Skip to main content

Privacy Policy

Effective Date: February 19, 2026

This Privacy Policy ("Policy") describes how Farnaus Technologies LLC, an Illinois limited liability company (together with its affiliates, "Farnaus Technologies," "FarnTech," "Company," "we," "us," or "our"), collects, uses, discloses, retains, and protects information in connection with: (a) farn-tech.com and its subdomains; (b) usebackpocket.com and its subdomains; (c) the BackPocket mobile application for iOS and Android (the "App"); and (d) any other websites, applications, application programming interfaces ("APIs"), portals, dashboards, beta or pre-release offerings, and related services owned or operated by Company (collectively, the "Services").

1. Scope

This Policy applies to the following categories of Services and interactions:

  • Marketing websites, informational pages, and landing pages operated by Company;
  • Public-facing consumer applications, including without limitation BackPocket, where end users accept the applicable Terms of Service as a condition of use;
  • Beta, preview, development, and staging environments made accessible to users;
  • Customer support channels, including support tickets, electronic mail, live chat, telephone, and any troubleshooting artifacts generated in the course of providing support;
  • Professional services and managed IT services ("MSP Services") delivered to business clients pursuant to a written agreement.

Where Company provides MSP Services or Professional Services to a business client under a signed Master Services Agreement, Statement of Work, Service Order, or similar written instrument (each, a "Business Agreement"), such Business Agreement may contain additional or different privacy and data security terms. In the event of a conflict between a Business Agreement and this Policy with respect to the business client relationship governed by that Business Agreement, the terms of the Business Agreement shall control.

2. No Sale of Personal Information

Farnaus Technologies does not sell, rent, lease, or otherwise transfer personal information to third parties for monetary or other valuable consideration. This commitment applies under all applicable federal and state privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act, and analogous state privacy statutes.

Company does not engage in cross-context behavioral advertising or the "sharing" of personal information for advertising purposes as those terms are defined under applicable law.

Differences between free and paid service tiers are based solely on feature access and usage limits, not on the value of personal information collected. Company does not offer financial incentives conditioned on the collection, sale, retention, or deletion of personal information.

3. Role Clarification: Controller and Processor

  • Controller. Company acts as a controller (or "business" under applicable state privacy law) with respect to personal information collected to operate its websites and public-facing applications, manage user accounts, process transactions, and conduct its business operations.
  • Processor / Service Provider. Where Company processes Customer Data on behalf of a business client in the course of delivering MSP Services or Professional Services under a Business Agreement, Company acts as a processor (or "service provider" under applicable state privacy law) and processes such data solely in accordance with the business client's documented instructions and applicable law.

4. Information We Collect

4.1 Information Provided Directly

  • Identifiers and contact information: email address, display name, and timezone preference.
  • Authentication and account data: account identifiers and sign-in metadata. Authentication is managed through a third-party identity provider (AWS Cognito). Company does not store plaintext passwords; authentication credentials are managed by the identity provider using industry-standard cryptographic methods.
  • Tracked item data: item names, deadline classifications (return, trial, warranty, subscription, document, or custom), key dates, purchase dates, prices, retailer names, notes, item status, and input source (manual entry, receipt scan, or email forward).
  • Receipt images: photographs of receipts uploaded by users for AI-powered extraction of purchase details.
  • Forwarded emails: purchase confirmation and order emails forwarded by users to their unique BackPocket inbound email address for AI-powered extraction of purchase details. Forwarded email content is parsed to extract structured data and is not stored in its original form after processing.
  • Chat messages: messages exchanged between users and the BackPocket AI assistant, including text content and any associated image references.
  • Household data: household membership, roles, and shared item associations for users on the Family plan.
  • Notification preferences: push notification tokens, device platform (iOS or Android), quiet hours settings, and reminder preferences.
  • Support communications: support tickets, electronic mail correspondence, and any attachments or diagnostic information provided by you.

4.2 Information Collected Automatically

  • Device and connection data: Internet Protocol ("IP") address, browser type and version, device type, operating system and version, language preference, and approximate geolocation derived from IP address.
  • Usage data: pages and screens viewed, features used, interactions and events, timestamps, and referring URLs.
  • Security and audit logs: authentication events, API request logs, error logs, and system performance metrics.
  • Analytics events: aggregated, non-personally-identifiable event data used to measure feature usage and Service performance, including item creation events, receipt scan events, reminder delivery events, subscription events, and account lifecycle events. Analytics events are tracked using anonymous identifiers and do not include names, email addresses, or other directly identifying information.

