// PRIVACY POLICY

What we collect and why.

Last updated: April 22, 2026
// PLAIN ENGLISH
Here's what you actually need to know.
  • Your bill content is never stored. We process it, analyze it, then destroy it.
  • We collect your email if you want your report emailed. That's it.
  • Affiliate partners set tracking cookies when you click their links. That's how we make money.
  • You can opt out of tracking via the cookie banner at the bottom of every page.
  • We don't sell your data. We don't share your bill content with anyone.
  • Email privacy@sneakyfees.com to delete your data or ask questions.
// FULL DETAILS BELOW

The full legal version, broken into chunks.

SECTION 01 Introduction

Who we are. Cypher Works LLC, operator of SneakyFees at sneakyfees.com, a Delaware limited liability company with registered office at 8 The Green, Suite B, Dover, DE 19901.

What this policy covers. How we collect, use, protect, and share data when you use our service.

Contact. privacy@sneakyfees.com.

This policy applies only to sneakyfees.com, not to any third-party sites we link to.

SECTION 02 What we collect directly from you
  • Email address. Captured via our analysis gate, stored in Supabase, retained until you unsubscribe plus 30 days.
  • Uploaded bill content. Processed through our security pipeline: SHA-256 fingerprinting, EXIF and metadata stripping, AES-256-GCM encryption with a one-time key, plaintext buffer zeroing, transient decryption only for the Claude API call, key wiping after analysis. Only the file hash and timestamps are logged. Bill content is never persisted anywhere.
  • Session and analysis metadata. Analysis ID, bill category, click events, timestamps. Retained 24 months.
  • Server logs. IP address, user agent. Via Vercel and Cloudflare. Retained 30 days.
SECTION 03 Affiliate tracking technology

When you click a partner recommendation on our site, affiliate networks and partners may set tracking cookies to attribute the click for commission purposes.

Partners that may set tracking cookies

  • CJ Affiliate (Commission Junction LLC, part of Publicis Groupe)
  • Impact.com
  • Direct affiliate partners including BillShark, Rocket Money, and others

Data these partners may collect on click

  • Cookie IDs
  • IP address and approximate location
  • User agent string
  • Click timestamp
  • Referring URL
  • Landing page URL on advertiser site
  • Subsequent transaction data if you complete a purchase
  • Cross-device tracking identifiers

Purposes

  • Attributing referrals to SneakyFees for commission
  • Cross-device tracking
  • Fraud prevention
  • Aggregated analytics

Retention

  • CJ Affiliate retains pseudonymized data for 6 years
  • Impact.com retains per their policy
  • Our direct click logs: 24 months

Partner privacy policies

Opt-out

  • Cookie consent banner on our site
  • Browser cookie controls
  • Network Advertising Initiative: optout.networkadvertising.org
  • CJ direct: 1 (833) 983-0087
SECTION 04 Cookies and similar technologies
  • We use essential cookies for session management and consent tracking.
  • Affiliate partners use tracking cookies as described in Section 3.
  • Essential cookies are always active. Non-essential tracking requires your consent via the cookie banner.
  • You can revisit your preferences via the "Cookie settings" link in the footer at any time.
SECTION 05 How we share data

Service providers we use to operate SneakyFees

  • Anthropic. Claude API processes bill content transiently.
  • Supabase. Stores metadata (not bill content).
  • Vercel. Hosting and serverless functions.
  • Cloudflare. CDN, DNS, and security.
  • Resend. Transactional email.

Other sharing

  • Affiliate partners and networks. Click data only, as described in Section 3.
  • Law enforcement. Only when legally required and with minimum data necessary.
  • Corporate transactions. Merger, acquisition, or sale of assets.

We do NOT sell user data outside the affiliate attribution context.

We do NOT share bill content with any third party. Ever.

SECTION 06 California privacy rights (CCPA/CPRA)

California residents have the right to:

  • Know what personal information we collect
  • Delete personal information
  • Opt out of "sale" or "sharing" of personal information (cookie-based affiliate tracking may be classified as sharing under CPRA)
  • Non-discrimination for exercising these rights

To exercise: email privacy@sneakyfees.com with subject "CCPA Request". We will verify your identity against our records before responding. Response time: 30 days, may extend to 45 days for complex requests.

SECTION 07 EU and UK residents

SneakyFees is a US-only service. Access from the European Economic Area and United Kingdom is blocked at the network level. We do not knowingly collect data from EU or UK residents. If you believe you have accessed the service in error, email privacy@sneakyfees.com and we will confirm no data was retained.

SECTION 08 Data security
  • Bill content security pipeline. AES-256-GCM encryption, EXIF metadata stripping, transient processing, zeroed memory buffers. Never stored.
  • Supabase. Row-level security and service-role-only writes.
  • HTTPS. Enforced across all traffic via Cloudflare.
  • We use commercially reasonable security measures, but acknowledge no system is 100% secure.
SECTION 09 Children's privacy
  • Service is not directed to children under 13.
  • We do not knowingly collect data from minors under 13.
  • If a parent or guardian believes we have collected data from a child, email privacy@sneakyfees.com. We will delete within 30 days.
SECTION 10 Data retention summary
  • Email address: Until unsubscribe + 30 days
  • Analysis metadata: 24 months
  • Bill content: Never stored
  • Server logs: 30 days
  • Affiliate click logs: 24 months
  • Partner-held tracking data: Per partner policies (CJ Affiliate retains 6 years)
SECTION 11 Changes to this policy
  • We may update this policy.
  • Changes effective when posted.
  • Check "Last updated" date at top.
  • Material changes will be announced via email to users on our list.
SECTION 12 Contact
A Cypher Works LLC product (Delaware).