Privacy Policy

1. Introduction

ExpensePro ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our expense tracking application and related services (collectively, the "Service").

By using ExpensePro, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our Service.

2. Information We Collect

2.1 Personal Information

When you create an account or use our Service, we may collect:

• Name (first and last name)
• Email address
• Phone number (optional)
• Profile image (optional)
• Password (stored securely using industry-standard hashing)

2.2 Financial & Receipt Data

To provide our expense tracking services, we collect:

• Receipt images and PDFs you upload
• Transaction details extracted from receipts (merchant names, amounts, dates, line items)
• Payment method information (card type, last four digits - we do not store full card numbers)
• Vendor information (names, addresses, phone numbers from receipts)
• Categories, tags, and notes you add to expenses
• Department and project assignments

2.3 Location Data

With your permission, we may collect:

• GPS coordinates for mileage tracking
• Addresses associated with receipts and trips
• Route information for mileage logs

You can disable location services at any time through your device settings. Some features like mileage tracking require location access to function.

2.4 Device & Usage Information

We automatically collect certain information when you access our Service:

• IP address
• Browser type and version
• Device type and operating system
• Login timestamps and session information
• Pages visited and features used
• Error logs and performance data

2.5 Organization & Team Data

For business accounts, we also collect:

• Organization name and business address
• Team member information (names, emails, roles)
• Department structures and budget information
• Approval workflows and expense policies

2.6 Survey & Onboarding Data

During account setup, we may ask about:

• Your current expense tracking methods
• Intended use cases (personal, business, team expenses)
• Team size and industry
• Monthly receipt volume

This information helps us customize your experience and improve our Service.

3. How We Use Your Information

We use the information we collect to:

• Provide the Service: Process receipts, track expenses, generate reports, and manage mileage logs
• OCR Processing: Extract text and data from receipt images using AI-powered optical character recognition
• Account Management: Create and manage your account, authenticate your identity, and process payments
• Communications: Send transactional emails (receipts, approvals, notifications), respond to inquiries, and provide customer support
• Improvements: Analyze usage patterns to improve our Service, fix bugs, and develop new features
• Security: Detect and prevent fraud, unauthorized access, and other security threats
• Legal Compliance: Comply with applicable laws, regulations, and legal processes

4. Third-Party Services & Data Sharing

We work with trusted third-party service providers to operate our Service. We do not sell your personal information to third parties.

4.1 Payment Processing (Stripe)

We use Stripe to process payments. When you subscribe to a paid plan, Stripe receives your payment card information directly. We do not store your full credit card number. Stripe's use of your information is governed by their privacy policy.

4.2 Financial Data Aggregation (Plaid)

We use Plaid Inc. to securely connect your bank accounts and credit cards for automatic transaction import. When you connect a financial account through Plaid:

• Plaid securely handles your financial institution login credentials
• Transaction history, account balances, and account details are retrieved
• We store transaction data (merchant name, amount, date, category) for expense tracking
• We do NOT store your bank login credentials or full card numbers
• Only masked card information (last 4 digits) is retained
• You can disconnect your connected accounts at any time in Settings

Plaid is a trusted financial data platform used by thousands of applications. Their handling of your data is governed by their End User Privacy Policy.

4.3 Email Communications (Resend)

We use Resend to send transactional emails (account verification, password resets, notifications, approval requests). Your email address and name are shared with Resend solely for email delivery purposes.

4.4 AI & OCR Processing (Google Gemini)

We use Google's Gemini AI to extract text and data from receipt images you upload. Receipt images are sent to Google's API for processing. Google's use of this data is governed by their privacy policy. We recommend not uploading receipts containing sensitive information beyond typical transaction details.

4.5 Maps & Geocoding (Mapbox)

We use Mapbox to display maps and convert addresses to coordinates. Address data is sent to Mapbox when you view receipt locations or track mileage.

4.6 File Storage (Vercel Blob)

Receipt images and user avatars are stored using Vercel's blob storage service. Files are stored securely and are only accessible through authenticated requests.

4.7 Hosting & Database (Vercel & Convex)

Our application is hosted on Vercel, and our database is powered by Convex. All application data is stored in these services with appropriate security measures.

4.8 Analytics (Vercel Analytics)

We use Vercel Analytics to understand how users interact with our Service. This collects anonymized usage data to help us improve performance and user experience. No personally identifiable information is collected by analytics.

4.9 Legal Disclosures

We may disclose your information if required by law, court order, or government request, or if we believe disclosure is necessary to:

• Protect our rights, property, or safety
• Prevent fraud or illegal activity
• Comply with legal obligations

5. Data Storage & Security

We implement appropriate technical and organizational measures to protect your information:

• Encryption: All data is transmitted over HTTPS/TLS encryption
• Password Security: Passwords are hashed using bcrypt and never stored in plain text
• Access Controls: Role-based access control (RBAC) limits data access to authorized users
• Audit Logging: We maintain logs of significant actions for security and compliance
• Session Management: Secure session handling with automatic expiration

While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but will notify you of any breaches as required by law.

6. Data Retention

We retain your information for as long as necessary to provide our Service and fulfill the purposes described in this policy:

• Active Account Data: Retained while your account is active
• Deleted Receipts & Mileage Logs: Moved to trash and permanently deleted after 30 days
• Audit Logs: Retained for 1 year for compliance and security purposes
• Security Logs: Retained indefinitely for fraud prevention and compliance
• Account Deletion: Upon account deletion request, all personal data is removed within 48 hours

Some information may be retained longer if required by law or for legitimate business purposes (e.g., resolving disputes, enforcing agreements).

7. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

7.1 Access & Portability

You can access most of your data directly through your account settings. You may request a copy of your personal data in a portable format.

7.2 Correction

You can update your personal information through your account settings at any time.

7.3 Deletion

You can delete individual receipts, mileage logs, and other content. You can also request complete account deletion through your privacy settings, which will remove all your personal data within 48 hours.

7.4 Consent Withdrawal

Where we rely on your consent to process data, you can withdraw consent at any time through your privacy settings.

7.5 California Residents (CCPA)

California residents have additional rights under the CCPA, including the right to know what personal information we collect, request deletion, and opt-out of the sale of personal information. We do not sell personal information.

7.6 European Residents (GDPR)

If you are in the European Economic Area, you have rights under GDPR including access, rectification, erasure, restriction, portability, and objection. To exercise these rights, contact us at privacy@expense-pro.com.

8. Cookies & Tracking

We use cookies and similar technologies for:

• Essential Cookies: Required for authentication, security, and basic functionality. These cannot be disabled.
• Analytics: We use Vercel Analytics to collect anonymized usage data. This does not track individual users or collect personal information.

We do not use advertising cookies or third-party tracking pixels. Your browser settings can be used to manage cookie preferences, but disabling essential cookies may affect Service functionality.

9. Children's Privacy

ExpensePro is not intended for children under 18 years of age. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@expense-pro.com and we will delete such information.

10. International Data Transfers

Our Service is operated from the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.

By using our Service, you consent to the transfer of your information to countries that may have different data protection laws than your country of residence. We ensure appropriate safeguards are in place for international transfers.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. For significant changes, we may also send you an email notification.

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

For privacy-related requests, please include "Privacy Request" in your email subject line and provide sufficient information for us to verify your identity.