4.3 AI Processing of User Content

The Services use artificial intelligence and machine learning services, including third-party AI model providers, to process certain User Content in order to provide core functionality.

  • Chat messages. When you use the chat feature, your messages, recent conversation history, and a summary of your active tracked items are sent to third-party AI model providers for processing.
  • Receipt images. When you upload a receipt image, the image is processed by an optical character recognition service to extract text, which is then sent to a third-party AI model provider to extract purchase details and estimated deadlines.
  • Forwarded emails. When you forward an email to your unique BackPocket inbound address, the email subject and body text are sent to a third-party AI model provider to extract purchase details. Email attachments are not sent to AI services. Original email content is not retained after processing.
  • Session summarization. Older chat messages may be summarized by an AI model, with the summary stored in place of the original messages.
  • Local analysis. The Service may analyze your tracked items locally, without sending data to third-party AI providers, to identify purchasing patterns and improve suggestions.

Company's third-party AI model providers process User Content solely to generate responses and outputs for the requesting user. Company does not authorize AI model providers to use your User Content to train, improve, or develop their general-purpose AI models. Company contractually requires that AI model providers process data in accordance with their enterprise and API terms of service, which restrict the use of customer data for model training purposes.

4.4 MSP and Professional Services Data

When you engage Company for MSP Services or Professional Services, Company may access systems and data as reasonably necessary to perform the scope of work, including:

  • Endpoint and system data: device identifiers, hardware and software inventory, patch compliance status, configuration state, security telemetry, and event logs.
  • Identity and administrative data: tenant configuration, directory metadata, administrative audit logs, and access policy settings.
  • Email system metadata: mail flow configuration, security settings, message headers and transport logs, and anti-spam or security events, in each case solely as needed for troubleshooting.
  • Remote support artifacts: session metadata, actions performed during remote sessions, scripts executed, configuration changes, and troubleshooting output.

In the course of troubleshooting, Company personnel may incidentally observe content visible on-screen or present in system logs, including email content or filenames. Company minimizes such access and uses incidentally observed information solely for the purpose of delivering the requested services or as required by law.

4.5 Information from Third-Party Sources

  • Infrastructure providers: hosting, storage, backup, monitoring, logging, and error tracking services.
  • Identity providers: where you authenticate via the identity provider (AWS Cognito), Company receives identifiers and authentication signals from the identity provider.
  • AI model providers: Company uses third-party AI and machine learning services (including Amazon Bedrock) to power chat, receipt scanning, and email parsing features. These providers return generated text and structured data in response to user-initiated requests.
  • OCR services: Company uses optical character recognition services (including Amazon Textract) to extract text from uploaded receipt images.
  • Security providers: error tracking and monitoring services (including Sentry) used to detect, diagnose, and resolve errors and performance issues within the Services.
  • Payment processor: Stripe, Inc. ("Stripe"), for billing and subscription management. See Sections 7 and 8.

5. Purposes of Processing

Company uses collected information for the following purposes:

  • Provision, operation, maintenance, and improvement of the Services, including the AI-powered chat, receipt scanning, email forwarding, and reminder features;
  • User authentication, account administration, and enforcement of access controls;
  • Processing of user-submitted receipt images and forwarded emails to extract structured item and deadline data;
  • Generation of AI chat responses and execution of user-requested actions through the chat interface;
  • Delivery of push notifications and deadline reminders;
  • Management of household memberships and shared item access;
  • Calculation and display of savings summaries and milestone achievements;
  • Customer support and response to inquiries;
  • Security monitoring, fraud prevention, abuse detection, and incident response;
  • Performance measurement, reliability monitoring, debugging, and error resolution;
  • Communications regarding service updates, security notifications, subscription changes, payment failures, and policy changes;
  • Marketing communications where permitted by applicable law. You may opt out of marketing emails at any time by using the unsubscribe link included in each marketing email or by contacting [email protected]. Opt-out requests will be processed within ten (10) business days. Opting out of marketing emails does not affect transactional or service-related communications;
  • Compliance with legal obligations, enforcement of agreements, and establishment, exercise, or defense of legal claims; and
  • Subscription and billing management.

