ExpendWise — Privacy Policy
Effective date: 2026-05-24
Version: 1.0
Hosted at: https://expendwise.pro/privacy
Closed beta notice. ExpendWise is in closed beta. This policy applies to all invited TestFlight users (≤50 users in the European Union) during the beta period. We will publish a refreshed policy before general availability.
1. Who we are
ExpendWise ("we", "us", "our") provides a mobile application that helps you manage personal finances by extracting transaction data from receipts, bank statements, and other financial documents you choose to share with us.
- Controller: ExpendWise (operating as a sole-proprietor data controller during beta).
- Contact: privacy@expendwise.pro
- EU representative (during beta): the operator, contactable at the address above.
If you have questions, want to exercise a data right, or want to file a complaint, write to that address. We aim to respond within 30 days.
2. What this policy covers
This policy explains what personal data we collect when you use the ExpendWise mobile app, why we collect it, who we share it with, and your rights under the EU General Data Protection Regulation (GDPR).
The public marketing website at https://expendwise.pro collects:
- Waitlist (early access): email address, optional first name, consent timestamp, and a privacy-friendly hash of your IP address for abuse prevention. We use this only to email you about iOS TestFlight access.
- Server logs: standard technical logs from our hosting provider.
The mobile app privacy practices below apply once you create an account.
3. Data we collect
3.1 Account data
When you register, we collect:
- Email address
- Hashed password (handled by Supabase Auth; we never see the plaintext)
- For Google sign-in: your Google account email and the OAuth subject identifier
3.2 Document content
When you scan a receipt, share a PDF, or import a CSV, we receive and store:
- The original file (image, PDF, or CSV)
- Extracted structured data: merchant name, amounts, dates, line items, tax (VAT), receipt identifiers (ATCUD, receipt_id), tax-payer numbers (NIF), IBAN, BIC, card-last-4, post-transaction balance
- Categorisation labels and your manual corrections
3.3 Usage data
- Device type and OS version (to size UI and surface compatibility issues)
- Push-notification token (only if you opt in to notifications)
- Coarse application logs containing request IDs, timestamps, and edge-function names — never document content, never card numbers, never authentication tokens
3.4 What we do not collect
- Precise location (no GPS, no IP-based geolocation beyond what's in server logs)
- Contacts, calendar, microphone, or any sensor outside the camera (camera is used only when you actively trigger a scan)
- Biometric data
- Health, religious, political, or any other special-category data under GDPR Article 9
4. Why we use your data (lawful basis)
| Purpose | Lawful basis (GDPR Article 6) |
|---|---|
| Operate the service (store + display your data) | Contract — Art. 6(1)(b) |
| Extract structured data from documents you share | Contract — Art. 6(1)(b) |
| Send transactional emails (verification, password reset) | Contract — Art. 6(1)(b) |
| Send push notifications for budget alerts | Consent — Art. 6(1)(a), revocable in Settings |
| Detect duplicate transactions (dedup engine) | Legitimate interests — Art. 6(1)(f), to keep your data clean |
| Diagnose crashes and improve reliability | Legitimate interests — Art. 6(1)(f), strictly aggregated; PII scrubbed |
| Comply with legal obligations (tax authority requests) | Legal obligation — Art. 6(1)(c) |
We do not sell your data, share it for advertising, or profile you for marketing purposes.
5. Who we share data with (sub-processors)
We rely on the following sub-processors. Each is bound by a Data Processing Agreement and processes data only under our instructions.
| Sub-processor | Role | Region | Safeguard |
|---|---|---|---|
| Supabase (PostgreSQL, Auth, Storage, Edge Functions) | Hosting + auth + storage | EU (Frankfurt) | Hosted in EU; no data leaves EU |
| Anthropic (Claude API) | Vision-extraction and categorisation of your documents | US | Zero Data Retention enabled — Anthropic does not retain, train on, or persist your content beyond the API call |
| Expo (push notifications) | Routing push notifications | US | Only the device push token is shared; no document content |
| Apple (TestFlight) | App distribution during beta | US / EU | Apple Developer Agreement; Data Privacy Framework + Standard Contractual Clauses |
If we add or change a sub-processor we will update this policy and notify you.
6. Where your data lives
- At rest: in the EU (Frankfurt) on Supabase infrastructure.
- In transit to Anthropic for extraction: US, on a per-request basis, with Zero Data Retention enabled so the data is not retained after the API response. The transfer is covered by Standard Contractual Clauses (Art. 46 GDPR).
- Push notifications: push tokens (not content) routed through Expo (US), also covered by Standard Contractual Clauses.
7. How long we keep your data
| Data | Retention |
|---|---|
| Account record + transactions + documents | Until you delete your account |
| Application logs (PII filtered out) | 90 days, then deleted |
| Anthropic API call records | Not retained (ZDR enabled) |
| Backups | Rolling 30 days, then overwritten |
| Account-deletion audit trail | 12 months, minimal record (user id + timestamp), no personal content |
When you delete your account (see § 9), we purge your data within 30 days across primary storage and backups.
8. Security
- All connections use TLS 1.2 or higher.
- Passwords are hashed by Supabase Auth (bcrypt-equivalent).
- Storage objects are scoped per user via Row-Level Security; no user can read another user's files.
- Edge-function logs are filtered to redact card numbers, IBANs, NIFs, ATCUDs, email addresses, merchant names, and amounts before they're written.
- We never log authentication tokens, push tokens, or session keys in clear text.
- Backups are encrypted at rest.
In the event of a data breach affecting your personal data, we will notify the relevant supervisory authority within 72 hours and, where required, notify you directly.
9. Your rights
Under GDPR you have the right to:
- Access your data — email privacy@expendwise.pro and we will send you a CSV export within 30 days.
- Rectify inaccurate data — most fields can be edited in-app; for the rest, email us.
- Erase your data ("right to be forgotten") — email privacy@expendwise.pro from the address on your account; we verify your identity, export your data on request, then delete your account and all associated data within 30 days. A self-service "delete account" button is on our roadmap for general availability.
- Restrict processing — email us; we will pause processing while a dispute is open.
- Object to processing based on legitimate interests — email us.
- Portability — your CSV export is in a machine-readable format suitable for transfer to another service.
- Withdraw consent for notifications — toggle off in Settings; effective immediately.
- Lodge a complaint with your local supervisory authority. In Portugal this is the Comissão Nacional de Protecção de Dados (CNPD); a list of all EU authorities is at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
We do not make automated decisions that produce legal or similarly significant effects.
10. Cookies and trackers
The mobile app uses no cookies and embeds no third-party trackers, analytics SDKs, or advertising SDKs.
11. Children
ExpendWise is not directed at users under 16. We apply the strictest EU member-state digital-consent age (16; under GDPR Art. 8 the minimum can be 13-16 depending on the country, and we choose the higher bar). We do not knowingly collect data from anyone under 16. If you believe a child has provided us data, email privacy@expendwise.pro and we will delete it.
12. Changes to this policy
We may update this policy as the product evolves. Material changes will be announced in-app at next sign-in and via email. The version number and effective date at the top of this document always reflect the live policy.
This policy is provided as a plain-language summary of how ExpendWise processes personal data during its closed beta. It is not legal advice. If you need legal advice about your data rights, consult a qualified lawyer.