Privacy Policy

Last updated: March 2026

1. Introduction

SPENDI ("we", "us", or "our") is committed to protecting your personal information. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data when you use the SPENDI mobile application.

2. Information We Collect

Account Information

When you sign in with Google or Apple, we receive your email address and display name. We do not store your password — authentication is managed by Firebase Auth.

Expense Data

All expense entries, categories, notes, amounts, and transaction dates you create are stored in your personal account. This data is yours and is never shared with third parties for commercial purposes.

Device & Usage Information

We collect anonymized crash reports and device identifiers (OS version, device model) solely to improve app stability. We do not track user behavior for advertising purposes.

Receipt Images

When you use the receipt scanner feature, images are temporarily processed by Google ML Kit on-device for OCR text extraction. Receipt images are not permanently stored on our servers unless you explicitly save them.

3. How We Use Your Information

  • Provide, maintain, and improve the SPENDI service
  • Authenticate your identity and manage your account sessions
  • Sync your expense data across your devices
  • Diagnose crashes and fix technical issues
  • Send important service updates and security notifications

4. Data Storage & Security

Your expense data is stored in Supabase with row-level security (RLS) enabled — only you can read or write your own records. Authentication tokens are managed by Firebase Auth. All data in transit is encrypted with TLS 1.3, and data at rest uses AES-256 encryption.

  • Supabase: Postgres + RLS
  • Firebase: Auth & Sessions
  • AES-256: Data at rest

5. Third-Party Services

SPENDI uses the following third-party services. Each has its own privacy policy:

Firebase Auth (Google) – Handles sign-in with Google and Apple. Subject to Google's Privacy Policy.
Supabase – Cloud database hosting your expense records. Data is stored in US-based data centers with GDPR compliance.
Google ML Kit – On-device OCR for receipt scanning. Processed locally; no data sent to Google's servers for this feature.
RevenueCat – Manages in-app subscription purchases. Handles transaction validation only; no financial data is stored by SPENDI.

6. Data Retention

We retain your data for as long as your account is active. If you delete your account, all associated expense records, categories, and profile information are permanently deleted within 30 days. Anonymized, aggregated usage statistics may be retained for up to 2 years for analytics purposes.

7. Your Rights

You have the following rights regarding your personal data:

  • Access: Request a copy of all your data
  • Delete: Permanently remove your account and all data
  • Export: Download your data in CSV or JSON format

To exercise these rights, use the in-app settings or contact us at support@spendi.app.

8. Children's Privacy

SPENDI is not intended for children under the age of 13. We do not knowingly collect personal information from children. If you believe a child under 13 has provided us with personal data, please contact us immediately so we can delete it.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top and notify you via in-app notification or email for significant changes. Continued use of SPENDI after changes constitutes your acceptance of the updated policy.

10. Contact Us

If you have questions about this Privacy Policy or your data, please reach out:

support@spendi.app