6. Cookies, Local Storage, and Analytics

Essential technologies. Company uses cookies and browser local storage that are strictly necessary to enable session management, authentication, security protections, and user preferences. Disabling these technologies may impair or prevent access to core functionality of the Services.

No targeted advertising. Company does not serve cross-site behavioral advertising through the Services.

Analytics. Company uses aggregated, anonymous analytics (via CloudWatch Embedded Metric Format) to measure feature usage, performance, and reliability. These analytics events are identified by anonymous user identifiers and do not contain names, email addresses, or other directly identifying personal information. Where Company enables additional analytics technologies, Company will update this Policy and, where required by applicable law, provide appropriate notice or consent mechanisms prior to deployment.

Payment processor technologies. Payment flows processed by Stripe may involve cookies or similar technologies deployed by Stripe for fraud prevention and payment processing purposes, subject to Stripe's Privacy Policy.

7. Disclosure of Information

Company discloses information only in the following circumstances:

  • Service providers and processors: to third-party vendors providing hosting, storage, monitoring, logging, error tracking, support tooling, AI model inference, optical character recognition, push notification delivery, email delivery, and security services, in each case subject to contractual obligations to protect the confidentiality and security of such information.
  • AI model providers: User Content (including chat messages, extracted receipt text, and forwarded email text) is sent to third-party AI model providers (including Amazon Bedrock) to generate responses and extract structured data. These providers process data as service providers under contract and do not use your data to train their general-purpose models.
  • Household members: if you use the Family plan and share an item with your household, item details (including item name, classification, dates, price, retailer, and notes) are visible to other household members. Chat messages and receipt images are not shared with household members.
  • Payment processing: to Stripe for the purpose of processing payment transactions associated with paid subscription plans. Company may receive limited billing signals from Stripe (such as subscription status, customer identifiers, payment success or failure status, and invoice references) for subscription administration purposes.
  • Business client instructions: where Company processes Customer Data on behalf of a business client in the course of MSP Services or Professional Services, disclosures are made in accordance with the business client's instructions and the applicable Business Agreement.
  • Legal compliance and safety: where required to comply with applicable law, lawful process, subpoena, court order, or governmental request, or where Company reasonably believes disclosure is necessary to protect the rights, property, or safety of Company, its users, or the public, or to investigate fraud, security incidents, or violations of the Terms of Service.
  • Business transfers: in connection with a merger, acquisition, reorganization, financing, asset sale, or similar transaction, subject to appropriate confidentiality protections.
  • Professional advisors: to legal, accounting, and other professional advisors as necessary for the operation of Company's business, subject to confidentiality obligations.

8. Payment Data

Where you subscribe to a paid plan (BackPocket Pro or BackPocket Family), payment transactions are processed by Stripe. Stripe collects payment instrument information (such as payment card details) directly; Company does not receive or store full payment card numbers on its systems. Company stores limited billing and subscription metadata necessary for account administration, including Stripe customer identifiers, subscription identifiers, subscription tier, billing status, and invoice references. Stripe's collection and use of payment information is governed by Stripe's Privacy Policy.

9. Data Retention

Company retains information for the period reasonably necessary to fulfill the purposes described in this Policy, including provision of the Services, maintenance of security and audit records, compliance with legal obligations, resolution of disputes, and enforcement of agreements.

  • Account and profile data: retained until account deletion; removed from active systems within thirty (30) days following deletion request, subject to legal, regulatory, or security exceptions.
  • Tracked items and associated data: active items are retained within your account until deleted by you or until deletion of your account. Items in expired, acted-on, or dismissed status are retained for up to two (2) years from the date of last update for historical reference and savings reporting, after which they are permanently deleted.
  • Receipt images: retained for up to two (2) years from the date associated with the linked item, after which they are permanently deleted from storage.
  • Chat messages: retained for up to one (1) year from creation. Older messages within active sessions may be summarized and the original messages deleted to maintain performance. Session summaries are retained for the life of the session.
  • Forwarded email data: structured data extracted from forwarded emails is retained as part of the associated tracked item. Original email content is not retained after processing.
  • Reminders: sent and dismissed reminders are retained for ninety (90) days, after which they are permanently deleted.
  • Support tickets and troubleshooting artifacts: retained for operational continuity and audit purposes, typically for a period of one (1) to three (3) years, unless longer retention is required by law or litigation hold.
  • Security and audit logs: retained for thirty (30) to one hundred eighty (180) days, depending on log type and applicable security requirements.
  • Backups: deleted data may persist in encrypted backup media for a limited period (typically up to ninety (90) days) before being overwritten in the ordinary course.
  • Billing records: retained as required for accounting, tax, and legal compliance purposes.

