Frequently-Asked Questions

Q. What is Secure Receipt Wallet?

Answer:

Secure Receipt Wallet is world’s first and only end-to-end encrypted tamper-resistant smart receipts and anonymously-individualized loyalty management & marketing platform backed with multiple patents (2019100146 and 2019100775). Secure Receipt Wallet includes a suite of products for different stakeholders involved in the issuance and reception of receipts in an anonymous and secure manner, facilitating full GDPR and CCPA compliance for you and your business.

  •  For end-users and buyers, we have a range of mobile apps for Android, iOS and Universal Windows Platform (UWP)
  •  For Point-Of-Sale (POS) or accounting/book keeping systems developers or for those businesses with dedicated IT/ICT capabilities, we have a range of Software Development Kits (SDKs) and Application Programming Interfaces (APIs) through our Developer’s Portal that facilitate the issuance and transfer of end-to-end encrypted receipts using the patented Secure Receipt Transfer Protocol
  • For independent or small businesses with legacy POS systems, we provide “Secure Receipt Wallet CloudConnect Agent”. Based on a patented idea, the CloudConnect Agent extracts receipt data from such legacy POS systems and adds capabilities to them to issue end-to-end encrypted smart receipts and directly deliver them to buyers, eliminating one of the biggest blocks against receipt digitization (i.e. legacy systems integration hassles)
  •  For all issuers of receipts, we provide “Receipt Issuer’s Portal” which is a web-based system that allows businesses to extract meaningful insights from their issued receipts and create loyalty management and marketing campaigns.
    One of the most novel aspects of our product suite is that via anonymous digital signatures, the Secure Receipt Transfer Protocol makes possible for a receipt recipient to sign all the receipts they receive from the same receipt issuer with the same one-way transaction marker. This novel outcome has a number of benefits, including that
    • the seller will not be able to know the identity of the buyer,
    • even Secure Receipt Wallet will not be able to know who the buyer of a receipt despite being in the position of the intermediary between receipt issuers and recipients,
    • with all receipts received by the same recipient being marked with the same marker, the receipt issuer will be able to bundle and group receipts without knowing the identity of the recipient of the receipt
    • bundling and grouping allows the issuer to extract insights from their raw sales data (e.g. whether different items have been bought together or whether there are patterns between sales items
    •  all these have become possible without ANY data processing on our back-end servers hence the end-to-end encrypted nature of the data we transfer between issuers and recipients

Q. Why does Secure Receipt Wallet exist?

Answer:

At Secure Receipt Wallet, we exist because we LOVE trees and we hate to see millions of them being killed and turned into paper receipts every year. However, we also LOVE humans and especially, we LOVE to protect OUR privacy and anonymity.

See, everything about turning live trees into paper receipts is absolutely WRONG but you have to realize that there is ONE value out of this very wrong thing that no one seems to be appreciating enough: The fact that trees are giving away their lives by being turned into receipts has resulted in you enjoying the liberty to go to your favourite shop, buy things and receive your receipts without being identified or worrying that someone in between can know all about your purchase history and use the data to benefit or even to know things about you without your knowledge and consent.

We have seen the emergence of some companies trying to solve the receipts problems (some of whom happen to be backed by some banks) but TOTALLY, maybe intentionally or unintentionally, missing the implications behind the idea of digital receipts, especially in a world of the likes of Cambridge Analytica, General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). The outcome is the same though. With their products, you will LOSE your privacy and anonymity and you have to “trust” them if you think you are not losing it.

If someone asks what the “core” of Secure Receipt Wallet as a business is, or “why” it exists, or, what is the “theory of business” for Secure Receipt Wallet, we would simply answer “to save the tress and people’s privacy and anonymity at the same time”, in other words, “to get the receipts done right”, and for that, we possess the unique competencies that differentiate us from others.

We have set the industry standard in creating end-to-end encrypted systems and we are 100% confident that our rivals and competitors will switch to our products the second they realize what we have done to make all of this possible!

We have totally eliminated the need for you to trust an intermediary who may have access to your purchase history; all you need to trust is proven cryptography science that is the foundation of information security on the plant at this point in time. With our platform, no one except you can ever know the contents of the receipts that you have received, hence preserving your privacy and anonymity as you are enjoying with paper receipts.

Q: Who are Secure Receipt Wallet customers?

Answer:

Any business or entity issuing receipts or trying to run effective loyalty management and marketing can use Secure Receipt Wallet to reach their sales/marketing goals while also contributing to the higher goal of saving trees from being turned into paper receipts.

Through our suite of products, our end users who use our mobile apps to receive their receipts and their individualized offers enjoy unmatched security, privacy and anonymity, just like paper receipts knowing that they will not provide any details when receiving receipts and that their purchase history remains available ONLY to them, not even to Secure Receipt Wallet, nor to the sellers thanks to the end-to-end encrypted transfer and storage of receipts.

