This Privacy Policy explains how ExpenzX ("ExpenzX", "we", "us", or "our") collects, uses, stores, and protects your personal information when you use the ExpenzX application and website (together, the "Service"). We are committed to protecting your privacy and handling your data transparently in line with the UK GDPR, the Data Protection Act 2018, and, where applicable, the EU GDPR.
By using ExpenzX, you agree to the collection and use of information in accordance with this policy.
1. Information We Collect
1.1 Account Information
ExpenzX uses Google OAuth for authentication. When you sign in, we receive the following information from Google:
- Your name
- Your email address
- Your Google profile picture
- A unique Google account identifier
We never receive or store your Google password. Authentication is handled by Google. Depending on whether you use the web app or mobile app, we may process Google-issued ID tokens, access tokens, refresh tokens, and session tokens so that you can stay signed in securely.
1.2 Financial Data You Provide
ExpenzX stores the financial information you enter or upload, including:
- Income and expense transactions (date, description, category, amount, type)
- Budgets and budget categories
- Recurring transaction templates
- Receipt images you upload for scanning, including text extracted from those images
- Documents you upload to document storage (e.g. invoices, statements, PDFs, or images), together with file names, descriptions, and year-period metadata you provide
- Your settings and preferences (currency, fiscal year configuration, theme)
ExpenzX does not connect to your bank accounts. We have no access to your banking credentials or the ability to move money. All financial data is entered manually by you or extracted from receipts you choose to scan.
1.3 Mobile App Permissions
If you use the ExpenzX mobile app, we may request access to your camera, photo library, files, or local device storage so you can scan receipts, upload documents, view downloaded files, and keep your sign-in session secure. These permissions are used only when needed for the relevant app feature.
1.4 Payment Information
If you subscribe to a paid plan (Pro or Premium), payments are processed by Stripe. We do not store your full card details on our servers. We retain a Stripe customer identifier and your current subscription tier to manage your account. Please review Stripe's Privacy Policy for how they handle payment data.
1.5 Technical Information
We collect limited technical data necessary to operate, monitor, and secure the Service. This may include your last login time, IP address, device or browser information, API request metadata, error reports, diagnostic logs, and telemetry collected through Microsoft Application Insights or similar operational tools. We use this data for security, rate limiting, reliability, fraud prevention, and troubleshooting.
2. How We Use Your Information
We use your information to:
- Provide, maintain, and operate the Service
- Authenticate you and secure your account
- Process your receipts using AI (Azure Document Intelligence and Azure OpenAI) to extract amounts and suggest categories (Pro)
- Generate AI budget suggestions based on your spending history (Premium)
- Process recurring transactions on schedule (Premium)
- Generate financial reports and dashboards
- Process subscription payments and manage your plan
- Communicate with you about your account or the Service
- Monitor service health, investigate errors, and improve reliability
- Detect, prevent, and address technical issues, fraud, and abuse
3. AI Processing
ExpenzX uses Microsoft Azure AI services to enhance your experience:
- Azure Document Intelligence performs optical character recognition (OCR) on receipt images you upload.
- Azure OpenAI analyses the extracted text to suggest a category and description, and analyses your historical spending to generate budget suggestions.
Your data is processed within Microsoft Azure's enterprise infrastructure. Azure OpenAI does not use your data to train its foundation models. If AI processing is unavailable, ExpenzX falls back to non-AI methods where possible. AI-generated results may be inaccurate, so you should review extracted receipt fields, categories, and budget suggestions before relying on them.
4. How We Store and Protect Your Data
Your app data is hosted on Microsoft Azure infrastructure in the United Kingdom. Some third-party providers, such as Google and Stripe, may process account, authentication, or payment data in other regions as described in their own privacy notices.
- Transaction and account data is stored in Azure Cosmos DB.
- Receipt images and uploaded documents are stored in Azure Blob Storage.
We protect your data with:
- 256-bit AES encryption for data at rest
- TLS encryption for data in transit
- Authentication via Google OAuth with secure token validation
- Per-user rate limiting on all API endpoints
- Access controls ensuring you can only access your own data
5. How We Share Your Information
We do not sell your personal information. We share data only with the third-party service providers necessary to operate ExpenzX:
| Provider | Purpose |
|---|---|
| Authentication (OAuth sign-in) | |
| Microsoft Azure | UK data hosting, storage, operational telemetry, and AI processing |
| Stripe | Subscription payment processing |
We may also disclose information if required to do so by law or in response to valid legal requests.
6. Data Retention
We retain your data for as long as your account is active or as needed to provide the Service. You can delete individual transactions, receipts, documents, budgets, categories, and recurring transaction records inside the Service where those features are available. If you want to delete your account, contact us at support@expenzx.com. We will delete or anonymise personal data and financial records from active systems within a reasonable period, except where we need to retain limited information for legal, accounting, tax, security, backup, dispute-resolution, or fraud-prevention purposes.
7. Your Rights
If UK GDPR, EU GDPR, or similar data protection laws apply to you, you may have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data
- Export your transaction data
- Object to or restrict certain processing
- Withdraw consent at any time
- Lodge a complaint with your local data protection authority
To exercise any of these rights, contact us at support@expenzx.com.
8. Children's Privacy
ExpenzX is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
9. International Data Transfers
ExpenzX app data is hosted in the United Kingdom. Some providers we rely on, including Google and Stripe, may process limited account, authentication, payment, support, or diagnostic information outside the UK. Where personal data is transferred internationally, we rely on appropriate safeguards consistent with applicable data protection laws, such as adequacy regulations, standard contractual clauses, or equivalent transfer mechanisms.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will post the updated version on this page and revise the "Last updated" date above. Significant changes may be communicated to you directly.
11. Contact Us
If you have questions about this Privacy Policy or how we handle your data, please contact us at support@expenzx.com.