Cancellation of a paid Subscription does not automatically delete your account or the data associated with it. To request deletion of your account and associated data, see Section 11.

10. Security and Data Breach Notification

Company implements reasonable administrative, technical, and organizational safeguards designed to protect information against unauthorized access, alteration, disclosure, or destruction, including access controls, principle of least privilege, monitoring and logging, encryption of data in transit and at rest, and secure credential management through third-party identity providers. No method of electronic transmission or storage is completely secure, and Company cannot guarantee absolute security.

In the event of a breach of security involving personal information, Company will notify affected individuals and applicable regulatory authorities as required by applicable law, including the Illinois Personal Information Protection Act (815 ILCS 530). Notification will be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach, restore the integrity of affected systems, and cooperate with law enforcement where appropriate.

11. Your Privacy Rights

Depending on your jurisdiction, applicable law may afford you certain rights with respect to your personal information. These rights may include, without limitation:

  • The right to know what personal information Company collects, uses, and discloses about you;
  • The right to access, correct, or delete personal information held by Company;
  • The right to obtain a portable copy of personal information;
  • The right to opt out of the sale or sharing of personal information, targeted advertising, and certain profiling activities (where applicable); and
  • The right to limit certain uses of sensitive personal information (where applicable).

These rights may be subject to limitations and exceptions under applicable law. Company will not discriminate against you for exercising your privacy rights. Where you access the Services through a business client (in the MSP or Professional Services context), you should direct requests to that business client in the first instance; Company will assist the business client in fulfilling such requests as required by law.

11.1 Data Export

BackPocket provides a data export feature that allows you to download a copy of your data, including tracked items, reminders, chat history, and preferences, in a structured, machine-readable format (JSON). Data exports are available through the App or by contacting [email protected]. Export requests are limited to one per twenty-four (24) hour period. Export download links are available for seven (7) days after generation.

11.2 Account Deletion

You may request deletion of your account and all associated data at any time through the App or by contacting [email protected]. Account deletion includes a thirty (30) day grace period during which you may reverse the deletion. Following the grace period, your account and all associated data—including tracked items, receipt images, chat history, household memberships, notification preferences, and savings data—will be permanently deleted. See the Terms of Service, Section 19, for additional detail on the account deletion process.

11.3 Opt-Out Preference Signals

Where required by applicable law, Company will honor recognized universal opt-out mechanisms, including the Global Privacy Control ("GPC") signal, as a valid request to opt out of covered activities such as the sale or sharing of personal information or targeted advertising. Where Company does not engage in the relevant activity, the signal will have no operational effect.

Some browsers transmit "Do Not Track" signals. There is no industry consensus on how to respond to such signals. Company does not currently respond to Do Not Track signals but does honor Global Privacy Control as described above.

11.4 Submitting Requests

To exercise your privacy rights, submit a request to [email protected]. Company may require verification of your identity and authority before processing a request, consistent with applicable law. Company will acknowledge receipt of your request and respond within the timeframe required by applicable law (typically forty-five (45) days, subject to permitted extensions).

You may designate an authorized agent to submit a request on your behalf. An authorized agent must provide documentation of authority, such as a signed written authorization or a valid power of attorney. Company may require verification of both the agent's authority and your identity before processing the request.

11.5 Appeals

If Company denies your request in whole or in part, you may appeal by responding to the denial communication or by contacting [email protected] with the subject line "Privacy Appeal." Company will respond within the timeframe required by applicable law.

