Security

Tripl handles your medical receipts and expense data. Here is exactly how we protect it.

Last updated: April 27, 2026

Encryption

All data is encrypted in transit using TLS 1.2 or higher. Your receipt images and expense records are encrypted at rest with AES-256. Storage runs on Supabase, which runs on AWS.

Data isolation

Every user's data is completely isolated. Tripl uses Supabase Row Level Security (RLS) on every database table. RLS policies enforce that you can only access your own expenses, receipts, integrations, and account data. No other user can see your data through the application or through direct database queries.
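What an owner-only RLS setup of this kind can look like, as an added example rather than Tripl's own schema: the table public.expenses and its columns are assumptions, and auth.uid() is the Supabase helper that returns the caller's user ID. The final query is a check that lists any table in the public schema where RLS is not enabled.

```sql
-- Hypothetical table for illustration; Tripl's real schema is not shown on this page.
create table public.expenses (
  id          uuid primary key default gen_random_uuid(),
  user_id     uuid not null references auth.users (id) on delete cascade,
  provider    text not null,
  amount      numeric(10, 2) not null check (amount >= 0),
  incurred_on date not null
);

-- Without this statement, policies exist but are not enforced.
alter table public.expenses enable row level security;

-- With RLS enabled and no matching policy, access is denied by default.
-- Each policy below admits only rows whose user_id is the caller's own ID.
create policy "expenses_select_own" on public.expenses
  for select to authenticated
  using ((select auth.uid()) = user_id);

create policy "expenses_insert_own" on public.expenses
  for insert to authenticated
  with check ((select auth.uid()) = user_id);

-- USING limits which rows can be targeted; WITH CHECK stops a row
-- from being reassigned to another user's ID during the update.
create policy "expenses_update_own" on public.expenses
  for update to authenticated
  using ((select auth.uid()) = user_id)
  with check ((select auth.uid()) = user_id);

create policy "expenses_delete_own" on public.expenses
  for delete to authenticated
  using ((select auth.uid()) = user_id);

-- Audit: any row returned is a table in the public schema with RLS disabled.
select n.nspname as schema_name, c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind in ('r', 'p')   -- ordinary and partitioned tables
  and not c.relrowsecurity
order by 1, 2;
```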

Receipt images live in a private bucket. They are served through signed URLs, and your account is verified before a URL is generated. Even if someone guesses a file path, they cannot retrieve your receipts without owning the corresponding expense record.

Receipt storage

Your receipt images are stored in a private storage bucket scoped to your user ID. They are not publicly accessible and can only be retrieved through authenticated requests tied to your account. You can delete any receipt at any time, and the file is permanently removed from storage.

AI receipt parsing

When you upload a receipt, Tripl can use AI (Anthropic's Claude) to extract the provider name, date, amount, and category. Your receipt image is sent to Anthropic's API for processing. Anthropic does not use your data to train their models. You can read their privacy policy for details.

You can opt out of AI parsing entirely.

In Settings, toggle off "AI Receipt Parsing" and your receipts will never be sent to any third-party AI service. You can still upload receipts and enter expense details manually. The toggle applies to all upload methods: drag-and-drop, phone camera, and email forwarding.

Analytics

Tripl uses Vercel Analytics for basic page view counts. It does not use cookies and does not track individuals.

With your consent, we also use Google Analytics (GA4) to understand traffic sources and usage patterns. GA4 only loads after you accept cookies via the banner. IP addresses are anonymized. No health, expense, or receipt data is sent to Google. We do not use advertising pixels or sell your data in any way.

Data export and deletion

You own your data. From Settings you can export all expenses as a CSV file. You can also download every receipt image as a ZIP archive. You can delete your entire account and all associated data at any time. Deletion is permanent and irreversible.

Authentication

All authentication is handled by Supabase Auth. Passwords are hashed using bcrypt and never stored in plaintext. Google OAuth uses the authorization code flow with PKCE (Proof Key for Code Exchange) for secure token exchange.

Every API request is verified server-side against Supabase's auth servers. We do not rely on client-side JWT validation for authorization decisions.

Third-party integrations

If you connect Google Drive, your OAuth tokens are encrypted with AES-256-GCM before storage. Tripl requests the minimum scope needed (drive.file). It can only access files you explicitly select or that Tripl creates for backups. Tripl cannot browse your entire Google Drive.

Infrastructure

  • Hosted on Vercel (application) and Supabase (database, auth, storage)
  • Database: PostgreSQL on Supabase (AWS us-west-1)
  • Automated daily database backups with point-in-time recovery
  • Authentication: Supabase Auth with email/password and Google OAuth
  • Email: Cloudflare Email Routing (inbound), Resend (outbound)
  • Content Security Policy headers restrict script execution sources
  • X-Frame-Options: DENY prevents clickjacking
  • Strict-Transport-Security enforces HTTPS

Sub-processors

Tripl uses a small set of sub-processors. Each one is independently audited for security and compliance. Their public attestations are linked below.

Compliance scope

Tripl as a standalone entity has not completed its own SOC 2 audit. Our infrastructure providers are independently audited and listed above. We do not display compliance badges we have not earned. If you need a specific compliance assurance for your own audit or vendor review, email security@triplapp.com and we will share what we have.

HIPAA

Tripl is a personal finance tool, not a healthcare provider, health plan, or healthcare clearinghouse. HIPAA applies to these "covered entities" and their business associates. Tripl is neither. You voluntarily upload your own receipts to track expenses and manage HSA reimbursements.

Receipt images may contain health-related financial information. This data is not "protected health information" (PHI) under HIPAA (45 CFR 160.103). PHI is data created or received by a covered entity. Receipts you upload to Tripl come directly from you. We treat all uploaded data as sensitive and protect it accordingly.

Reporting a vulnerability

If you find a security issue, email security@triplapp.com. We respond within 48 hours. We do not pursue good-faith security research and will work with you on responsible disclosure.

Questions

For questions about how your data is handled, email security@triplapp.com.