Privacy Policy (隱私權政策)

Effective Date (生效日): 2024-12-23
Controller/Operator (營運方): 努法有限公司 (Taiwan)
Contact: hello@meetnuva.com

Address: 台北市中山區南京東路三段210號九樓

This Privacy Policy explains how we collect, use, share, and protect personal data when you use ChaChing San. It is intended to align with Taiwan's Personal Data Protection Act (PDPA) and commonly expected global privacy practices.

1. Scope (適用範圍)

This Policy applies to our web app, mobile app, and related services, support, and communications. It does not cover third-party websites/services you access through integrations.

2. Personal Data We Collect (我們蒐集的個人資料)

We may collect:

A. Account and Organization Data

  • name, email, phone (if provided)
  • company/organization name, billing details, plan selection
  • user roles/permissions, team member invites, audit logs

B. Expense and Financial Data

  • receipt/invoice images and attachments
  • extracted invoice fields (merchant, date, amount, tax ID, currency)
  • expense categories, notes, approval status, reimbursement status
  • bank account information used for reimbursement tracking and management (e.g., bank name, account number, account holder name, and related payment instructions)

C. Payment Data (Service Subscription)

Payment is processed by TapPay (or another payment processor). We typically receive limited billing metadata (e.g., payment status, last four digits, tokens) rather than full card numbers. TapPay describes its security governance referencing PCI DSS and ISO 27001.

D. Device, App, and Usage Data

  • device identifiers, app version, OS, language, time zone
  • IP address, log files, timestamps, clickstream, error reports
  • camera/photos permission usage (only if you choose to upload receipts)

E. Communications

  • support tickets, emails, and feedback you send us

3. How We Use Personal Data (使用目的)

We use personal data to:

  • Provide and operate the Service (account creation, receipt processing, workflow, exports, API features)
  • Authenticate and secure accounts; prevent fraud and abuse
  • Billing and subscription administration
  • Customer support and communications
  • Improve and develop the Service, including:
    • improving OCR and invoice extraction accuracy
    • training and evaluating AI models using receipt/invoice content and extracted fields (as described below)
  • Compliance with legal obligations and enforcing our Terms

4. AI Processing and Model Training (AI 處理與模型訓練)

Because the Service includes AI Features:

  • We process receipt/invoice images and related expense data to extract fields and generate structured expense records.
  • We may use Customer Content (including images and extracted fields) to train, evaluate, and improve our AI systems.
  • Third-Party AI Providers. We may send relevant content to AI providers (e.g., OpenAI GPT and Anthropic Claude) to generate outputs. OpenAI's platform documentation states that data sent to the OpenAI API is not used to train OpenAI models unless the customer opts in.

For other providers, data practices may differ by product tier and contract terms; you should also review the provider's policies.

5. Legal Bases (Where Applicable) (法律依據)

Depending on your jurisdiction, we process personal data based on:

  • performance of a contract (to provide the Service)
  • legitimate interests (security, fraud prevention, service improvement)
  • consent (where required, especially for certain marketing or sensitive processing)
  • legal obligations

For EU/EEA users, we describe rights consistent with GDPR-style transparency and control expectations.

6. How We Share Personal Data (資料分享對象)

We may share personal data with:

A. Subprocessors / Service Providers

  • Cloudflare for security/performance and infrastructure services.
  • TapPay for payment processing and related fraud/security controls.
  • AI providers (e.g., OpenAI, Anthropic) to deliver AI Features.
  • analytics, monitoring, email, and support tooling (if enabled)

B. Legal and Safety

  • if required by law, court order, or to protect rights, safety, and security

C. Corporate Transactions

  • in connection with a merger, acquisition, financing, reorganization, or sale of assets (with appropriate safeguards)

We do not sell personal data in the ordinary sense of "selling" to third parties for money.

7. International Transfers (跨境傳輸)

We are based in Taiwan, but users may be global. Our subprocessors and infrastructure may process data in multiple jurisdictions. Cloudflare's DPA and related terms describe its processor obligations and cross-border processing framework.

Where required, we will implement appropriate safeguards for cross-border transfers.

8. Data Retention (保存期間)

We retain personal data:

  • for as long as your Account is active and as needed to provide the Service
  • for a reasonable period after deletion to comply with legal obligations, resolve disputes, enforce agreements, prevent fraud, and maintain backup integrity
  • in aggregated/de-identified form for analytics and model improvement for longer periods, where reasonably necessary

9. Your Rights and Choices (您的權利)

You may have rights to:

  • access and obtain a copy of your personal data
  • correct or update inaccurate data
  • delete your Account and personal data (subject to retention exceptions)
  • object to or restrict certain processing (where applicable)
  • data portability (where applicable)
  • withdraw consent (where processing is based on consent)

These rights reflect common global privacy expectations (including GDPR-style rights).

To exercise rights, email hello@meetnuva.com. We may verify your identity before fulfilling requests.

10. Security (資料安全)

We use reasonable security measures such as encryption in transit, access controls, and monitoring to protect data. TapPay states it operates security management with reference to PCI DSS and ISO 27001 for its payment services.

No method of transmission or storage is completely secure; you should use strong passwords and restrict access via roles/permissions.

11. Cookies and Tracking (Cookie 與追蹤)

We may use cookies/local storage and similar technologies to:

  • keep you logged in
  • remember preferences
  • measure performance and reliability

You can control cookies through browser settings; some functions may not work without cookies.

12. Children / Minors (未成年人)

The Service is not designed specifically for children. If you are a minor under laws applicable to you, you should use the Service only with consent of a parent/guardian or authorized representative of your organization.

13. Changes to This Policy (政策更新)

We may update this Privacy Policy by posting a new version and updating the Effective Date. We will notify you of material changes in the Service or by email.

14. Contact (聯絡方式)

Privacy questions or requests: hello@meetnuva.com

Address: 台北市中山區南京東路三段210號九樓