Privacy Policy
1Introduction
Welcome to Expense Atlas ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal and financial information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our expense tracking and budget management service.
Our Core Privacy Commitment:
- We will never sell your data to third parties for advertising or marketing purposes.
- Your financial data is encrypted at rest using bank-grade encryption (AES-256-GCM).
- We only use your data to provide and improve the Expense Atlas service.
- You have full control over your data, including the right to export or delete it at any time.
2Information We Collect
2.1 Information You Provide
- Account Information: Email address, password (hashed), and display name when you create an account.
- Financial Documents: Receipts, bank statements, and other financial documents you upload or forward via email.
- Transaction Data: Merchant names, amounts, dates, categories, and payment methods extracted from your documents.
- Budget Information: Budget categories, limits, and preferences you set.
- Family Information: Names of family members you add to track shared expenses.
- Payment Information: Processed securely by PayPal; we do not store your credit card numbers.
2.2 Information Collected Automatically
- Usage Data: Features used, pages visited, actions taken within the application.
- Device Information: Browser type, operating system, device type, and screen resolution.
- Log Data: IP address, access times, and referring URLs.
- Cookies: Session tokens and preferences (see Section 8).
2.3 Information from Third Parties
- Email Providers: When you forward receipts, we receive the email content and attachments.
- PayPal: Subscription status, payment confirmations, and webhook events (no card numbers).
3How We Use Your Information
3.1 Primary Purposes
- Service Delivery: Process your receipts, extract transaction data, categorize expenses, and generate reports.
- AI-Powered Features: Use Google's Gemini AI to parse receipts, normalize merchant names, and provide budget insights.
- Account Management: Authenticate your identity, manage your subscription, and process payments.
- Communication: Send service-related emails (receipts processed, subscription updates, security alerts).
3.2 Platform Improvement
- Service Enhancement: Analyze anonymized, aggregated usage patterns to improve features.
- Bug Fixes: Identify and resolve technical issues.
- AI Training: We do NOT use your personal data to train AI models. Any improvements to categorization are based on anonymized patterns.
3.3 What We Will NEVER Do
- Sell your personal or financial data to advertisers
- Share your data with data brokers
- Use your financial data for targeted advertising
- Share your spending habits with credit agencies
- Allow third parties to access your receipts or transactions
4Data Storage & Security
4.1 Encryption
Your sensitive data is protected with multiple layers of encryption:
- At Rest: Sensitive fields (merchant names, OCR text, notes, payment details) are encrypted using AES-256-GCM with unique per-user keys.
- In Transit: All data transmitted between your device and our servers is encrypted using TLS 1.3.
- Key Management: User encryption keys are managed via AWS Key Management Service (KMS), a FIPS 140-2 validated service.
4.2 Password Security
Passwords are hashed using Argon2id (OWASP recommended), the winner of the Password Hashing Competition. We never store passwords in plain text.
4.3 Infrastructure
- Database: Hosted on Supabase (PostgreSQL) with daily backups.
- Backend: Hosted on Render with automatic HTTPS.
- Email Processing: AWS SES, Lambda, and S3 (US-East-1 region).
- Session Cache: Redis with encrypted session tokens.
4.4 Access Controls
- Database encryption keys are never exposed to application code directly.
- Admin access requires separate API key authentication.
- All data access is logged for audit purposes.
5Data Sharing & Third Parties
5.1 Service Providers
We share limited data with the following service providers who help us operate Expense Atlas:
| Provider | Purpose | Data Shared |
|---|---|---|
| Google Cloud | OCR & AI processing | Receipt images (processed, not stored) |
| PayPal | Payment processing | Email, subscription status |
| AWS | Email, encryption, storage | Emails, encrypted keys |
| Supabase | Database hosting | Encrypted database records |
| Render | Backend hosting | Application logs (no PII) |
5.2 Legal Requirements
We may disclose your information if required by law, such as:
- Valid subpoena, court order, or legal process
- Fraud prevention or security investigations
- Protection of our rights or the safety of users
5.3 Business Transfers
If Expense Atlas is acquired or merged, your data may be transferred to the new entity. You will be notified via email and given the option to delete your account before the transfer.
6Your Rights
You have the following rights regarding your data:
π₯ Right to Access
Request a copy of all data we hold about you. Available via Profile β Export Data.
βοΈ Right to Rectification
Correct any inaccurate information in your account or transactions.
ποΈ Right to Deletion
Request permanent deletion of your account and all associated data.
π¦ Right to Portability
Export your data in JSON or CSV format for use elsewhere.
π« Right to Restrict
Limit how we process your data while disputes are resolved.
β Right to Object
Object to processing based on legitimate interests.
To exercise any of these rights, contact us at privacy@expenseatlas.com or use the in-app tools.
7Data Retention
- Active Accounts: Data retained while your account is active.
- Deleted Accounts: Data permanently deleted within 30 days of account deletion request.
- Backup Retention: Backups containing deleted data are purged within 90 days.
- Legal Holds: Data may be retained longer if required by law or ongoing legal proceedings.
- Anonymized Data: Aggregated, non-identifiable analytics data may be retained indefinitely.
9Children's Privacy
Expense Atlas is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us immediately at privacy@expenseatlas.com, and we will delete such information.
10International Data Transfers
Your data is processed and stored in the United States. By using Expense Atlas, you consent to the transfer of your data to the US.
For EU/EEA Users: We process your data based on:
- Contract: Processing necessary to provide the service you requested.
- Legitimate Interest: Fraud prevention, security, and service improvement.
- Consent: Optional features like AI budget analysis.
11Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be communicated via:
- Email notification to your registered address (for material changes)
- Notice posted on our website
- In-app notification banner
Continued use of Expense Atlas after changes are posted constitutes acceptance of the revised policy. The "Last Updated" date at the top of this page indicates when changes were made.
12Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
Email: privacy@expenseatlas.com
General Support: support@expenseatlas.com
We aim to respond to all privacy-related inquiries within 5 business days.
πͺπΊ Additional Rights for EU/EEA Residents
Under the General Data Protection Regulation (GDPR), you have additional rights including the right to lodge a complaint with your local data protection authority if you believe your data has been mishandled.
Our legal basis for processing: Contract performance (providing the service), Legitimate interests (security, fraud prevention), and Consent (optional AI features).
πΊπΈ California Privacy Rights (CCPA)
California residents have additional rights under the California Consumer Privacy Act:
- Right to Know: What personal information we collect and how it's used.
- Right to Delete: Request deletion of your personal information.
- Right to Opt-Out: We do not sell personal information, so this right does not apply.
- Non-Discrimination: We will not discriminate against you for exercising your rights.
To exercise your CCPA rights, email privacy@expenseatlas.com with "CCPA Request" in the subject line.
Β© 2025 Expense Atlas. All rights reserved.