PRIVACY POLICY
THE WORLD'S LONGEST RECEIPT
WORLDSLONGESTRECEIPT.COM
============================================================
EFFECTIVE DATEMARCH 2026
LAST UPDATEDMARCH 2026
------------------------------------------------------------
THE SHORT VERSION
We collect your email (via Stripe, for your receipt).
We collect your line text (to put on the receipt).
We collect your images (if you upload one).
We use cookies (essential + analytics).
We screen content via automated moderation.
We never sell your data. Period.
------------------------------------------------------------
§1WHO WE ARE
The World's Longest Receipt ("the Service," "the Site") is operated by [YOUR FULL LEGAL NAME], a sole proprietorship, doing business as The World's Longest Receipt. Our principal place of business is [YOUR BUSINESS ADDRESS OR REGISTERED AGENT ADDRESS].
This Privacy Policy explains what personal data we collect, why we collect it, the legal basis for processing it, who we share it with, and what rights you have. It applies to all visitors and users of worldslongestreceipt.com.
Questions? Email [PRIVACY EMAIL]
------------------------------------------------------------
§2WHAT WE COLLECT
THINGS YOU GIVE US:
▸Email address — collected by Stripe at checkout. Used for payment confirmation and order fulfillment. Never displayed publicly. Basis: contract performance.
▸Display name— optional. Only shown publicly if you choose "Show my name." Otherwise you're anonymous. Basis: your consent (opt-in).
▸Line item text — your qty label, item name, and display price. This content is displayed publicly on the receipt. Basis: contract performance (this is the product you purchased).
▸Uploaded images — if you buy an image line, your thumbnail is displayed publicly on the receipt. Accepted formats: JPG, PNG, GIF. Images are cropped to a square. Basis: contract performance.
THINGS WE COLLECT AUTOMATICALLY:
▸Payment information — handled entirely by Stripe. We never see, store, or process your card number, CVV, or billing address. Stripe is a PCI-DSS Level 1 certified payment processor. Basis: contract performance.
▸Analytics data — PostHog collects pseudonymized usage data including pages visited, clicks, device type, browser type, and approximate geographic region. PostHog may set cookies (see §6). Basis: legitimate interest (improving the Service).
▸Server logs— our hosting provider Vercel automatically logs IP addresses, request timestamps, URLs accessed, and HTTP headers. These logs are retained per Vercel's data retention policies. Basis: legitimate interest (security, debugging).
THINGS PROCESSED FOR AUTOMATED MODERATION:
▸Your text → sent to the OpenAI Moderation API for automated content screening. OpenAI processes this data solely for classification and does not use it for model training. OpenAI may retain data for up to 30 days for abuse monitoring per their data usage policy. Basis: legitimate interest (enforcing content guidelines, legal compliance).
▸Your image → sent to AWS Rekognition for automated content screening (NSFW/offensive detection). AWS processes images solely for classification and does not retain images after processing unless required by their service terms. Basis: legitimate interest (enforcing content guidelines, legal compliance).
What is "legal basis"?Under laws like the GDPR (Europe) and similar regulations, we must have a valid reason to process your data. We've listed the basis for each data type above. "Contract performance" means we need the data to deliver what you paid for. "Legitimate interest" means we have a reasonable business need that doesn't override your rights. "Consent" means you actively opted in.
------------------------------------------------------------
§3HOW WE USE IT
WE DO:
▸Display your line on the receipt (that's the product)
▸Send your payment confirmation (via Stripe)
▸Screen content for policy violations using automated moderation tools (see §2). Submissions that are flagged may be automatically held for review or rejected. This is an automated decision — see §3a below.
▸Generate share card images containing your line text, line number, and display name (if opted in). These images are hosted on Cloudflare R2 and are publicly accessible via URL. They may be shared on social media platforms by you or others.
▸Analyze aggregate, non-identifying usage data to improve the site
▸Calculate and publish aggregate donation totals on our transparency page (e.g., total gross revenue, total meals funded). Individual purchase amounts are never disclosed.
WE NEVER:
▸Sell, rent, or trade your personal data to anyone, for any reason, ever.
▸Send unsolicited marketing emails. We do not maintain a marketing mailing list.
▸Build advertising profiles.We don't run ads and have no ad partners.
▸Use your data for AI/ML model training. Your content is not used to train any AI models.
§3a — AUTOMATED DECISION-MAKING:
We use automated systems (OpenAI Moderation API and AWS Rekognition) to screen submitted content against our Content Guidelines. These systems may automatically flag, hold, or reject content that violates our policies. If your submission is rejected by automated moderation, you will be notified and may contact [PRIVACY EMAIL] to request a manual human review. Refunds for rejected submissions are handled per our Terms of Service.