Q. How secure are my passwords in Secure Receipt Wallet Receipt Issuer's Portal and Developer's Portal?

Answer:

Secure Receipt Wallet has adopted a zero-knowledge password proof protocol for authentication purposes. All our web applications, mobile apps use the Secure Remote Password (SRP) 6a for the purpose of authentication. Our POS SDKs use a custom password-less key-based authentication model without dependence on passwords. Effectively, this means we do not save your passwords in any form or shape, not even in hashed format, on our back-ends. SRP 6a uses a combination of cryptographic methods to avoid the hassles of maintaining passwords on server infrastructure with the goal to improve security. As a direct result, you can rest assured that your passwords never leave your browsers or devices (even in hashed format) and that even if you use a common password in Secure Receipt Wallet, there is literally no chance for that password to be jeopardized.

Q. You cannot know the contents of the end-to-end encrypted receipts you transfer to buyers, right? How come you can help businesses make sense of their data and reach customers with individualized loyalty management and marketing?

Answer:

This is probably the best question one can ask and can be framed as the “anonymity-individualization paradox”. In a practical example, if one is supposed to give you an individualized offer, say because you have bought 10 items from a seller, then they should know this fact about you that you have bought 10 items so that they can give you an individualized offer, right? If there remains no way for them to know that (e.g. because the data is unreadable by them), then how can they give you this individualized offer? In other words, if the buyer remain anonymous to the world, how can offers for them be individualized by the world?

The truth is that proving theories or statements about encrypted data (e.g. whether you have bought an item or not) has a long history and rich literature. Techniques like Zero-Knowledge Proofs, Ring Signatures and Bullet Proofs are being actively expanded in the field of blockchain and cryptocurrencies in the context of anonymous transaction proofs but they are all mechanisms of proving statements about encrypted data useful in a public setting.

We are the first company to solve this paradox, using a method that does not involve ANY server-side or public domain processing of your encrypted data. What this means is that your receipts get encrypted before leaving the seller’s premises and is delivered directly to your phone where the history of your purchases is securely stored using encryption keys that are stored in the hardware-backed keychain storage of your device, and are encrypted at rest.

This has become possible through our new patented concepts: Anonymous Transaction Markers and Signatures, Abstract Anonymous loyalty Management and Marketing Rules, and, client-side Offer Mining

Briefly, when a receipt is received by our apps, the app marks and signs the issuer’s copy of the receipt in an anonymous way in such a way that a) even we, Secure Receipt Wallet, can never know who the buyer in a transaction is and, b) all receipts received by the same recipient from the same issuer get marked with the same identifier while also being signed thru our anonymous digital signatures, used for proof of purchase at later stages.

Businesses then publicize a set of Abstract Anonymous Loyalty Management and Marketing Rules like “whoever buys 5 items in a month, can receive the 6th with a 10% discount”. These abstract rules get broadcast to all buyers through our mobile apps. The mobile app, WITHOUT sending anything out of your secure receipt wallet, then “pulls” these abstract rules from our servers and then applies them to your purchase history at real-time in client side, using the processing power and resources of your own phone without any server-side processing or handling of information. This means that nothing about your purchase history is ever revealed to anyone. This “rule applicability process” is called “offer mining” which results in a set of uniquely individualized offers that may be applicable to you and you only, without you revealing your purchase history to anyone.

This paradigm is designed and proposed by Secure Receipt Wallet for the first time in the world.

Q. What is end-to-end encryption?

Answer:

End-to-end encryption (E2EE) is a paradigm with which data gets encrypted and decrypted at both ends of a data transfer transaction in such a way that it becomes impossible for the intermediary who transfers the data to know what the contents of the data are. This paradigm has been widely used (and popularized by) instant messaging products (e.g. Signal Secure Messenger, WhatsApp and others). For the first time in the world, Secure Receipt Wallet has designed an end-to-end encryption and transfer protocol for receipts that brings the end-to-end encryption paradigm to the world of smart digital receipts.

Q. Do I need to download an app to receive my receipts?

Answer:

The short answer is NO.

Secure Receipt Wallet also comes as a Progressive Web App that can run in almost all modern browsers on all mobile operating systems and provides a strong subset of the features of Secure Receipt Wallet native apps, except for the fact that you do not have to download and install an app before being able to receive your receipts, if you use the Secure Receipt Wallet web app. Like all our native apps, our progressive web app also works based on end-to-end encryption and in fact follows the very same secure statement protocol as our native apps do. 

