Sapoto

Privacy Policy

Last updated: February 2026

Welcome to Sapoto ("we", "us", or "our"). We are committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

1. Information We Collect

1.1 Account & Billing Data

We collect your username and email address during signup. When you subscribe to a paid plan, billing is handled directly by Stripe — we do not store your credit card details. If you use Google or Apple sign-in, we receive a unique identifier to authenticate you; this token and your login state are stored locally and are never transmitted to our servers.

1.2 Zero-Knowledge Credentials

Sapoto does not collect or store your portal passwords on any server. When you connect an integration, your credentials are encrypted using your device's native security framework (macOS Keychain-backed encryption or Windows Data Protection API) and stored locally on your device. Sapoto decrypts these only during an active automation run.

1.3 Usage & Billing Metrics

To maintain the service and manage subscriptions, we collect:

  • Device information (e.g., device type, operating system)
  • The names of integrations you have activated (e.g., "Chase Bank")
  • The total count of documents processed (for billing purposes)
  • Success and failure rates of automations to help us fix broken connectors

We do not collect account balances, transaction histories, or the files themselves.

1.4 Local Session Storage

Sapoto uses local session storage to maintain authenticated states with your service providers. This data is stored strictly on your device and is not accessible by Sapoto servers.

1.5 Diagnostic Data

To help us identify and fix issues, we collect basic telemetry data such as the integrations you use and whether certain pages loaded successfully. We do not collect any sensitive information, screenshots, or page content. All detailed logs are stored locally on your device.

If you need help debugging an issue, you can use our in-app feedback button or reach out to us directly. You may also choose to share your local logs with us to help resolve the issue, but this is always at your discretion.

1.6 Use of AI

Sapoto uses AI to navigate web portals on your behalf. Sensitive information such as account numbers, credentials, and personal identifiers are redacted on your device before anything leaves it. Sapoto also offers optional, opt-in AI document processing to extract metadata such as vendor name, date, and total amount; this can be disabled at any time in your settings. Your documents are never used for AI model training.

2. How We Use Your Information

We use your personal data for the following purposes:

  • To facilitate usage-based billing via Stripe, using document counts and integration names to ensure you are on the correct plan
  • To provide and maintain our service
  • To notify you about changes to our service
  • To provide customer support, including when you opt in to sharing local logs for debugging
  • To improve our integrations — for example, if telemetry shows a connector is failing for a large number of users, we use that data to update our automation scripts
  • To detect, prevent, and address technical issues

3. Legal Basis for Processing Personal Data

We process your personal data on the following legal bases:

  • Performance of a contract when we provide you with our services
  • Your consent, which you can withdraw at any time
  • Our legitimate interests, which are not overridden by your rights
  • To comply with legal obligations

You may withdraw your consent at any time by deleting your integrations, which will remove access and prevent any automations from running on your behalf.

4. Data Sharing and Disclosure

4.1 Data Sharing

We do not sell your personal data. We may disclose your personal information in the following situations:

  • To our payment service provider, Stripe, for processing payments
  • To comply with legal obligations
  • To protect and defend our rights or property

4.2 Data Security

Your documents, credentials, and session data are encrypted on your device and are never sent to our servers. We also implement industry-standard security measures to protect against unauthorized access, alteration, or destruction of your personal data.

5. Data Retention

We retain your personal data only for as long as necessary for the purposes set out in this Privacy Policy. We will retain and use your data to the extent necessary to comply with our legal obligations, resolve disputes, and enforce our legal agreements and policies.

Server-side data (such as your email, integration names, and usage metrics) is retained for the duration of your account. If you close your account, we will delete this data within 30 days, except where retention is required by law.

6. Your Data Protection Rights

Depending on your jurisdiction, you may have the following data protection rights:

  • The right to access, update, or delete your personal information
  • The right to rectification
  • The right to object to processing
  • The right of restriction
  • The right to data portability (because your data is stored locally, you already have full access to it)
  • The right to withdraw consent

To exercise these rights, please contact us at contact@sapoto.xyz. If you request account deletion, we will remove your email, billing records, and any associated telemetry data from our servers within 30 days. Local data on your device can be removed by deleting the Sapoto application.

7. Children's Privacy

Our service is not directed to anyone under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without verification of parental consent, we take steps to remove that information.

8. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes to our practices or for other operational, legal, or regulatory reasons. When we do, we will post the updated Privacy Policy on this page and update the "Last updated" date at the top.

We encourage you to review this Privacy Policy periodically for any updates. Your continued use of Sapoto after changes to this Privacy Policy constitutes your acceptance of those changes.

If you do not agree with the changes, you should discontinue your use of Sapoto and contact us at contact@sapoto.xyz to close your account.

We built Sapoto because we were tired of giving our bank logins to cloud companies. If you have questions about our architecture, email us at contact@sapoto.xyz.