------------------------------------------------------------
§4WHAT'S PUBLIC VS PRIVATE
VISIBLE TO EVERYONE:
▸Your line text (qty label, item name, display price)
▸Your uploaded image (if image tier)
▸Your display name (only if you opted in at checkout)
▸Your line number on the receipt
▸Your share card image (a generated image containing your line details, hosted publicly)
NEVER VISIBLE:
▸Your email address
▸Your payment details or the amount you paid
▸Your IP address or precise location
Important: Once published, your line content and share card image are publicly accessible on the internet. Third parties (search engines, social media platforms, other users) may cache, screenshot, or redistribute this public content. We cannot control third-party use of publicly displayed information.
------------------------------------------------------------
§5WHO ELSE SEES YOUR DATA
We share personal data only with the following service providers ("sub-processors"), only for the purposes listed, and only under data processing agreements that require them to protect your data:
CLOUDFLARE R2Image/media storage
OPENAIAutomated text moderation
AWS REKOGNITIONAutomated image moderation
Each of these providers operates under their own privacy policy and data processing terms. We have reviewed their terms and, where applicable, executed data processing agreements (DPAs) to ensure your data is handled appropriately.
We do not sell your data. We may disclose personal information if required by law, legal process, or government request, or to protect the rights, property, or safety of the Service, our users, or the public.
------------------------------------------------------------
§6COOKIES & TRACKING
We use a limited number of cookies and similar technologies. Here's exactly what they are:
ESSENTIAL COOKIES (required):
▸Stripe checkout session — a temporary cookie set during the payment flow. Necessary to complete your purchase. Expires when the session ends. Cannot be disabled without breaking checkout.
ANALYTICS COOKIES (optional):
▸PostHog — sets first-party cookies to track pseudonymized session data (pages viewed, clicks, device type, approximate region). PostHog does not track you across other websites. These cookies persist for up to 1 year.
Your choices:You can disable non-essential cookies through your browser settings. You can also opt out of PostHog analytics by enabling a "Do Not Track" signal in your browser. Disabling essential cookies may prevent checkout from functioning.
For EU/UK visitors: Analytics cookies are loaded only after you provide consent via our cookie banner. If you decline, only essential cookies are used.
------------------------------------------------------------
§7HOW LONG WE KEEP IT
▸Line content (text + images) and display names — retained permanently. This is the core product: purchased lines are intended to be permanent entries on the receipt. The legal basis for permanent retention is that the published line constitutes the delivered product under your purchase agreement.
▸Share card images — retained as long as the corresponding line exists on the receipt.
▸Email addresses — retained as long as the receipt exists and your account is associated with a line. You may request disassociation (see §8).
▸Payment records — retained by Stripe per their data retention policy and as required by applicable tax and financial reporting laws (typically 7 years).
▸Moderation logs — retained indefinitely for audit trail and legal compliance purposes.
▸Analytics data— retained per PostHog's default retention settings. You can review PostHog's retention policy at posthog.com/privacy.
▸Server logs— retained per Vercel's data retention policies (typically up to 30 days).
------------------------------------------------------------
§8YOUR RIGHTS
Depending on where you live, you may have the following rights regarding your personal data. We honor these rights regardless of your location wherever reasonably practicable:
ALL USERS:
▸Access — request a copy of the personal data we hold about you.
▸Correction — request correction of inaccurate personal data.
▸Opt out of analytics — disable PostHog tracking via browser settings or Do Not Track.
▸Anonymization — request that your email be disassociated from your line and your display name be removed, making your line fully anonymous.
ADDITIONAL RIGHTS FOR EU/UK RESIDENTS (GDPR):
▸Erasure ("right to be forgotten") — request deletion of your personal data, subject to the limitations below.
▸Restriction — request that we limit how we process your data.
▸Portability — receive your personal data in a structured, machine-readable format.
▸Object — object to processing based on legitimate interest.
▸Withdraw consent — where processing is based on consent (e.g., display name, analytics cookies), you may withdraw consent at any time.
▸Complaint — lodge a complaint with your local data protection authority (e.g., the ICO in the UK, CNIL in France).
ADDITIONAL RIGHTS FOR CALIFORNIA RESIDENTS (CCPA/CPRA):
▸Right to know— request details about the categories and specific pieces of personal information we've collected about you.
▸Right to delete — request deletion of personal information, subject to exceptions.
▸Right to opt out of sale/sharing— we do not sell or share (as defined by the CCPA) your personal information. No opt-out is necessary, but we honor any "Do Not Sell or Share" browser signals (e.g., Global Privacy Control).
▸Right to non-discrimination — we will not discriminate against you for exercising your CCPA rights.
