Privacy Policy
DATA & AI SOLUTIONS (SMC-PRIVATE) LIMITED ("Company," "we," "us," "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use Expensia (the "App").
1. Information We Collect
1.1 Information You Provide Directly
- Account information: name, email address, password (hashed)
- Financial data: expenses, income, receipts, transaction amounts, categories, payment methods, contact names
- Receipt images: photos you capture or upload for AI scanning
- Voice recordings: audio data processed for voice-to-text expense entry (processed in real-time, not stored)
1.2 Information Collected Automatically
- Device identifiers and device type
- App usage logs and error reports
- AI feature usage counts (for quota enforcement)
- Sync timestamps and device sync logs
- Location data (if you enable location-tagged receipts)
1.3 Information from Third Parties
- Authentication data from Supabase (our backend provider)
- AI processing results from our edge functions
2. How We Use Your Information
We use your information to:
- Provide, maintain, and improve the App and its features
- Process and sync your financial data across your devices (paid tiers)
- Enforce subscription quotas and tier-based feature access
- Send transactional emails (account verification, password reset)
- Analyse aggregated, anonymised usage patterns to improve the App
- Comply with legal obligations
- Prevent fraud and enforce our Terms of Service
- Respond to your support requests
3. Legal Basis for Processing (GDPR – EU/EEA/UK Users)
For users in the European Union, European Economic Area, or United Kingdom, we process your personal data under the following legal bases:
- Contractual necessity: to provide the App services you have requested
- Legitimate interests: to improve the App, prevent fraud, and ensure security
- Legal obligation: to comply with applicable laws
- Consent: where you have explicitly consented (e.g., location data)
4. Data Storage and Security
Your financial data is stored locally on your device using SQLite. Cloud sync (paid tiers) uses Supabase infrastructure with data encrypted at rest (AES-256) and in transit (TLS 1.2+).
We implement reasonable technical and organisational security measures including access controls, encryption, and regular security reviews. However, no method of transmission over the Internet or electronic storage is 100% secure.
Your data may be processed on servers located outside your country of residence, including in jurisdictions that may not provide the same level of data protection as your home country.
5. Data Retention
We retain your account and financial data for as long as your account is active or as needed to provide services.
Upon account deletion, we will delete or anonymise your personal data within 90 days, except where retention is required by applicable law or legitimate business purposes (e.g., fraud prevention records, legal holds).
Locally stored data remains on your device until you uninstall the App or manually delete it.
6. Sharing Your Information
We may share your information with:
- Service providers: Supabase (cloud infrastructure), AI processing services — under data processing agreements that restrict use to service provision only
- Legal requirements: when required by law, court order, or government authority
- Business transfers: in connection with a merger, acquisition, or sale of assets, with appropriate confidentiality protections
- With your consent: in any other circumstances with your explicit consent
We do not share your financial data with other users or third parties for their commercial purposes.
7. Your Rights and Choices
All Users
- Access and export your data through the App
- Correct inaccurate data
- Delete your account and associated data
EU/EEA/UK Users (GDPR Rights)
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure ("right to be forgotten") (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object to processing (Article 21)
- Right to lodge a complaint with your supervisory authority
California Residents (CCPA/CPRA Rights)
- Right to know what personal information we collect and how it is used
- Right to delete personal information
- Right to opt-out of sale of personal information (we do not sell personal information)
- Right to non-discrimination for exercising your rights
- Right to correct inaccurate personal information
Canadian Users (PIPEDA)
- Right to access personal information we hold about you
- Right to challenge the accuracy and completeness of your information
- Right to withdraw consent (subject to legal and contractual restrictions)
To exercise any of these rights, contact us at support@expensia.dataisol.com.
8. Children's Privacy (COPPA)
The App is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If we discover that we have inadvertently collected such information, we will delete it promptly. For users in the EU/EEA, the App is not directed to children under 16 years of age (or the applicable age of digital consent in your member state).
9. Cookies and Tracking
The mobile App does not use browser cookies. We use local device storage (SQLite) for App functionality. We do not track your activity across third-party applications or websites.
10. Third-Party Links and Services
The App may contain links to third-party websites or integrate third-party services. This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party services you access.
11. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence, including Pakistan (where our company is based) and countries where our service providers operate. Where required by law (e.g., GDPR), we ensure appropriate safeguards are in place for international data transfers, such as Standard Contractual Clauses.
12. Automated Decision-Making
We use automated processing for AI features (receipt scanning, voice parsing, financial insights). These are assistive tools — no automated decisions with significant legal effects are made solely on the basis of automated processing. You always review and confirm AI suggestions before they are saved.
13. Data Breach Notification
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and relevant supervisory authorities as required by applicable law (within 72 hours for GDPR, as soon as practicable for other jurisdictions).
14. Changes to This Privacy Policy
We may update this Privacy Policy periodically. We will notify you of material changes by updating the "Last Updated" date and, where appropriate, by in-app notification or email.
15. Contact Us
DATA & AI SOLUTIONS (SMC-PRIVATE) LIMITED
Email: support@expensia.dataisol.com
Subject line for privacy requests: "Privacy Request – Expensia"
For EU/EEA users: If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.