expenseOS logo expenseOS

Privacy Policy

Last updated: June 2026 · Effective: June 2026

Your privacy is the foundation of our product. We are compliant with India's Digital Personal Data Protection (DPDP) Act 2023 and the GDPR. This policy explains, in plain language, exactly what we collect, why, and what you can do about it.

1. Who we are

expenseOS ("we", "our", "us") is a personal finance platform operated by 365 Web Developers, registered in Pune, Maharashtra, India. Our contact email is sumiet@expenseos.app.

2. Data we collect

We collect only what is necessary to provide the service:

  • Account data: Name, email address, hashed password (Argon2). Never stored in plaintext.
  • Financial data you enter: Transaction amounts, categories, merchants, account names, budget limits, savings goals. This is the data you voluntarily add to the app.
  • Usage data: Pages visited, features used, timestamps. Used to improve the product — not to build an advertising profile.
  • Device & technical data: Browser type, operating system, IP address (stored for security/fraud detection; not used for profiling).
  • AI interaction data: Queries you send to Finie, to improve answer quality. Queries are anonymized before any internal analysis.

We do not collect: bank login credentials, payment card numbers, Aadhaar numbers, PAN card numbers, or any biometric data.

3. How we use your data

  • To operate the expenseOS platform and provide features you use.
  • To generate AI insights, budgets, and recommendations through Finie.
  • To send transactional emails (account verification, alerts you configure).
  • To detect security anomalies and prevent fraud.
  • To improve product features using aggregated, anonymized data.
  • To comply with applicable laws.

We do not use your data for advertising, sell it to third parties, or use it to train generalized AI models without explicit consent.

4. AI and large language models

Finie is powered by large language models (LLMs) including Google Gemini, Anthropic, Ollama, and more. When you ask Finie a question:

  • Your query is sent to the LLM API along with anonymized financial context (aggregated amounts, not raw transactions).
  • Personally identifiable information (PII) is stripped before sending to any external LLM.
  • We do not use your data to train external AI models.
  • The LLM providers are subject to their own privacy policies and DPA regulations.

5. Data sharing

We share data with third parties only where strictly necessary:

Recipient Purpose Data shared
Resend.com Transactional email delivery Email address only
Razorpay Payment processing (Pro subscribers) Name, email, subscription details
Sentry.io Error monitoring Anonymized error logs
LLM Providers AI query processing Anonymized financial context

We do not share data with advertisers, data brokers, or government entities without a valid legal requirement.

6. Data security

  • All data in transit is encrypted with TLS 1.3.
  • Sensitive database fields (API tokens) are additionally encrypted at rest using field-level encryption.
  • Passwords are hashed using Argon2 — the strongest standard password hashing algorithm.
  • Access to production systems is restricted to key-based SSH only. Passwords are disabled.
  • We maintain an immutable audit log of all data access events.
  • We conduct periodic security reviews and plan to perform third-party penetration testing before public launch.

7. Data retention

We retain your data for as long as your account is active. If you delete your account:

  • All personal data is permanently deleted within 30 days.
  • Anonymized, aggregated statistical data (with no link to your identity) may be retained for product analytics.
  • Audit logs are retained for 7 years for legal compliance.

8. Your rights

Under the DPDP Act 2023 and GDPR, you have the right to:

  • Access: Request a copy of all personal data we hold about you.
  • Correction: Request correction of inaccurate data.
  • Erasure: Request deletion of all your personal data ("right to be forgotten").
  • Portability: Request your data in a machine-readable format (CSV/JSON).
  • Objection: Object to specific processing activities.
  • Withdraw consent: Withdraw consent for optional processing at any time.

To exercise any of these rights, email us at sumiet@expenseos.app. We will respond within a week.

9. Cookies

We use only essential cookies required to operate the service:

  • Session cookie: Keeps you logged in.
  • CSRF token: Protects against cross-site request forgery attacks.

We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

10. Children's privacy

expenseOS is not directed at children under 18. We do not knowingly collect data from anyone under 18. If we discover we have inadvertently collected such data, we will delete it immediately.

11. Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you by email and display a prominent notice in the app at least 14 days before changes take effect. Continued use of expenseOS after that date constitutes your acceptance of the updated policy.

12. Contact us

For any privacy-related questions or to exercise your rights, contact our Data Protection point of contact at:

expenseOS

Pune, Maharashtra, India

sumiet@expenseos.app