On this page
The short version
- Month Audit is a small pilot. You forward receipts to a single shared address; we email weekly and monthly summaries back.
- Forwarded receipts are read by Claude (Anthropic's model) running inside AWS Bedrock, parsed into structured records, and used to generate your summaries. Nothing leaves Amazon Web Services.
- Raw forwarded emails are kept 30 days, then truncated to parsed records. Parsed records are kept until you ask us to delete them. Summaries are kept 12 months rolling.
- We don't sell your data, share it with advertisers, or use it to train any AI model. Bedrock‑with‑Anthropic is configured so your data is not used for model training.
- We don't collect bank credentials, credit card numbers, or government IDs. If a forwarded receipt contains a full card number or ID, we redact it before processing.
- You can pause, resume, or delete everything by replying in plain English to any email from us — no special keywords. For deletion, we'll send a one‑time 6‑digit code to confirm; this defends against someone spoofing your email address.
- The summary emails we send include a small open‑tracking pixel (via AWS SES) so we can see whether emails are being opened. You can block it by disabling remote image loading in your email client — see Cookies and Tracking.
- This is a pilot, currently operated by an individual rather than a company. See “Who is the data controller?” below.
Who is the data controller?
Month Audit is currently operated by an individual based in Dubai, United Arab Emirates, as a sole proprietorship pilot project. The operator's full legal name is provided in writing on request to verified data‑rights requests at hello@monthaudit.com, and to any data‑protection authority on request.
If incorporation occurs before or during the pilot, this notice will be updated to name the legal entity as controller, and active users will be notified by email.
Contact: hello@monthaudit.com
What data we collect
When you first forward a receipt to review@receipts.monthaudit.com:
- The
From:address on the message. - The full content of the forwarded email — sender, subject, date, body, and any attachments (PDFs).
- A user record in
pending‑confirmationstate. The parked message is stored but not parsed until you confirm.
When you reply to our confirmation email or any later email from us:
- The full text of your reply.
- The intent the system inferred from it:
confirm,pause,resume,delete_intent,delete_token, orengagement. Replies the system can't confidently classify are forwarded to the operator for a manual response. - For deletion specifically: a one‑time 6‑digit token issued at the deletion request, valid for 24 hours, single‑use, never reused.
When you forward more receipts (after confirmation):
- The full email content, parsed into structured records — merchant, date, amount, currency, line items, fees, and an inferred category from a fixed list.
When we send your weekly pulse or monthly review:
- The generated summary text itself.
- The outbound delivery record (sent / delivered / bounced — handled by AWS SES).
- Email‑open events from a 1×1 tracking pixel embedded by AWS SES Virtual Deliverability Manager (VDM). When your email client loads images, AWS SES records that the email was opened, along with a timestamp and metadata your client reveals when fetching the image (typically: an IP address, which AWS SES uses to derive approximate location, and user‑agent string). We use these signals to know whether summaries are landing and being read. You can block the pixel by disabling remote image loading in your email client before opening our emails — see Cookies and Tracking.
After you delete your account:
- One append‑only deletion‑log entry is retained:
{deleted_at, sha256(lowercase(your_email_address))}— a one‑way hash, not your address. This is the audit trail to demonstrate the deletion happened. Plaintext of your email address is not retained.
What we do NOT collect:
- Bank credentials, credit card numbers, social security numbers, passport numbers, or other government IDs.
- Hidden third‑party tracking pixels in our emails — the only open‑tracking signal is the AWS SES first‑party pixel described above.
- Cookies — we don't operate a tracked website.
- Browsing or device fingerprinting data, geolocation, or ad‑network identifiers.
If a forwarded receipt happens to contain a full credit card number, social security number, or other government ID, we redact it before processing and do not retain it.
Why we collect it (lawful bases)
Under GDPR / UK GDPR:
| Data | Lawful basis | Plain‑language reason |
|---|---|---|
From: address, parsed receipts, generated summaries, user‑state record |
Art 6(1)(b) — contract performance | Necessary to provide the service you asked for: deliver summaries to the address you forwarded from. |
| Full content of forwarded receipts | Art 6(1)(a) — explicit consent (your confirmation reply); Art 9(2)(a) for any special‑category data | You actively forward each receipt; your confirmation reply is explicit consent to model‑processing. |
| Free‑text replies (commands and engagement) | Art 6(1)(b) for action‑classified replies; Art 6(1)(f) — legitimate interest for engagement routing | Acting on pause/resume/delete is the service; routing unclassified replies to the operator keeps the pilot honest. |
| Deletion‑log entry (hash + timestamp, no plaintext) | Art 6(1)(c) — legal obligation; Art 6(1)(f) — legitimate interest | Audit trail to demonstrate compliance with erasure requests if challenged. |
| Email‑open events from the VDM pixel | Art 6(1)(f) — legitimate interest | We need to know whether summaries are being opened to judge whether the pilot is working and whether to keep sending them. You can block the pixel by disabling remote image loading in your email client. |
If any forwarded receipt contains “special category” data (Art 9) — for example, a pharmacy receipt revealing a specific medication, or a religious or political donation — we do not name the specific item in your summaries, do not store it longer than the retention schedule below, and rely on Art 9(2)(a) explicit consent (your choice to forward it).
