You point your camera at a receipt and tap upload. From there, three things matter: what Marvin does with it, what we don't, and what happens when you decide to walk away.
The photo, before you tap upload
The image lives only on your phone until you decide to send it. We don't auto-upload, we don't pre-process, we don't sneak it onto our servers in the background. If you take a picture and change your mind, it never leaves the device.
Marvin reads it
When you do tap upload, Marvin reads the receipt to pull out the merchant, the total, the date, and the category — the boring fields that turn a photo into a useful line on your timeline.
Two things we promise about that step. Your receipt is never used to train any shared AI model. Not ours, not anyone else's. And the AI provider we work with doesn't keep your image after the read is done — it's not added to some growing pile that another customer might one day benefit from.
It gets stored, securely
The receipt and its parsed fields end up in Marvin's database, encrypted at rest. Sensitive personal fields — your name, your email — get an additional layer of encryption on top, so even in the worst case they aren't lying around in plaintext.
Your data is tied to your account. It's never bundled, aggregated, or "anonymised" and sold (anonymisation is reversible far more often than companies admit — we just don't go down that road).
Nobody is browsing your stuff
There's no internal dashboard where someone at Marvin can scroll through your receipts. There's no analytics tool that exposes per-user content to the team. The only times anyone touches your data are the obvious ones: an incident we're investigating, a support session you explicitly opened with us, or a legal request we're required to honour. Each one is logged.
What we never do with it
- We don't sell it, in any form, to anyone.
- We don't share it with marketing partners. We don't have any.
- We don't run ads. So we have nothing to target you with.
- We don't generate "wellness scores" or "credit health" signals to sell to insurers or lenders.
- We don't keep ghost copies of your data after you delete your account.
When you leave, your data leaves
Tap delete and within 30 days every receipt photo, every line, every chat message, every setting, every billing reference is gone. We don't keep an archive "just in case." We don't soft-delete and quietly hold on. You're done, we're done.
And before you go: you can export everything — receipts, expenses, chat history — as CSV, PDF, or JSON from Settings. On every plan, including Free. Your stuff is your stuff.
The honest part
We can't claim end-to-end encryption. Marvin has to be able to read your data to draw your timeline, give you insights, and answer questions in chat. Anyone who promises you a smart financial AI and full zero-knowledge encryption is bending the truth somewhere.
What we can promise is everything above: encrypted storage, extra protection on personal fields, no human browsing, no AI training on your data, no selling, no ads, real delete. That's the honest best an app like this can do — and we do all of it.
The honest version
Most privacy pages are designed to make you stop reading. We tried to write the version that, if you actually read it, leaves you knowing who can touch your stuff and what happens to it. The short answer is: you, the people you choose to give access to, and a small team here only when you ask or the law requires. That's the list.
You handed Marvin a photo of a coffee receipt. Now you know what happens to it.
The structured short version of all of this lives on our privacy page.