Privacy Policy
Last updated: January 12, 2026
Our Privacy Commitments
No Data Selling
We never sell your personal information
EU Data Storage
All data stored within the European Union
Anonymised Analytics
Only anonymised data used to improve service
1. Introduction
ExpensesGuru ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our expense management service.
We are a UK-based company and comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the EU General Data Protection Regulation (GDPR) where applicable.
2. Information We Collect
2.1 Account Information
When you register for an account, we collect:
- Email address
- Name (first name, last name)
- Password (encrypted)
- Account type preference (Personal or Business)
2.2 Financial Documents
When you use our service, you may upload:
- Receipts (images, PDFs)
- Bank statements (PDFs, CSVs)
- Invoices and other financial documents
These documents may contain personal and financial information such as names, addresses, transaction amounts, merchant names, and dates.
2.3 Usage Data
We automatically collect:
- Device information (browser type, operating system)
- IP address (anonymised for analytics)
- Pages visited and features used
- Time and date of access
3. How We Use Your Information
We use your information to:
- Provide the Service: Process your documents, extract expense data, and categorize transactions
- Improve AI Accuracy: Train our AI models using anonymised and aggregated data only
- Communicate with You: Send service updates, security alerts, and support responses
- Ensure Security: Detect and prevent fraud, abuse, and unauthorized access
- Comply with Law: Meet legal obligations and respond to lawful requests
⚠️ Important: We Do NOT
- Sell your personal information to third parties
- Share your financial data with advertisers
- Use your personal data for marketing by third parties
- Store your data outside the European Union
4. Anonymised Data for Service Improvement
To improve our AI categorization and service quality, we may use anonymised and aggregated data. This means:
- All personally identifiable information is removed
- Individual transactions cannot be traced back to any user
- Data is aggregated across many users to identify patterns
- Examples: "Coffee shops are commonly categorized as 'Dining Out'" (without any user-specific information)
This anonymised data helps us improve expense categorization accuracy and develop new features that benefit all users, while protecting your individual privacy.
5. Data Storage and Security
EU-Based Data Storage
All your data is stored on secure servers located within the European Union (specifically, in data centers in Belgium and the Netherlands operated by Google Cloud Platform).
We implement robust security measures including:
- Encryption in Transit: All data transferred using TLS 1.3 encryption
- Encryption at Rest: All stored data encrypted using AES-256
- Access Controls: Strict access controls and authentication for all systems
- Regular Audits: Periodic security assessments and penetration testing
- Secure Backups: Encrypted backups stored in separate EU locations
6. Data Sharing
We may share your information only in these limited circumstances:
6.1 Service Providers
We use trusted third-party services to operate our platform, including:
- Google Cloud Platform: Cloud infrastructure (EU data centers)
- Google Gemini AI: Document processing (data processed but not stored by Google)
All service providers are bound by data processing agreements that require them to protect your data and use it only for providing services to us.
6.2 Legal Requirements
We may disclose your information if required by law, court order, or government regulation, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
7. Your Rights
Under UK and EU data protection law, you have the right to:
- Access: Request a copy of the personal data we hold about you
- Rectification: Request correction of inaccurate or incomplete data
- Erasure: Request deletion of your personal data ("right to be forgotten")
- Restriction: Request limitation of processing in certain circumstances
- Portability: Receive your data in a structured, machine-readable format
- Object: Object to processing based on legitimate interests
- Withdraw Consent: Withdraw consent at any time where processing is based on consent
To exercise any of these rights, please contact us at privacy@expensesguru.com. We will respond within 30 days.
8. Data Retention
We retain your data as follows:
- Account Data: Retained while your account is active
- Documents: Retained until you delete them or close your account
- Expense Data: Retained while your account is active
- Usage Logs: Anonymised logs retained for up to 2 years for analytics
When you delete your account, we will delete or anonymise your personal data within 30 days, except where we are required to retain it for legal or regulatory purposes.
9. Cookies and Tracking
We use essential cookies to:
- Keep you logged in to your account
- Remember your preferences
- Ensure security of your session
We do not use third-party advertising or tracking cookies. Our analytics use anonymised, aggregated data only.
10. Children's Privacy
Our Service is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us immediately.
11. International Data Transfers
Your data is stored and processed within the European Union. In the limited cases where data may be transferred outside the EU (such as when using AI services), we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions where applicable
- Data processing agreements with all service providers
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by email or through a prominent notice on our Service. Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.
13. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, please contact our Data Protection Team:
ExpensesGuru Ltd
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data protection rights have been violated: ico.org.uk