Privacy Policy

Version 1.0 — Effective May 7, 2026

1. Information We Collect

We collect information you provide directly when you create an account and use SimplyExpensed:

  • Account Information: Name, email address, and encrypted password
  • Financial Data: Expense records, receipt images, categories, merchant names, amounts, and payment methods you enter
  • Mileage Data: Odometer readings, GPS coordinates (when GPS tracking is enabled), trip destinations, and business purpose
  • Device & Usage Data: IP address, browser type, device information, and usage patterns for security and service improvement
  • Payment Information: Processed securely through Stripe — we do not store your full credit card number

2. How We Use Your Information

We use your information to:

  • Provide, maintain, and improve the Service
  • Process and categorize your expenses using AI-powered receipt scanning
  • Calculate mileage deductions using IRS standard rates
  • Generate financial reports and tax summaries
  • Send transactional emails (account verification, password resets)
  • Detect and prevent fraud, abuse, and security threats
  • Comply with legal obligations

3. Data Storage & Security

Your data is stored on secure, encrypted servers. Receipt images are stored in encrypted cloud storage (AWS S3). Passwords are hashed using industry-standard bcrypt. We implement multiple security measures including:

  • TLS/HTTPS encryption for all data in transit
  • Encrypted storage for data at rest
  • Brute-force detection and IP-based threat blocking
  • Session tracking and audit logging
  • Regular security monitoring

4. GPS & Location Data

GPS mileage tracking is entirely optional. When you choose to use GPS tracking, location data (coordinates and waypoints) is collected only during active trip recording. Location data is used solely to calculate trip distance and display route information. We do not track your location in the background or when a trip is not actively being recorded.

5. Data Sharing

We do not sell, rent, or trade your personal information. We may share limited data with:

  • Service Providers: Stripe (payments), AWS (hosting/storage), and AI processing services — only as necessary to operate the Service
  • Legal Requirements: When required by law, regulation, legal process, or governmental request
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, with notice to you

6. Data Retention

We retain your data for as long as your account is active. Deleted expenses are soft-deleted (marked as removed but retained for audit and tax compliance purposes for up to 7 years). You may request permanent deletion of your account and all associated data by contacting us at [email protected].

7. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access and receive a copy of your personal data
  • Correct inaccurate data
  • Request deletion of your data
  • Object to or restrict certain processing
  • Exercise data portability (export your data in CSV/Excel format)

To exercise these rights, contact us at [email protected].

8. Cookies & Analytics

We use essential cookies for authentication and session management. We use Google Analytics (GA4) to understand how users interact with the Service. Analytics data is anonymized and used in aggregate form only. You can opt out of Google Analytics using browser extensions.

9. Children's Privacy

The Service is not intended for children under 16 years of age. We do not knowingly collect personal information from children. If we learn that we have collected data from a child, we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy and updating the effective date. We encourage you to review this policy periodically.

11. Contact

For privacy-related inquiries, contact us at [email protected].