Privacy Policy
Last updated: 20 April 2026
1. Introduction
Expensa ("we", "our", or "us"), operated by Andrew Sereda, is committed to protecting your privacy. This Privacy Policy explains what information is collected, how it is used, how it is shared, and what rights you have when you use our mobile application and website at expensa.andrewsereda.com (collectively, the "Service").
Please read this policy carefully. By using the Service, you agree to the practices described here. If you do not agree, please do not use the Service.
2. Information We Collect
Expensa is designed to minimise data collection. We only process the following:
- Data you enter — transactions (amount, date, merchant, notes, category, tags), accounts, budgets, recurring rules, custom merchant rules, and app preferences such as your base currency and display settings.
- Receipts and imports — photos of receipts, checks, statements, and imported files you explicitly choose to process with the AI features.
- Approximate location — used only to suggest a default currency when adding a transaction, if you grant the permission. Precise location is never stored.
- Subscription status — an anonymous app-user identifier and the Apple receipt that prove your subscription entitlement.
- Diagnostic information — only what Apple forwards to us from crash reports, if you have opted in to share these at the iOS level.
We do not collect advertising identifiers, behavioural analytics, contact lists, browsing history, or any data that would let us identify you personally.
3. How We Use Your Information
Your information is used exclusively to provide and improve the Service:
- Display your transaction history, accounts, and budgets.
- Sync your data across your devices using your personal iCloud account.
- Convert between currencies using exchange rates fetched from external services.
- Process receipts, imports, categorisation, and budget suggestions when you actively use our AI-powered features.
- Manage and verify your subscription status.
We do not use your information to train AI models, profile you, or show ads.
4. Third-Party Services
We use a small set of third-party providers, each of which processes only the minimum data necessary to perform its function. Their own privacy policies apply to the data they handle on our behalf.
- Apple iCloud / CloudKit — device-to-device sync and shared Space collaboration. Data is encrypted in transit and at rest by Apple. We have no access to your iCloud data. Governed by Apple's Privacy Policy.
- OpenExchangeRates — current currency exchange rates. Only an anonymous HTTPS request is made; no personal or financial data is sent.
- Supabase — cache layer for historical currency rate snapshots. Only anonymous read requests for exchange rate data; no user data is sent.
- RevenueCat — verifies App Store subscription entitlements using an anonymous app-user ID and Apple receipt data.
- OpenAI — powers optional AI features. Data is sent only when you actively use a feature, and only the minimum needed:
  - AI receipt & document scan — the selected receipt, check, or statement image.
  - File import (PDF, RTF, ODT, unstructured TXT) — the extracted text of the imported document.
  - Merchant categorisation — the merchant name of a transaction, your list of category names, and an optional currency hint.
  - Smart budget allocation — your chosen budget amount, currency, cycle, locale, and the list of category names in that budget.
5. How We Share Your Information
We do not sell, rent, or trade your personal information. We share data only in these limited circumstances:
- With your permission — if you invite another iCloud user to a shared Space, the data in that Space becomes visible to that specific collaborator via CloudKit sharing.
- With the third-party services listed above, solely to operate the Service.
- If required by law — to respond to valid legal process, or to protect our rights, privacy, safety, or property.
6. Data Retention and Deletion
Financial data lives on your device and in your personal iCloud account. When you delete a transaction, account, or the entire app, it is removed locally and, via CloudKit sync, from your other devices.
You can erase all Expensa data from your iCloud account at any time via iOS Settings → [your name] → iCloud → Manage Account Storage → Expensa → Delete Data. Deleting the app from your device does not automatically delete its iCloud data — use the step above to remove it.
Exchange rate snapshots cached by us and anonymous subscription records retained by RevenueCat are kept only as long as operationally necessary.
7. Tracking and Advertising
Expensa does not track you across apps or websites, does not use advertising identifiers, and does not serve advertising. The mobile app contains no third-party trackers. The website uses only the storage described in our Cookie Policy — this includes optional, opt-in Google Analytics 4 for anonymous usage statistics, which stays disabled until you consent through the on-site banner.
8. Your Rights and Choices
Because your financial data lives in your own iCloud account, you already have direct control over it. In addition, depending on where you live, you may have the following rights:
- Access — request a copy of any personal information we hold about you.
- Correction — ask us to correct inaccurate or incomplete information.
- Deletion — ask us to delete personal information, subject to limited legal exceptions.
- Portability — receive your personal information in a structured, machine-readable format.
- Object or restrict — object to or restrict certain processing.
- Withdraw consent — where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, contact us using the details at the bottom of this page. We will respond within 30 days.
9. Cookies and Website Analytics
Our website uses strictly necessary storage (theme preference and your cookie consent choice) and, if you consent, Google Analytics 4 for anonymous usage statistics. Analytics uses Google Consent Mode v2 and is disabled by default — it only runs after you opt in via the consent banner. See our Cookie Policy for the list of cookies, what they do, and how to change your preferences at any time.
10. Data Security
We take reasonable technical and organisational measures to protect your information:
- Data in transit is encrypted via HTTPS/TLS.
- Data at rest in iCloud is encrypted by Apple.
- No user financial data is ever stored on Expensa-operated servers.
- API keys for third-party services are injected at build time from a secrets file that is never committed to source control.
No method of electronic storage is 100% secure, so we cannot guarantee absolute security. If we become aware of a breach that affects your personal information, we will notify you and the relevant authorities in line with applicable law.
11. International Data Transfers
Some of our third-party providers (notably OpenAI and RevenueCat) are based in the United States. When you use AI features or manage your subscription, data may be transferred to and processed in countries outside your own, including outside the European Economic Area (EEA) and the United Kingdom. These transfers are protected by the legal mechanisms each provider maintains (such as Standard Contractual Clauses). Apple iCloud data remains subject to Apple's own cross-region arrangements.
12. Children's Privacy
The Service is not directed to children under the age of 13 (or the equivalent minimum age in your jurisdiction, such as 16 in parts of the EEA). We do not knowingly collect personal information from children. If you believe a child has provided information to the Service, please contact us and we will delete it.
13. California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act and California Privacy Rights Act give you additional rights, including:
- The right to know what personal information is collected and how it is used.
- The right to request deletion of personal information.
- The right to correct inaccurate personal information.
- The right to opt out of the sale or sharing of personal information.
- The right to non-discrimination for exercising these rights.
We do not sell or share personal information for cross-context behavioural advertising. To exercise any California rights, contact us using the details below.
14. European Privacy Rights (GDPR / UK GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, the GDPR and UK GDPR apply. The lawful bases we rely on are:
- Performance of a contract — to deliver the Service and your subscription.
- Legitimate interests — to keep the Service secure and improve it, balanced against your rights and expectations.
- Consent — where required (for example, optional cookies or access to device features).
- Legal obligation — to comply with applicable law.
You have the right to lodge a complaint with your local supervisory authority. For residents of Ukraine, similar rights apply under the Law of Ukraine "On the Protection of Personal Data".
15. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified by updating this page and, where appropriate, by an in-app or on-site notice. The "Last updated" date at the top of this page reflects the most recent change. Continued use of the Service after an update constitutes acceptance of the updated policy.
16. Contact Us
Questions or requests about this Privacy Policy or our data practices? Contact us at hello@andrewsereda.com.