However, due to its dependency on WebCrypto API, IndexedDB and WebRTC, it can not run on all browsers. The other important fact about it is that like all other progressive web apps, it uses the storage of the device to save its data (including your receipts), not on any backend servers. As a result there are a number of important facts to consider with the web app:

  1. If your browser gets under pressure with available storage, it may actually delete locally saved data of progressive web apps (including your receipts) without informing you.
  2. Our novel implementation of our protocols in web using JavaScript provides encryption at rest based on AES256-CBC with randomly-created keys that are independent per each information item (i.e. receipt). These keys are then saved in non-extractable format in indexedDB in your local browser. Your browser, as per the WebCrypto API standards, only and only allows our app to access the keys it has persisted, not any other apps. The non-extractable keys are also un-debugable. However, we have had to trust these implementations by the browsers to bring our end-to-end encryption into web. If the browser implementation does not align to the WebCrypto API standards, the security of the encryption-at-rest model will fall apart. For this matter, we highly recommend you to use our native apps that make use the keychain storage of the device for key storage. The level of protection and security one gets out of a device's hardware-backed keychain storage is simply not comparable to non-extractable keys persisted in indexedDB in a browser.
  3. For the above reasons, we only recommend the use of our progressive web apps on a temporary basis. This is why, it will automatically guide you to install the native apps at the right stage. Its mere purpose is to eliminate a temporary need for installing our native apps that could be inconvenient in a retail store while you wait to receive your recceipts.

Q. What is a user's “Master Key” in Issuer's Portal?

Answer:

Each user in Issuer's Portal owns a master key which is generated upon the first time they log into the portal, which we have called a 'Master Key'. The generation of this key, which is a 2048-bit RSA key, is carried at client side. Secure Receipt Wallet does not hold the private component of the master key! This key is used to perform end-to-end encryption for the data that Issuer's Portal handles. In other words, using this key assures that Secure Receipt Wallet will not be able to know what the contents of Issuer's data in Issuer's Portal are hence assuring its Zero Knowledge over the data even for the web-based portal receipt issuers use.

Q. How is the “Master Key” belonging to a user in Issuer's Portal saved and handled?

Answer:

Each user in Issuer's Portal owns a master key which is generated upon the first time they log into the portal which we have named a 'Master Key'. The generation of this key, which is a 2048-bit RSA key, is carried at client side. Secure Receipt Wallet does not hold the private component of the master key! This key is used to perform end-to-end encryption for the data that Issuer's Portal handles. In other words, using this key assures that Secure Receipt Wallet will not be able to know what the contents of Issuer's data in Issuer's Portal are hence assuring its Zero Knowledge over the data even for the web-based portal receipt issuers use.

Q. My instance of 'Secure Receipt Wallet CloudConnect Agent' shows me a warning about 'processing engine needing training'. What is the message about?

Answer:

Secure Receipt Wallet CloudConnect Agent's receipt text extraction engine uses custom configuration to extract receipt data during the printing process. For this to work, it needs to be trained. The training process is necessary after the initial installation, or every time that the engine fails to extract receipt data correctly. By including a receipt in the training process, the structure of the receipt is analyzed and configuration is updated for a receipt issuer within 24 hours after the training data is updated.

Q. What is Issuer's Digital Signature?

Answer:

Secure Receipt Wallet uses a range of digital signatures in its operation for a range of reasons. When an issuer issues a receipt, it signs the contents of the receipt using its currently-active identity key (whose ID is also included in each receipt under Digital Signature Key ID). The signature assures tamper-resistance of the receipt and can be used to verify the receipt has genuinely been issued by the relevant issuer. If an issuer, re-registers a POS station, the previous public key of the POS station will still remain on the server to help with the verification of previously-issued receipts with older identity keys. The installation process will lead to a new key being generated and the Digital Signature Key ID to increment.

Q. What is Recipient's Digital Signature?

Answer:

Secure Receipt Wallet uses a range of digital signatures in its operation for a range of reasons. Upon receiving a receipt, the recipient also signs a combination of ID and timestamp of a receipt using a private key only shared between issuer and the recipient, as a private transaction singing key. As a result, during the transfer of receipt, the recipient also signs the reception of the receipt in an anonymous way. Since Secure Receipt Wallet and the issuer have zero knowledge over the identity of the recipient, this signature remains the only mechanism for the recipient to prove purchase at later stages by providing the same keys used to generate the signature in an interactive way.

Q. What is Recipient's Transaction Marker?

Answer:

When a recipient receives a receipt, a random private transaction marker is either generated (if the recipient is receiving the first receipt from an issuer), or, re-used (if it is not the first transaction between the recipient and issuer). The transaction marker can only be known to the issuer and recipient (not Secure Receipt Wallet) since its generation depends upon private keys that are not shared with Secure Receipt Wallet. These markers are then used to mark the transaction for the issuer. Having them helps the issuer bundle sale transactions and group them by the same buyer in an anonymous way. This is the key to extract extra intelligence from sales data and be able to slice and dice the data for the purpose of marketing and loyalty management, all in a zero-knowledge fashion against Secure Receipt Wallet.

Q. How does Secure Receipt Wallet handle passwords?

Answer:

Secure Receipt Wallet has adopted the 'Secure Remote Password 6a protocol' which is a zero-knowledge password proof protocol. This makes it possible for Secure Receipt Wallet to avoid having to maintain any of your credentials in any form or shape (not even in hashed format). As a result of this, you can rest assured that the chance of the password you choose with your accounts in Secure Receipt Wallet ever being exposed is almost nil.