact: asterisk@summo.plus
📝 1. Introduction
At Summo ("the App"), we treat privacy as a fundamental feature, not an afterthought. This Privacy Policy outlines how Boutique Web Development ("we," "us," or "our") collects, uses, and protects your data.
We operate under the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Swedish Data Protection Act (Lag med kompletterande bestämmelser till EU:s dataskyddsförordning). By using Summo, you agree to the practices described in this policy.
📸 2. What to Upload
2.1 Keep it to Receipts
Summo is built to organize your grocery life. The Service is designed exclusively for processing receipts and purchase documents.
2.2 Please Don't Upload Personal Photos
To protect your own privacy, please do not upload personal photos (like selfies or pictures of family members) or sensitive documents unrelated to shopping.
- Our Focus: Our system is trained to read grocery items, not people. If you upload unrelated personal photos, our system won't understand them, and we may delete them to keep our storage efficient.
- Your Privacy: Since the app isn't designed for personal photo storage, we cannot accept responsibility for private photos you upload by mistake. Please help us keep Summo focused on groceries!
⚖️ 3. Lawful Basis for Processing
We process your data based on specific legal grounds:
- Contractual Necessity (Art. 6.1.b GDPR): To provide the core functionality: scanning receipts, extracting data, and organizing your grocery history.
- Legitimate Interest (Art. 6.1.f GDPR):
- To train and improve our proprietary machine learning models.
- To generate aggregated market insights (e.g., price trend analysis).
- To ensure the security and integrity of our Service.
- Consent (Art. 6.1.a GDPR): Solely for optional features or direct marketing, which you can withdraw at any time.
🔍 4. Data We Collect
We adhere to data minimization principles. We collect only what is needed:
- Account Data: Email address and internal User ID.
- Receipt Data: Images you upload and the raw text/data extracted (store name, products, prices, timestamps).
- Usage Metadata: Technical logs, device type, crash reports, and interaction metrics to help us fix bugs.
📈 5. Local Shopping Insights (Aggregated Data)
5.1 How We Create Insights
We want to help everyone shop smarter. To do this, we analyze trends across all receipts, like "Who has the cheapest milk in Stockholm?". We call this "Aggregated Data."
- It's Anonymous: This data is stripped of all personal identifiers. It is just math and statistics, impossible to trace back to you.
- Business Use: Because this anonymous data helps the whole market understand pricing, we reserve the right to use, publish, or sell these anonymous statistics to improve the grocery ecosystem.
5.2 Improving Summo
We use the receipts you upload to teach our AI how to read better. This helps the app become more accurate for you and everyone else over time. We do not use your personal email or identity for this training.
🤖 6. Third-Party Services
We use trusted partners to operate the Service.
6.1 Processors (process data on our behalf, under our instructions)
| Provider | Purpose | DPA |
|---|---|---|
| Google Cloud Platform | Hosting, Database, Storage, AI | Google Cloud DPA |
| Sentry | Error Tracking & Crash Reporting | Sentry DPA |
| Resend | Transactional Emails | Resend DPA |
6.2 Controllers (process data under their own privacy policies)
| Provider | Purpose | Privacy Policy |
|---|---|---|
| Google Maps Platform | Store Location Geocoding | Google Privacy |
| Google Sign-in | Authentication | Google Privacy |
| Apple Sign-in | Authentication | Apple Privacy |
We configure our AI providers to ensure they do not train their public models on your private data.
🇸🇪 7. Your Rights
Under the GDPR, you have the following rights over your Personal Data:
- Access & Portability: Request a copy of your receipts and account data.
- Rectification: Correct wrong info.
- Erasure ("Right to be Forgotten"): Request deletion of your account and identifiable data.
- Note: This does not apply to Aggregated Data that has already been anonymized, as it is no longer personal data.
- Objection: You may object to our processing of your data for model training purposes by contacting support.
To exercise these rights: Email us at asterisk@summo.plus.
🛡️ 8. Security & Retention
- Security: We use industry-standard encryption (TLS/SSL) in transit and at rest.
- Retention: We keep your identifiable data only as long as you have an active account. If you delete your account, personal identifiers are removed within 30 days.
🏛️ 9. Regulatory Authority
If you believe we are mishandling your data, you have the right to lodge a complaint with your local Data Protection Authority (for example, the Swedish Authority for Privacy Protection – IMY).
👤 10. Age Requirement
Summo is intended for users aged 16 or older. We do not knowingly collect data from children under 16.