Last updated: 2026-05-17

This policy describes how the ExpensesHub mobile application ("ExpensesHub", "we", "our") collects, uses, and protects your information. It reflects what the app actually does today — not aspirational practices. If anything below is unclear, write to privacy@expenseshub.app and a real person will reply.

1. The short version

  • We collect what's needed to run the app: account credentials, your records (expenses, income, fuel, categories), and an optional avatar.
  • Receipt images for new expenses are uploaded to our private Supabase Storage bucket (served via short-lived signed URLs) and are also kept on your device as an offline fallback. Older receipts saved before the May 2026 cloud-image change remain on your device only. During a scan, image bytes are sent to Google's Document AI for OCR (text extraction only); the resulting text is then sent to Anthropic's Claude to structure receipt fields. Claude does not receive the image. Neither provider retains data beyond the request.
  • We don't sell data, run ads, or share records with marketers.
  • You can export your records (Custom Report Builder PDF / CSV; Account Data Export via the Data Privacy flow) and delete your account at any time — see the Delete Account page.

2. What we collect

2.1 Account information

  • Email address and password (or Google sign-in identifier) — required to authenticate.
  • Profile name and company name — shown in the app UI; you can change them anytime.
  • Avatar image (optional) — if you upload one, it's stored in our cloud avatars storage.
  • Business profile — Trucking, Construction, Personal, etc. Determines default categories.

2.2 Records you create

  • Expenses, income, and fuel records — vendor, date, total, category, optional notes, gallons, price-per-gallon.
  • Categories, employees / drivers, vendors — names and structure you set up.
  • Workspace memberships — if you're invited to or invite someone to a workspace.

2.3 Receipt images

  • For new receipts, the captured photo is stored in our private cloud storage (Supabase Storage, private bucket) and is also kept on your device as an offline fallback. Older receipts saved before this build remain on your device only.
  • The cloud bucket is never public. Reads always go through short-lived signed URLs that are minted on demand and never persisted or logged. The image is never sent to Claude.
  • When you scan, the raw image bytes are sent to Google's Document AI (OCR) for the duration of the request only. The OCR text — not the image — is then sent to Anthropic's Claude for structured field extraction. See §4 for both processors.
  • Receipt images are visible to active members of the same workspace (Owner, Manager, allowed Member) per your team settings. Disabled or removed members cannot read the images. Members of other workspaces cannot read your images.
  • Receipt images are compressed to a document-style JPEG (≤ 1 MB; typical 150–500 KB) before upload. The original full-size phone photo is never sent to our cloud. Compression strips EXIF metadata such as GPS or camera serial.
  • Deleting a receipt removes both the database row and the corresponding cloud image (sibling-aware for split receipts).
  • Account Data Export (Settings → Privacy) covers structured account records only — it never includes receipt image bytes or storage paths. A full Backup & Restore feature is not part of v1.

2.3a Profile photos

  • Profile photos (avatars) are stored in a separate Supabase Storage bucket. Each user can only modify their own avatar. Avatars may be visible to other active members of the same workspace alongside the user's name. Removing your avatar in Profile → Photo deletes both the local copy and the cloud copy.

2.3b Gmail Import (optional)

Gmail Import is an opt-in feature. It is never enabled in the background; you must explicitly open the Gmail Import screen and tap the Connect Gmail action. We request only the read-only Gmail scope (https://www.googleapis.com/auth/gmail.readonly); we never request access to send, modify, label, or delete email.

  • When you run Gmail Import, the app searches your Gmail for receipt-style messages (subject keywords for receipt / invoice / order / payment / charge in EN / AR / ES) within a 7-, 30-, or 90-day window you choose. Each fetch lists up to 20 matching messages.
  • For each matching message, the app reads the Subject, From, and Date headers and the plain-text body (or Gmail's snippet preview if no plain-text body is available). Attachments are not downloaded.
  • The composed message text (capped at 3,000 characters) is sent through our Supabase Edge Function to Anthropic's Claude API for receipt-field extraction. Google's Document AI is not used in Gmail Import — only Claude parses email text. Claude does not retain prompts to train models on Anthropic's standard API tier.
  • The raw email body is not stored in our database. After the parse completes, the body is dropped from server memory.
  • If you choose to import a parsed result, we save a regular expense row containing the extracted vendor, amount, tax, date, and category. We also save the email Subject in the expense's notes field as "Gmail: <subject>" so you can see which email a receipt came from, and the Gmail message ID for duplicate-prevention.
  • Gmail Import counts against the same monthly Smart Scan allowance as the Document AI scanner. Deleting an imported expense does not restore allowance.
  • You can disconnect Gmail at any time from the Gmail Import screen, which clears the local OAuth token. You can also revoke ExpensesHub's access from myaccount.google.com/permissions.
  • We do not sell Gmail content. We do not use Gmail content for advertising. We do not use Gmail content for any feature unrelated to receipt import. We do not use Gmail content to train our own or any third-party AI/ML models.

