Introduction
ExpenseBuddy ("we," "our," or "us") is a personal finance and expense-splitting application designed for iOS, developed by Surajit Roy (sole proprietor/individual developer). This Privacy Policy describes how we collect, use, store, and protect your personal information when you use our mobile application ("App") and related services.
This Privacy Policy applies to all users of ExpenseBuddy worldwide, including users in the European Economic Area (EEA), United Kingdom (UK), United States (including California), Canada, India, United Arab Emirates (UAE), and all other jurisdictions where the App is available.
By downloading, installing, or using ExpenseBuddy, you acknowledge that you have read and understood this Privacy Policy. Where required by applicable law, we will obtain your consent before collecting or processing your personal data. If you do not agree with the terms of this Privacy Policy, please do not use the App.
Commitment: We are committed to protecting your privacy and ensuring transparency about our data practices. We adhere to the principles of data minimization, purpose limitation, and storage limitation, collecting only information that is necessary to provide and improve our services.
Data Controller Information
For the purposes of applicable data protection laws (including the EU General Data Protection Regulation, UK GDPR, and other applicable privacy laws), the data controller is:
Surajit Roy (Individual Developer)
Operating as: ExpenseBuddy
Email: surajitroy9064@gmail.com
If you are a resident of the EEA/UK and have concerns about our data processing that we cannot resolve, you have the right to lodge a complaint with your local Data Protection Authority (DPA).
Information We Collect
We collect the following categories of information to provide and improve ExpenseBuddy:
3.1 Information You Provide Directly
| Data Type | Details | Purpose |
|---|---|---|
| Account Information | Full name, email address, mobile number (optional), profile picture | Account creation, identification, friend matching |
| Authentication Credentials | Email/password or Google Sign-In token | Secure login and account access |
| Expense Data | Expense titles, amounts, categories, notes, dates, payment records | Expense tracking and splitting |
| Group Data | Group names, types (Home, Trip, Office, Couple, Other), member lists | Collaborative expense management |
| Friend Connections | Friend relationships and associated balances | Social expense splitting |
| Settlement Records | Settlement amounts, participants, and dates | Balance reconciliation |
| Recurring Expense Templates | Recurring expense configurations (weekly, monthly, yearly) | Automated expense creation |
| Budget Data | Category budgets and spending limits | Budget tracking and alerts |
3.2 Information Collected Automatically
| Data Type | Details | Purpose |
|---|---|---|
| Device Tokens | Firebase Cloud Messaging (FCM) device token | Push notification delivery |
| App Preferences | Dark mode setting, notification preferences, currency preference | Personalized user experience |
| Purchase Records | In-App Purchase transaction status (premium/non-premium) | Feature access management |
| Advertising Identifier (IDFA) | Collected only with your explicit consent via App Tracking Transparency | Personalized advertising (non-premium users only) |
3.3 Camera & Photo Access
ExpenseBuddy may request access to your device camera or photo library for the following purposes:
- AI Receipt Scanner: Photographs of receipts are processed entirely on your device using Apple's Vision framework (on-device OCR). Receipt images are never uploaded to our servers or transmitted over the internet.
- Profile Picture: If you choose to set a custom profile picture, the image is stored securely and shared only with your added friends and group members.
On-Device Processing: Our AI Receipt Scanner uses Apple's Vision framework to perform optical character recognition (OCR) entirely on your device. No receipt images or extracted text are sent to any external server.
3.4 Information We Do NOT Collect
We want to be transparent about data we do not collect:
- We do not collect your precise geolocation or GPS data
- We do not access your contacts, address book, or call logs
- We do not collect health, biometric, or genetic data
- We do not collect payment card numbers, bank account details, or financial instrument information
- We do not record, monitor, or analyze your browsing history outside the App
Legal Basis for Processing
EU/EEA UK Under the General Data Protection Regulation (GDPR) and UK GDPR, we process your personal data on the following legal bases:
| Legal Basis | Processing Activity |
|---|---|
| Performance of Contract (Art. 6(1)(b) GDPR) | Account creation, authentication, expense tracking, expense splitting, group management, friend connections, settlement tracking, push notifications, in-app purchase management, data synchronization |
| Consent (Art. 6(1)(a) GDPR) | IDFA collection for personalized advertising (via Apple ATT), push notification delivery, optional profile picture upload, optional phone number |
| Legitimate Interest (Art. 6(1)(f) GDPR) | App security and fraud prevention, service improvement through anonymized analytics, ensuring financial integrity of shared group ledgers upon account deletion |
| Legal Obligation (Art. 6(1)(c) GDPR) | Compliance with applicable legal requirements, responding to lawful requests from authorities |
Where we rely on consent, you may withdraw your consent at any time by contacting us or adjusting your device settings. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
How We Use Your Information
We use the information we collect for the following purposes:
- Account Management: To create and manage your account, authenticate your identity, and maintain your profile
- Core Functionality: To calculate shared expenses, splits (equal, unequal, percentage, or exact), track balances, and synchronize data across your devices
- Friend Matching: To match your email address with other users so you can connect with friends and split expenses together
- Group Management: To manage collaborative expense groups and ensure all members can view shared expenses and balances
- Push Notifications: To deliver payment reminders, new expense alerts, and settlement confirmations via Firebase Cloud Messaging
- Recurring Expenses: To automatically create recurring expense entries based on your configured schedules (Premium feature)
- Budget Tracking: To monitor your spending against category budgets and provide alerts (Premium feature)
- PDF Reports: To generate downloadable expense reports for groups and friends (Premium feature)
- Advertising: To display relevant advertisements to non-premium users through Google AdMob
- In-App Purchases: To manage your premium subscription status and unlock premium features
No Automated Decision-Making: We do not use your personal data for automated decision-making or profiling that produces legal effects or similarly significant effects on you.
