Privacy Policy
Last updated: February 2026
SpendTrak ("we", "our", or "us") is committed to protecting the privacy of our users ("you"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and related services (collectively, the "Service").
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Email address
- Display name (optional)
- Authentication credentials (managed securely via Supabase Auth or Apple/Google sign-in)
1.2 Transaction Data
We collect financial transaction data including:
- Merchant names, transaction amounts, dates, and categories
- Receipt images you manually upload
- Budget and goal configurations you set
1.3 Device and Usage Data
We automatically collect:
- Device type, operating system, and version
- App usage patterns and feature interactions (anonymized analytics)
- Crash reports and performance data
2. How We Use Your Information
We use the information we collect to:
- Provide the Service: Process scanned receipts, categorize transactions, track budgets, and generate financial insights.
- AI Processing: Send receipt content to AI services for extraction and categorization. Receipt data is processed but not used to train AI models.
- Improve the Service: Analyze anonymized usage data to improve features and user experience.
- Communicate: Send transactional emails related to your account (e.g., password resets, subscription confirmations).
- Security: Detect and prevent fraud, abuse, or unauthorized access.
3. Third-Party Services
We use the following third-party services to operate SpendTrak:
- Supabase: Database hosting, user authentication, and serverless functions. Data is stored in Supabase-managed infrastructure with Row Level Security (RLS) policies.
- Google Gemini AI: Receipt parsing and transaction categorization. Receipt content is sent for processing; Google does not use this data for model training under our API agreement.
- OpenAI: AI financial consultant feature and advanced analysis. Conversations are processed via API and not used for training.
- Resend: Transactional email delivery (account notifications).
- RevenueCat: Subscription and in-app purchase management. RevenueCat receives anonymized purchase data.
- Sentry: Error monitoring and crash reporting. Sentry receives anonymized diagnostic data only.
4. Data Storage and Security
- All data is stored on Supabase-managed servers with encryption at rest.
- Email access tokens are encrypted with AES-256-GCM before being stored in our database.
- All data in transit is protected via TLS 1.2+.
- Database access is controlled by Supabase Row Level Security (RLS) policies, ensuring users can only access their own data.
- We perform regular security reviews and follow industry best practices.
5. Data Retention
We retain your data for as long as your account is active. If you delete your account:
- Your personal data and transaction history will be permanently deleted within 30 days.
- Anonymized, aggregated analytics data may be retained.
- Data required for legal compliance may be retained as required by law.
6. Your Rights
You have the right to:
- Access: Request a copy of all personal data we hold about you.
- Correction: Request correction of inaccurate data.
- Deletion: Request permanent deletion of your account and data.
- Export: Export your transaction data in CSV format from within the app.
- Restrict processing: Request that we limit how we use your data.
- Withdraw consent: Disconnect your email at any time from the app settings.
To exercise these rights, contact us at [email protected].
7. GDPR Compliance (European Users)
If you are in the European Economic Area (EEA), the following applies:
- Legal basis for processing: We process your data based on (a) your consent, (b) performance of a contract (providing the Service), and (c) legitimate interests (improving the Service, security).
- Data transfers: Your data may be processed outside the EEA. We ensure appropriate safeguards (Standard Contractual Clauses) are in place.
- Data Protection Officer: For GDPR-related inquiries, contact [email protected].
- Supervisory authority: You have the right to lodge a complaint with your local data protection authority.
8. CCPA Compliance (California Users)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: You can request what personal information we collect, use, and disclose.
- Right to Delete: You can request deletion of your personal information.
- Right to Opt-Out: We do not sell your personal information to third parties.
- Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
9. Cookies and Tracking
SpendTrak is a mobile application and does not use cookies. We do not use web-based tracking technologies within the app. Anonymized analytics are collected via our analytics service to improve app functionality.
10. Children's Privacy
SpendTrak is not intended for use by anyone under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected data from a child under 13, we will delete that information immediately. If you believe a child has provided us with personal data, please contact us at [email protected].
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy in the app and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.
12. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
- Email: [email protected]