12. Sensitive Data and Special Notices

  • Biometric information: Company does not collect biometric identifiers or biometric information as defined under the Illinois Biometric Information Privacy Act (740 ILCS 14) or analogous statutes. Receipt scanning uses optical character recognition to extract text from images and does not involve facial recognition, fingerprint scanning, or any form of biometric data collection.
  • Protected health information: Do not submit Protected Health Information ("PHI") as defined under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations unless Company has executed a Business Associate Agreement with you.
  • Children and minors: The Services are intended for users who are at least eighteen (18) years of age, or the age of majority in their jurisdiction, whichever is greater. Company does not knowingly collect personal information from individuals under the age of thirteen (13), consistent with the Children's Online Privacy Protection Act ("COPPA"). If you believe a child under 13 has provided personal information to Company, contact [email protected] and Company will take steps to delete such information. Users between the ages of 13 and 18 should not use the Services without the consent and supervision of a parent or legal guardian.

13. AI-Specific Data Practices

This section provides additional detail about how personal information and User Content are handled in connection with AI-powered features of the Services.

  • Data sent to AI model providers. When you use the chat feature, scan a receipt, or forward an email, the content you provide is sent to third-party AI model providers through their API services. This data is transmitted via encrypted connections.
  • No training on your data. Company does not authorize third-party AI model providers to use your data for training, improving, or developing their general-purpose AI models. Data sent through API services is processed only to generate the requested output and is subject to the provider's enterprise data handling policies, which restrict use of API data for model training.
  • Contextual data shared with AI. To provide relevant responses, the chat feature sends the AI model a summary of your current tracked items (names, classifications, dates, prices, retailers, and statuses), your subscription plan, your timezone, and recent conversation history.
  • Automated decision-making. Items extracted from receipts or emails with high confidence may be created automatically. Lower-confidence items are presented for your review before creation. You may edit or delete any automatically created item at any time.

14. International Users

The Services are operated from the United States. If you access the Services from outside the United States, your information may be transferred to, stored in, and processed in the United States and other jurisdictions in which Company or its service providers operate, which may have data protection laws that differ from those in your jurisdiction.

15. Changes to This Policy

Company may update this Policy from time to time. The "Effective Date" at the top of this page will be revised to reflect the date of the most recent update. Where changes are material, Company will provide additional notice as required by applicable law. Your continued use of the Services following the Effective Date of an updated Policy constitutes acceptance of the updated Policy.

16. Contact

Farnaus Technologies LLC
Privacy inquiries: [email protected]
General support: [email protected]

California Notice at Collection

This notice is provided pursuant to the California Consumer Privacy Act, as amended, and supplements the information contained in this Policy. In the event of any conflict between this notice and the body of this Policy, the body of this Policy shall control.

  • Categories of personal information collected: Identifiers (email address, display name, account identifiers); Internet or other electronic network activity information (IP address, device information, browser type, usage data); geolocation data (approximate, derived from IP address); commercial information (subscription and billing metadata, tracked item prices, retailer names, purchase dates); customer support records; content you submit (including chat messages, receipt images, forwarded email text, tracked item data, and notes).
  • Categories of sources: Directly from you (account registration, chat messages, receipt uploads, email forwards, manual item entry, support inquiries); automatically from your device and browser; from identity providers (AWS Cognito); from AI model providers (generated responses and extracted data); from payment processors (Stripe); and from infrastructure, error tracking, and security service providers.
  • Purposes of collection: Provision and operation of the Services, including AI-powered chat, receipt scanning, and email forwarding; account authentication and administration; deadline tracking and reminder delivery; savings calculation and reporting; household management; customer support; security monitoring and fraud prevention; performance measurement and debugging; service communications; subscription management; and legal compliance. See Section 5 for a complete description.
  • Categories of third parties to whom personal information is disclosed: Cloud infrastructure and hosting providers; AI model and machine learning providers; OCR service providers; payment processors; identity and authentication providers; error tracking and monitoring providers; email delivery providers; household members (shared items only, on Family plan); and professional advisors (legal, accounting).
  • Sensitive personal information: Company does not intentionally collect sensitive personal information as defined under applicable California law. Do not submit sensitive personal information unless expressly requested by a Service.
  • Sale or sharing: Company does not sell personal information. Company does not share personal information for cross-context behavioral advertising.
  • Financial incentives: Company does not offer financial incentives conditioned on the collection, sale, retention, or deletion of personal information. Differences between free and paid service tiers are based on feature access, not on the value of personal information.
  • Retention: See Section 9 for category-based retention periods.