Advertising & App Tracking Transparency
ExpenseBuddy displays advertisements to non-premium users through Google AdMob. We respect your choices regarding ad personalization:
- App Tracking Transparency (ATT): On iOS 14.5 and later, we request your explicit permission before accessing your device's Advertising Identifier (IDFA) for ad personalization. You may decline this request at any time.
- If you allow tracking: Google AdMob may use your IDFA and device information to serve personalized advertisements based on your interests and activity across other apps and websites.
- If you deny tracking: You will still see advertisements, but they will not be personalized to your interests. We will not access your IDFA.
- Premium Users: If you upgrade to ExpenseBuddy Premium, all advertisements are permanently removed, and no advertising-related data is collected or processed.
Your Choice: You can change your tracking preference at any time in your device's Settings → Privacy & Security → Tracking.
EU/EEA For users in the European Economic Area, personalized ads are only served with your explicit consent in compliance with the ePrivacy Directive and GDPR. If you do not provide consent, only non-personalized ads will be shown.
CALIFORNIA California residents may opt out of the "sale" or "sharing" of personal information for advertising purposes. See Section 13 for details on your CCPA/CPRA rights.
Data Storage & Security
We take the security of your data seriously and implement multiple layers of protection:
- Cloud Storage: Your data is stored in Google Cloud Firestore, which provides enterprise-grade encryption at rest (AES-256) and in transit using TLS/SSL protocols.
- Firestore Security Rules: We enforce strict server-side security rules that ensure you can only access, read, or modify data that you are explicitly authorized to access (your own user profile, groups you belong to, and expenses you participate in).
- Authentication: All user authentication is handled by Firebase Authentication, which manages credentials securely. We never store raw passwords; Firebase uses industry-standard hashing and salting.
- Data Isolation: Users cannot view or modify data belonging to other users outside of shared groups and friend connections.
- On-Device Processing: Sensitive operations like receipt scanning are processed entirely on your device and never transmitted externally.
- Access Controls: Administrative access to backend systems is strictly limited and protected by multi-factor authentication.
Data Breach Notification: In the unlikely event of a data breach that affects your personal information, we will notify affected users and relevant data protection authorities within the timeframes required by applicable law (72 hours for GDPR, as soon as reasonably practicable for other jurisdictions).
International Data Transfers
ExpenseBuddy uses Google Firebase services, which store and process data on servers located in the United States and other countries where Google operates data centers. This means your personal data may be transferred to and processed in countries outside your country of residence.
EU/EEA UK For transfers of personal data from the EEA/UK to countries not recognized as providing adequate data protection, we rely on the following safeguards:
- Google's Data Processing Terms: Google LLC complies with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework, as well as Standard Contractual Clauses (SCCs) approved by the European Commission.
- Adequate Safeguards: We ensure that any international transfer of personal data is subject to appropriate safeguards as required under Chapter V of the GDPR.
INDIA For users in India, your data may be transferred outside India in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act) and any rules issued thereunder. Such transfers are only made to jurisdictions not restricted by the Central Government.
UAE For users in the UAE, cross-border data transfers comply with the requirements of the UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (PDPL).
Data Sharing & Disclosure
We do not sell, trade, or rent your personal information to third parties.
CALIFORNIA Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), we confirm that we do not "sell" or "share" (as those terms are defined under CCPA/CPRA) your personal information.
Your information may be shared in the following limited circumstances:
- With Your Friends & Group Members: Your name, email, and profile picture are visible to friends you have added and members of groups you join. Expense and settlement data within a group is visible to all group members.
- Service Providers: We use trusted third-party services (listed below) that process data on our behalf to operate the App. These providers are contractually obligated to protect your information and process it only according to our instructions.
- Legal Requirements: We may disclose your information if required by law, regulation, legal process, or governmental request, in any jurisdiction.
- Safety & Protection: We may share information to protect the rights, property, or safety of ExpenseBuddy, our users, or the public.
Third-Party Services
ExpenseBuddy integrates with the following third-party services, each with their own privacy policies. These are our "sub-processors" for the purposes of GDPR:
Each of these service providers has been selected for their robust security practices and compliance with applicable data protection regulations, including GDPR, CCPA, and other international standards.