2.4 What we do not collect

  • No GPS / location tracking.
  • No advertising identifiers.
  • No analytics SDKs that profile individual users.
  • No contacts, calendar, or microphone access.
  • Camera access is used only when you tap to scan a receipt.

3. How we use your information

  • Run the app: authenticate you, store your records, sync between devices when applicable.
  • Receipt extraction: send image bytes to Google's Document AI for OCR, and the resulting OCR text to Anthropic's Claude, for the duration of the request only.
  • Email notifications: transactional emails (account confirmation, password reset, team invites) and — only if you opt in — monthly summary digests of your activity.
  • Support: investigate issues you report and help you recover access.

4. Service providers (sub-processors)

We use a small set of trusted providers to operate ExpensesHub. None of them receive marketing data; each is used only for the specific job listed below.

4.1 Supabase (database, auth, storage, edge functions)

Stores your account credentials, your records, your workspace memberships, and any avatar images you upload. Row-level security restricts every query to data you're entitled to see. Operated on the EU/US infrastructure offered by Supabase. Supabase privacy policy.

4.2 Google Document AI (receipt OCR)

Receives raw receipt image bytes during a scan and returns structured fields (vendor, date, total, line items). Per Google's terms, no data is retained beyond the request. Document AI terms.

4.3 Anthropic Claude (receipt field extraction)

Receives the OCR text returned by Document AI (not the receipt image) and extracts structured fields — vendor, date, total, fuel details, classification — for the duration of the request. Claude does not receive any image bytes. Anthropic does not train on data submitted via the API. Anthropic privacy policy.

4.4 Resend (transactional email)

Delivers transactional email from notifications@expenseshub.app: account confirmations, password resets, team invites, optional monthly summaries. Resend privacy policy.

4.5 Google sign-in (optional)

If you choose to sign in with Google, Google authenticates you and shares your email address with us. We do not receive a Google password.

4.6 Gmail API — Limited Use compliance

ExpensesHub's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements:

  • Information received from Google API Services is used only to provide and improve the user-facing Gmail Import feature — detecting receipt-style emails and extracting receipt fields for your own expense records.
  • Information received from Google API Services is not transferred to others except as necessary to provide or improve those features (Anthropic Claude as receipt-parsing sub-processor; Supabase as our backend hosting), or as required by law.
  • Information received from Google API Services is not used or transferred for advertising — including retargeting, personalized advertising, or interest-based advertising.
  • Information received from Google API Services is not read by humans except (a) when you give explicit consent for support troubleshooting on a specific receipt, (b) automated processing by Anthropic Claude as the receipt parser, or (c) as required by law or security investigations.

5. Data retention

  • Account and records: retained until you delete your account.
  • Receipt images: the cloud copy (private Supabase Storage bucket) is retained until you delete the underlying expense or your account. The device-local copy is retained on your device until you delete the expense, clear app cache, or uninstall the app. Receipt data sent for a scan (image bytes to Document AI, OCR text to Claude) is not retained beyond the request.
  • Email logs: minimal metadata (recipient, send timestamp, success/failure) is retained for deliverability troubleshooting.
  • Deleted accounts: records are removed promptly after a deletion request — see Delete Account.

6. Your rights

  • Access & portability: use the Custom Report Builder for PDF / CSV report exports, or Account Data Export (Settings → Privacy) for a structured copy of your account records. Account Data Export excludes receipt image bytes and storage paths.
  • Correction: edit any record directly in the app.
  • Deletion: delete individual records in-app, or delete your account via Delete Account.
  • Withdrawal of consent: opt out of monthly summary emails in Settings; uninstall the app at any time.
  • Right to a human: email privacy@expenseshub.app for any privacy question, data request, or complaint.

7. Children

ExpensesHub is not directed to children under 13 (or the equivalent age in your jurisdiction). We do not knowingly collect data from children. If you believe a child has created an account, write to privacy@expenseshub.app and we'll remove it.

8. Security

  • All traffic between the app and our backend is encrypted with HTTPS / TLS.
  • Account passwords are hashed by Supabase Auth (bcrypt) and never stored in plain text.
  • Workspace data is gated by row-level security at the database — a user can only read or modify rows they're authorized to.
  • Team invite tokens are stored only as SHA-256(token); the raw token is sent once via email and never persisted.
  • We never share or commit secrets (API keys, service-account credentials) in source.

9. International transfers

Our providers operate globally. By using ExpensesHub you understand that your data may be processed in countries other than your own. We use providers that offer standard contractual clauses or equivalent safeguards where applicable.

10. Changes to this policy

If we change this policy materially we will note it at the top of this page and, where appropriate, in the app. The current version is dated above.

11. How to reach us