How long we keep your data
| Data | While active or paused |
After you delete | If pending‑confirmation expires |
|---|---|---|---|
From: address |
Until deletion | Purged within 24h of token confirmation | Purged at 14 days |
| Raw forwarded email body (incl. attachments) | 30 days from receipt, then truncated to parsed records | Purged within 24h | Purged at 14 days |
| Parsed receipt records | Until deletion | Purged within 24h | Purged at 14 days |
| Generated summaries | 12 months rolling | Purged within 24h | n/a |
| Email‑open events (AWS SES VDM) | 30 days from event, then auto‑purged. Aggregated metrics may persist beyond raw events per AWS defaults. | Existing events continue to age out within 30 days; no new events created after your 24h purge | n/a |
| Free‑text replies (command + engagement history) | Until deletion | Purged within 24h | Purged at 14 days |
| Pending deletion tokens | 24h TTL, then auto‑expired | n/a | n/a |
| Append‑only deletion‑log entry (hashed email + timestamp) | n/a | Retained indefinitely as audit record | n/a |
| AWS SES inbound / outbound mail logs | Per AWS retention, configured to minimum | Aged out per AWS schedule | Same |
| AWS Bedrock model‑invocation logs (Claude requests + responses) | 30 days from invocation, then auto‑purged. Not used to train any model. | Existing logs continue to age out within 30 days; no new logs created after your 24h purge | Same |
To delete everything, reply to any email from us in plain English (“delete everything”, “I want out”, “wipe my data” — anything that reads as a deletion request works). We'll reply with a 6‑digit confirmation code; reply with the code within 24 hours and the purge completes within a further 24 hours, with confirmation in writing. The only thing that survives is the hashed‑and‑timestamped deletion‑log entry above.
Who we share it with
Three sub‑processors. The bulk of your data — forwarded receipts, parsed records, summaries — stays within Amazon Web Services in the EU. A narrower flow involves Google Workspace, which hosts the operator's contact mailbox and receives any engagement messages the system can't auto‑classify. The public pages at monthaudit.com load fonts from Google Fonts, which means Google receives your IP address and browser headers on each page visit.
| Sub‑processor | Role | Where processed | Safeguards |
|---|---|---|---|
| Amazon Web Services, Inc. | Amazon SES for inbound and outbound email delivery; Amazon Bedrock for invoking Anthropic's Claude model (receipt parsing, intent classification, summary generation); AWS compute and storage for everything else. | EU — Ireland (eu‑west‑1). Contracting entity is AWS, Inc., a US company. |
EU‑US Data Privacy Framework; UK Data Bridge; 2021 SCCs. Your data sent to Bedrock is not used to train any AI model — AWS Bedrock does not use customer prompts or outputs for training by default, and we have an AWS organisation AI services opt‑out policy in effect as a belt‑and‑suspenders measure. Invocations are not shared with Anthropic outside the request/response cycle. Bedrock invocation logs are retained 30 days for operational debugging. AWS DPA |
| Google LLC (Google Workspace) | Hosts the operator's contact mailbox (hello@monthaudit.com). Receives engagement replies the system can't confidently auto‑classify and forwards them to the operator for a manual response. Also receives any email you send directly to hello@monthaudit.com. | Workspace Data Regions configured to EU. Contracting entity is Google LLC, a US company. | EU‑US Data Privacy Framework; UK Data Bridge; 2021 SCCs. DPA |
| Google LLC (Google Fonts) | Serves the web fonts (Instrument Serif, Geist, JetBrains Mono) used by the public pages at monthaudit.com. Every page load sends your IP address and browser headers to Google's font servers. No receipt or account data is involved; only the page visit itself. | Google infrastructure (global CDN). Contracting entity is Google LLC, a US company. | EU‑US Data Privacy Framework. Google Privacy Policy; Google Fonts privacy FAQ. |
We do not use: any advertising network, retargeting pixel, analytics tool, data broker, third‑party cookie, or hidden third‑party email‑open tracking pixel. The public web surface is monthaudit.com — a static marketing page and this privacy notice. No signup form is operated.
International data transfers
The bulk of your data — forwarded receipts, parsed records, summaries, and state — is processed within the European Union. AWS handles SES and Bedrock requests in eu‑west‑1 (Ireland) with storage in the same region.