Limitation on content deletion: Purchased line content (text and images) is the delivered product of your transaction and is intended to be permanently displayed on the receipt. Under applicable law, we may retain this content as necessary to fulfill the contract and to maintain the integrity of the public record that constitutes the Service. However, you may request that we: (1) disassociate your email address from your line, (2) remove your display name, and (3) remove any link between your identity and your line. This effectively makes your line anonymous while preserving the receipt. To make any request, contact [PRIVACY EMAIL].
We will respond to all verifiable rights requests within 30 days (or 45 days for complex requests, with notice). To verify your identity, we may ask you to confirm the email address associated with your purchase.
------------------------------------------------------------
§9CALIFORNIA PRIVACY DISCLOSURES
The following disclosures are provided pursuant to the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
CATEGORIES OF PERSONAL INFORMATION COLLECTED:
▸Identifiers — email address, display name (if provided), IP address
▸Commercial information — records of purchases (line purchases, tier selected)
▸Internet or network activity — browsing history on our Site, interaction data, device/browser information
▸Geolocation data — approximate location (via IP address and analytics)
▸User-generated content — line item text, uploaded images
Sale/sharing: We do not sell your personal information as defined by the CCPA. We do not share your personal information for cross-context behavioral advertising. We have not sold or shared personal information in the preceding 12 months.
Sensitive personal information: We do not knowingly collect sensitive personal information as defined by the CCPA (e.g., Social Security numbers, financial account details, precise geolocation, racial/ethnic origin).
------------------------------------------------------------
§10CHILDREN'S PRIVACY
The Service is not directed to and is not intended for use by children. We do not knowingly collect personal data from children under 16 years of age. This threshold reflects the higher age requirements under GDPR in certain EU member states.
The Service requires a financial transaction (credit/debit card via Stripe) to participate, which itself requires users to be of legal age to enter into a contract.
If you believe a person under 16 has used the Service or that we have collected data from a child, please contact [PRIVACY EMAIL] immediately. We will promptly investigate and delete any data confirmed to belong to a child.
------------------------------------------------------------
§11INTERNATIONAL DATA TRANSFERS
The Service is operated from the United States. If you access the Service from outside the US, your personal data will be transferred to and processed in the United States, which may have different data protection standards than your country of residence.
For EU/UK/EEA residents:Where your data is transferred outside the European Economic Area, we rely on one or more of the following safeguards: (a) Standard Contractual Clauses (SCCs) approved by the European Commission, (b) the data recipient's participation in a recognized certification framework (such as the EU-US Data Privacy Framework), or (c) other lawful transfer mechanisms. Our sub-processors (Stripe, Supabase, Vercel, PostHog, Cloudflare, OpenAI, AWS) each maintain their own GDPR-compliant data processing agreements and transfer mechanisms, details of which are available in their respective privacy policies.
By using the Service, you acknowledge that your data will be processed in the United States and potentially in other jurisdictions where our sub-processors operate.
------------------------------------------------------------
§12SECURITY
We implement reasonable technical and organizational measures to protect your personal data, including:
▸HTTPS encryption for all data in transit
▸Database-level access controls via Supabase Row-Level Security (RLS)
▸No direct handling of payment card data (processed exclusively by Stripe, a PCI-DSS Level 1 certified provider)
▸Access to production systems restricted to authorized personnel
▸Regular review of sub-processor security practices
No system is 100% secure. While we take reasonable measures to protect your data, we cannot guarantee absolute security of data transmitted to or stored by the Service.
DATA BREACH NOTIFICATION:
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will: (1) notify affected users via email within 72 hours of becoming aware of the breach (where feasible), (2) notify the relevant supervisory authority as required by applicable law, and (3) provide information about what data was affected and what steps we are taking in response.
------------------------------------------------------------
§13CHANGES TO THIS POLICY
We may update this Privacy Policy from time to time. When we do:
▸The "Last Updated" date at the top of this page will change.
▸For material changes (new categories of data collected, new third-party processors, changes to your rights), we will post a prominent notice on the Site at least 30 days before the changes take effect.
▸If we have your email address and the changes materially affect how we use your data, we will make reasonable efforts to notify you by email.
▸Your continued use of the Service after the updated policy takes effect constitutes acceptance of the revised terms.
------------------------------------------------------------
§14CONTACT
For privacy questions, data requests, or to exercise any of the rights described in this policy:
▸Email: [PRIVACY EMAIL]
▸Mailing address: [YOUR BUSINESS ADDRESS OR REGISTERED AGENT ADDRESS]
Please include "Privacy Request" in your subject line to help us route your inquiry. We will acknowledge your request within 5 business days and respond substantively within 30 days.
============================================================
WE MADE THIS READABLE ON PURPOSE
BECAUSE NOBODY READS PRIVACY POLICIES
AND WE THINK THAT'S A PROBLEM
============================================================