The short version
Penny Hunter is built to be useful without knowing who you are. We don't ask for your name, email, phone, or address. Your watchlist, finds, and receipts stay on your device unless you turn on Pair Sync to share with one other device. We collect anonymous usage events so we can fix what's broken — you can turn that off any time in Profile.
What we collect
1. Usage analytics (PostHog)
Anonymous event counts: app opens, screen views, scans, finds added,
outbound retailer clicks. Each event is tagged with a randomly generated
device ID, app version, and platform — never your name, email, or
precise location. PostHog's IP-derived geolocation is disabled at
initialization (disableGeoip: true).
Opt out: Profile → Privacy → toggle "Usage Analytics" off.
2. Crash reporting (Sentry)
When the app crashes, we send the JavaScript error message, stack trace,
and a minimal device fingerprint (OS version, app version, release ID)
to Sentry. We strip personally identifying information at the SDK level
(sendDefaultPii: false). We do not log your watchlist, finds,
or any user-entered data in error reports.
3. Anonymous crowdsourced finds
When you log a find with a UPC, we send a row to our backend containing only: the UPC, the store ID, the price you paid, whether it's a penny, and a randomly generated client ID. We never send your item names, notes, or anything else from your finds. This data powers the "X hunters confirmed" badges in the penny list.
Opt out: Profile → Privacy → toggle "Share Anonymous Finds" off.
Retention: rows older than 90 days are automatically
deleted from our database via a daily cron job.
4. Pair Sync (only if you enable it)
If you create or join a pair (Profile → Pair Sync), the watchlist + finds + live store status from this device are stored on our backend so the paired device can read them. Access is controlled by an 8-character pair code — anyone with that code can read your pair's data, so don't share it publicly. Stop sharing any time by leaving the pair (data is removed when the pair becomes inactive).
5. Receipt photos (optional, on-demand)
If you scan a receipt, the photo is stored locally on your device only. The image is sent to a third-party AI processing service once for parsing into structured items, then discarded. The provider operates under a no-training data agreement, meaning your receipt is not used to train models (provider privacy policy). The receipt photo is never uploaded to our backend.
6. Device permissions
- Camera — only while you're scanning a barcode or photographing a receipt. Photos are not transmitted except as described above.
- Location — only while you're using the app, and only to filter store deals to your zip. Coordinates are stored on-device only and never transmitted to our servers.
- Notifications — only used for penny-day reminders and watchlist hits. Opt-out via iOS Settings.
What we do NOT collect
- Your name, email, phone, mailing address, or government IDs
- Payment information (we never process payments)
- Your contacts, calendar, photos library, or microphone
- Precise location coordinates (only zip-level)
- Item names from your finds (when sharing anonymously — only UPCs)
- Receipt photos on our servers (only sent to a third-party AI service for parsing, then discarded)
Third-party services we use
The following services receive limited data as described above:
- Supabase (database, edge functions, realtime) — anonymous finds, pair sync data, briefing cache. supabase.com/privacy
- PostHog (analytics) — anonymous usage events. posthog.com/privacy
- Sentry (crash reporting) — JS error messages + stack traces. sentry.io/privacy
- AI processing service (categorization, receipt OCR, resale estimates) — item names and receipt photos for the duration of the API call only. Provider privacy policy.
- Skimlinks (affiliate link tracking) — when you tap "Shop" on a deal, the outbound URL is wrapped through Skimlinks, which records the click for affiliate attribution. They may set cookies on the retailer site. skimlinks.com/privacy
- BestTime (busyness forecasts) — chain name + your city/state/zip are sent to BestTime so we can show "best time to visit" data. They do not receive your identity. besttime.app/privacy
- Flipp (weekly ad data) — your zip code is sent to Flipp's public API to fetch weekly ads for retailers in your area. corp.flipp.com/privacy
Affiliate links + revenue
When you tap "Shop" on a deal, you're redirected to a retailer's website (Amazon, Walmart, Dollar General, etc.). If you make a purchase, Penny Hunter may earn a small commission via Amazon Associates, Skimlinks, or Impact. The commission has no effect on your price and never changes which deals we show or how they're ranked.
Children's privacy
Penny Hunter is intended for users 13 and older. We do not knowingly collect data from children under 13. If you believe a child has provided data to us, contact us and we'll remove it.
Your rights
You can:
- Turn off all analytics (Profile → Privacy → Usage Analytics)
- Stop sharing anonymous finds (Profile → Privacy → Share Anonymous Finds)
- Delete the app — all on-device data is removed instantly
- Leave any active pair from the Pair Sync screen
- Request deletion of any anonymous-find rows we've collected from your device by emailing privacy@pennyhunter.store with the random client_id from your phone (we'll show you how to find it on request)
Residents of California (CCPA), the EU/UK (GDPR), and Canada (PIPEDA) have additional rights to access, port, or delete data. Email us — we respond within 30 days.
Changes to this policy
We'll bump the "Last updated" date at the top and post a notice in the app the next time you open it after a material change. Continued use after the update means you accept the new terms.
Contact
Privacy questions: privacy@pennyhunter.store
Anything else: hello@pennyhunter.store