- For EU users: no transfer outside the EU for receipt‑processing data. The contracting AWS entity is US‑based, but data residency is EU.
- For UK users: data moves from the UK to the EU (Ireland) for processing, relying on the UK's EU adequacy decision.
- For UAE, Singapore, Australia, and US users: data is transferred into the EU for processing. Equivalent cross‑border transfer mechanisms in your jurisdiction apply.
A separate, narrower flow involves Google Workspace (the operator's hello@monthaudit.com mailbox and engagement routing). Workspace Data Regions are configured to EU. For any incidental US‑bound transfer of Workspace data, transfers rely on:
- EU‑US Data Privacy Framework — Google is DPF‑certified. Verify current status at dataprivacyframework.gov.
- UK Data Bridge for UK residents.
- 2021 Standard Contractual Clauses.
Your data sent to AWS Bedrock is not used to train any AI model. AWS Bedrock does not use customer prompts or outputs for training by default, and we have an AWS organisation AI services opt‑out policy in effect on top of that. Invocations are not shared with Anthropic outside the request/response cycle.
Email us for specifics for your location.
Your rights
Depending on where you live, you have some or all of the following rights:
- Access — you can ask what we hold about you and get a copy.
- Rectification — you can ask us to correct anything inaccurate.
- Erasure (“right to be forgotten”) — you can ask us to delete everything we hold about you (see deletion mechanic below).
- Portability — you can ask for your data in a machine‑readable format.
- Restriction — you can ask us to stop processing while a dispute is resolved.
- Objection — you can object to processing based on legitimate interest.
- Withdraw consent — where processing is based on consent, you can withdraw it at any time without affecting processing already done. Asking to delete everything has the same effect.
- Lodge a complaint with your local data‑protection authority — the UK ICO, the relevant EU Member State supervisory authority, the UAE Data Office, the Singapore PDPC, or the OAIC in Australia. We'd prefer you write to us first so we can fix the issue, but you don't have to.
To exercise any of these rights, including deletion: reply to any email from us in plain English. The system infers what you're asking for; you don't need to remember special keywords. For deletion, we'll send a one‑time 6‑digit confirmation code (single‑use, 24‑hour expiry) — this is to defend against an attacker who has spoofed your email address. Reply with the code and the purge completes within 24 hours, with confirmation in writing.
You can also email hello@monthaudit.com directly. We will respond within 7 days; for deletion requests, we'll confirm in writing once the purge is complete.
For California residents: you also have the rights described under the CCPA and CPRA, including the right to know, delete, correct, and limit use of sensitive personal information. We do not sell your personal information and have not done so in the past 12 months.
Cookies and tracking
We don't operate a tracked website, set cookies that identify you, or run analytics on the privacy‑notice page. The only web touchpoint is monthaudit.com hosting this notice, which uses no cookies and no analytics tool.
Our summary emails do contain a single 1×1 open‑tracking pixel, delivered by AWS SES. When your email client loads remote images, the pixel request reaches AWS, which records that the email was opened and the metadata your client reveals when fetching it (IP address, derived approximate location, user‑agent). We use this to judge whether summaries are landing — nothing more.
If you'd rather not be tracked, disable remote image loading in your email client before opening our emails. This is supported by every major mail client (Gmail, Apple Mail, Outlook, Fastmail, Proton) and typically lives under image‑display or external‑content settings.
Children
This service is not intended for anyone under 16. We do not knowingly collect data from children. If you believe a minor has signed up, email hello@monthaudit.com and we will delete the account.
Security
- All inbound and outbound email passes through Amazon SES with TLS 1.2+ encryption in transit where supported by the counterpart server. Receipts you forward are encrypted at rest inside AWS.
- AWS access uses short‑lived IAM credentials following least‑privilege; no operator access to your data except via auditable IAM roles.
- AWS Bedrock invocation logging is enabled with a 30‑day retention window for operational debugging. An AWS organisation‑level AI services opt‑out policy is in effect, on top of Bedrock's default no‑training posture.
- We do not store banking credentials, credit card numbers, or government IDs at any point. Redaction happens before parsing.
- A monthly AWS budget cap is in place as a safety measure against runaway processing.
Changes to this notice
We'll update this notice when we add or remove a sub‑processor, change a retention period, change the legal entity, or add a new use of data. For material changes, we will email every user with an active or paused record at least 14 days before the change takes effect. For minor edits (typos, formatting), we'll just update the page and bump the “Last updated” date at the top.
The full version history of this notice is available on request.
Contact
Email: hello@monthaudit.com
Response time: typically within one working day, no later than 7 days for formal data‑rights requests.
Postal address: available on request to verified data‑rights requests.