Privacy Policy
Last updated: April 10, 2026
1. Who we are
Field Cost Tracker is operated by 999 Solutions, with its registered address in Amsterdam, the Netherlands ("we", "us", "our").
For questions about this policy or your personal data, contact us at support@mail.fieldcosttracker.com.
2. What data we collect
We collect and process the following categories of personal data:
- Account data — your name and email address, provided by Google when you sign in.
- Job and cost data — job names, client names, budgets, cost entries, and time entries you create in the app.
- Receipt images — photos of receipts you upload. These may contain vendor names, addresses, purchase details, and payment information.
- Usage data — timestamps of your actions (e.g. when you last synced), device type, and browser information sent automatically with requests.
3. Why we collect it (legal basis)
We process your data on the following legal bases under GDPR:
- Contract performance (Art. 6(1)(b)) — processing necessary to provide the Field Cost Tracker service: storing your jobs, costs, receipts, and time entries.
- Legitimate interest (Art. 6(1)(f)) — usage analytics to improve the service, security monitoring, and fraud prevention.
- Consent (Art. 6(1)(a)) — where applicable, for optional features such as marketing communications. You can withdraw consent at any time.
4. How we use receipt images
When you upload a receipt, our server sends the image to a third-party AI service to extract
structured data (vendor name, date, line items, totals). The image is transmitted securely
and is used solely for this extraction. We do not use your receipts to train AI models.
Our AI provider's data processing terms apply to this processing.
5. Service providers (data processors)
We use the following third-party service providers to operate Field Cost Tracker:
- Google (authentication) — provides sign-in via Google OAuth. Google receives your authentication request. Subject to Google's Privacy Policy.
- AI processing provider (receipt processing) — processes receipt images to extract structured data. Bound by a data processing agreement that prohibits use of your data for model training.
- Cloud and hosting providers (infrastructure) — host the application, backend API, database, and stored files (including receipt images). Bound by data processing agreements as required by GDPR.
All service providers are bound by data processing agreements (DPAs) as required by GDPR Article 28.
6. Data storage and retention
- Account data — retained for as long as your account is active. Deleted within 30 days of account deletion.
- Job and cost data — retained for as long as your account is active. Soft-deleted data is permanently purged within 90 days.
- Receipt images — retained for as long as the associated job exists. Deleted when you delete the receipt or your account.
7. Data transfers outside the EU
Some of our service providers are based in the United States.
Data transfers to the US are protected by the EU–US Data Privacy Framework (where the
provider is certified) or by Standard Contractual Clauses (SCCs) included in our DPAs.
8. Your rights
Under GDPR, you have the right to:
- Access — request a copy of all personal data we hold about you.
- Rectification — correct inaccurate data.
- Erasure ("right to be forgotten") — request deletion of your data.
- Data portability — receive your data in a structured, machine-readable format.
- Restriction — restrict processing of your data in certain circumstances.
- Object — object to processing based on legitimate interest.
- Withdraw consent — where processing is based on consent, withdraw it at any time.
To exercise any of these rights, contact us at support@mail.fieldcosttracker.com.
We will respond within 30 days as required by GDPR.
9. Cookies and local storage
Field Cost Tracker does not use tracking cookies or third-party analytics cookies.
We use browser local storage (IndexedDB) to enable offline functionality — this is
strictly necessary for the service to work and does not require consent under the
ePrivacy Directive. Authentication tokens (JWTs) are stored in local storage to
keep you signed in.
10. Security
We protect your data with encryption in transit (TLS/HTTPS), encryption at rest
for stored files, and access controls on all systems. Our application enforces
multi-tenant data isolation — you can only access data belonging to your account.
11. Children
Field Cost Tracker is not intended for use by individuals under the age of 16.
We do not knowingly collect personal data from children.
12. Changes to this policy
We may update this privacy policy from time to time. We will notify you of
significant changes by email or through the application. The "last updated"
date at the top of this page indicates when the policy was last revised.
13. Supervisory authority
If you believe we are processing your data unlawfully, you have the right to
lodge a complaint with the Dutch Data Protection Authority
(Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.