1. Information We Collect
We collect information you provide directly when you create an account and use SimplyExpensed:
- Account Information: Name, email address, and encrypted password
- Financial Data: Expense records, receipt images, categories, merchant names, amounts, and payment methods you enter
- Mileage Data: Odometer readings, GPS coordinates (when GPS tracking is enabled), trip destinations, and business purpose
- Device & Usage Data: IP address, browser type, device information, operating system, screen resolution, and usage patterns for security and service improvement
- Payment Information: Processed securely through Stripe — we do not store your full credit card number
Information Collected Automatically
When you use the Service, certain information is collected automatically through cookies, pixels, and similar technologies (see Section 8 below). This includes:
- Pages visited, features used, and interactions with the Service
- Referring URLs, landing pages, and exit pages
- Device identifiers and browser fingerprint data
- Approximate geographic location derived from your IP address
2. How We Use Your Information
We use your information to:
- Provide, maintain, and improve the Service
- Process and categorize your expenses using AI-powered receipt scanning
- Calculate mileage deductions using IRS standard rates
- Generate financial reports and tax summaries
- Send transactional emails (account verification, password resets)
- Detect and prevent fraud, abuse, and security threats
- Analyze usage trends to improve the Service (via Google Analytics)
- Measure the effectiveness of our advertising campaigns (via Google Ads)
- Comply with legal obligations
3. Data Storage & Security
Your data is stored on secure, encrypted servers. Receipt images are stored in encrypted cloud storage (AWS S3). Passwords are hashed using industry-standard bcrypt. We implement multiple security measures including:
- TLS/HTTPS encryption for all data in transit
- Encrypted storage for data at rest
- Brute-force detection and IP-based threat blocking
- Session tracking and audit logging
- Regular security monitoring
4. GPS & Location Data
GPS mileage tracking is entirely optional. When you choose to use GPS tracking, location data (coordinates and waypoints) is collected only during active trip recording. Location data is used solely to calculate trip distance and display route information. We do not track your location in the background or when a trip is not actively being recorded.
5. Data Sharing & Third-Party Services
We do not sell your personal information (such as your name, email, financial records, or receipt data) to third parties.
However, we use third-party services that receive certain data as part of operating the Service. We want to be fully transparent about what is shared and why:
- Stripe (Payment Processing): Receives your billing and payment information to process subscription charges. Stripe acts as an independent data controller for payment data. See Stripe's Privacy Policy.
- Amazon Web Services (AWS) (Hosting & Storage): Hosts the Service and stores encrypted receipt images on our behalf as a data processor.
- AI Processing Services: Receipt images are sent to AI services for text extraction (OCR). Images are processed in real-time and are not retained by the AI service after processing.
- Google Analytics (GA4) (Usage Analytics): We use Google Analytics to understand how users interact with the Service. Google Analytics collects data such as pages visited, session duration, device type, approximate location (from IP address), and browser information. This data is used by Google to provide us with aggregated analytics reports. Google may also use this data in accordance with its own privacy policy. See Google's Privacy Policy.
- Google Ads (Advertising & Conversion Tracking): We use Google Ads conversion tracking to measure the effectiveness of our advertising campaigns. When you arrive at SimplyExpensed through a Google ad, a conversion tracking cookie is placed on your device. If you complete certain actions (such as signing up, subscribing, or uploading your first receipt), this conversion event — along with limited data such as the action taken and its monetary value — is reported back to Google so we can understand which ads drive meaningful engagement. We do not share your name, email address, financial records, expense data, receipt images, or any other personal account information with Google Ads. Google may use conversion data in accordance with its own policies. See Google's Advertising Policies.
- Legal Requirements: We may disclose information when required by law, regulation, legal process, or governmental request.
- Business Transfers: In connection with a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before your data becomes subject to a different privacy policy.
6. Data Retention
We retain your data for as long as your account is active. If you deactivate your account, your data — including expenses, mileage logs, receipts, and financial records — is retained for seven (7) years from the date of deactivation in compliance with IRS record-keeping requirements (26 CFR § 1.6001-1). You may reactivate your account at any time during this retention period. Deleted expenses are soft-deleted (marked as removed but retained for audit and tax compliance). After the 7-year retention period, your data may be permanently purged. You may request a data export at any time by contacting us at [email protected].
7. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access and receive a copy of your personal data
- Correct inaccurate data
- Request deletion of your data
- Object to or restrict certain processing
- Opt out of advertising tracking (see Section 8 below)
- Data portability (export your data in CSV/Excel format)
To exercise these rights, contact us at [email protected].
8. Cookies, Tracking Technologies & Your Choices
We use the following types of cookies and tracking technologies:
Essential Cookies
Required for the Service to function. These manage your login session, authentication state, and security protections. You cannot opt out of essential cookies while using the Service.
Analytics Cookies (Google Analytics / GA4)
Help us understand how visitors use the Service so we can improve it. Google Analytics uses cookies and collects data including pages visited, time spent, device type, and approximate location. This data is transmitted to and processed by Google.
Advertising Cookies (Google Ads)
Used to track conversions from our Google Ads campaigns. When you arrive through a Google ad, a cookie is placed to determine whether you completed a valuable action (like signing up). This data helps us measure ad performance and allocate our marketing budget effectively. Google may use this information to show you relevant ads on other websites within the Google Display Network.
How to Manage Cookies
You have several options to control cookies and tracking:
Please note that blocking analytics or advertising cookies does not affect the core functionality of the Service.
9. Do Not Track
Some browsers transmit a “Do Not Track” (DNT) signal. There is currently no industry standard for how websites should respond to DNT signals. We do not currently alter our data collection or use practices in response to DNT signals. If a universal standard for DNT is adopted, we will update this policy accordingly.
10. Children's Privacy
The Service is not intended for children under 16 years of age. We do not knowingly collect personal information from children. If we learn that we have collected data from a child, we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy, updating the effective date, and requiring re-acceptance within the application. We encourage you to review this policy periodically.