In-App Purchases & Premium
ExpenseBuddy offers a one-time, lifetime premium upgrade ("ExpenseBuddy Premium") that unlocks additional features:
- AI Receipt Scanner (on-device OCR)
- Recurring Expenses automation
- Spending Budgets with category tracking
- Export to PDF reports
- Complete ad-free experience
All purchases are processed securely through Apple's App Store using StoreKit. We do not collect or store any payment information (credit card numbers, billing addresses, etc.). Your purchase status is stored in your Firestore user profile to persist across devices.
Push Notifications
We use Firebase Cloud Messaging (FCM) to send push notifications. Upon granting notification permission, your device's FCM token is saved to your user profile in Firestore. We use notifications for:
- Payment reminders sent by friends
- New expense alerts within shared groups
- Settlement confirmations
- Recurring expense due date reminders
You can disable push notifications at any time via your device's Settings → Notifications → ExpenseBuddy. When you log out, your FCM token is removed from our systems.
Your Privacy Rights by Region
Depending on your jurisdiction, you have specific rights regarding your personal data. We honor all applicable rights under the laws of your region:
13.1 All Users: Universal Rights
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete personal data
- Deletion: Request deletion of your personal data (via in-app account deletion)
- Opt-Out of Tracking: Decline IDFA tracking via App Tracking Transparency prompt or device Settings
- Notification Control: Enable or disable push notifications at any time via device Settings
- Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time
13.2 European Economic Area & United Kingdom (GDPR / UK GDPR)
EU/EEA UK In addition to the universal rights above, you have the right to:
- Data Portability: Receive your personal data in a structured, commonly used, machine-readable format (e.g., JSON or CSV)
- Restriction of Processing: Request that we limit processing of your data in certain circumstances
- Object to Processing: Object to processing based on legitimate interests, including any direct marketing
- Lodge a Complaint: File a complaint with your local Data Protection Authority (DPA). A list of EU DPAs is available at edpb.europa.eu. UK users may contact the Information Commissioner's Office (ICO).
- Right Not to be Subject to Automated Decision-Making: We do not perform automated decision-making or profiling that produces legal effects on you
13.3 California, USA (CCPA/CPRA)
CALIFORNIA If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting, and the categories of third parties with whom we share it
- Right to Delete: Request deletion of your personal information, subject to certain exceptions
- Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information as defined by the CCPA/CPRA
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights
- Right to Correct: Request correction of inaccurate personal information
- Right to Limit Use of Sensitive Personal Information: We do not collect sensitive personal information as defined by the CPRA beyond what is necessary for the App's functionality
CCPA Categories Disclosure: In the preceding 12 months, we have collected the following categories of personal information: Identifiers (name, email), commercial information (purchase records), and electronic activity (device tokens, app preferences). We have not sold any personal information.
13.4 Canada (PIPEDA & Provincial Laws)
CANADA Canadian users have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws:
- Consent: We collect, use, and disclose personal information only with your knowledge and consent, except where permitted or required by law
- Access & Correction: You may request access to your personal information and challenge its accuracy
- Accountability: We are responsible for all personal information under our control
- Complaint: You may file a complaint with the Office of the Privacy Commissioner of Canada
13.5 India (DPDP Act, 2023)
INDIA Indian users ("Data Principals") have rights under the Digital Personal Data Protection Act, 2023:
- Right to Information: You have the right to obtain a summary of the personal data being processed and the processing activities
- Right to Correction & Erasure: You may request correction of inaccurate data or erasure of data no longer necessary for the purpose for which it was collected
- Right of Grievance Redressal: You may raise grievances via our contact details below, and we will respond within the time period prescribed under the Act
- Right to Nominate: You have the right to nominate another individual to exercise your rights in case of death or incapacity
- Complaint: You may file a complaint with the Data Protection Board of India
13.6 United Arab Emirates (PDPL)
UAE Users in the UAE have rights under the UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection:
- Right to Access: Request access to your personal data and information about how it is processed
- Right to Correction: Request correction, amendment, or update of inaccurate data
- Right to Erasure: Request deletion of your personal data when it is no longer necessary
- Right to Object: Object to processing if it causes mental or physical harm
- Right to Data Portability: Request transfer of your data to another controller in a commonly used format
13.7 Other Jurisdictions
If you reside in a jurisdiction not specifically mentioned above (e.g., Australia, Brazil, Japan, South Korea, etc.), we will respect and comply with the applicable data protection laws of your region. Please contact us to exercise your rights under your local law.
To exercise any of these rights, please contact us at surajitroy9064@gmail.com. We will respond within the timeframe mandated by your applicable law (typically 30 days, or 45 days for CCPA requests).
Data Retention
We retain your data for as long as your account is active and as needed to provide our services. We apply the principle of storage limitation: data is not kept longer than necessary. Specifically:
- Account Data: Retained for the lifetime of your account. Deleted upon account deletion request (subject to balance settlement requirements).
- Expense & Group Data: Retained as part of shared group ledgers. Upon account deletion, your data within shared groups may be anonymized to preserve financial integrity for other group members.
- FCM Tokens: Removed from our system when you log out or delete your account.
- Receipt Images: Never stored by us; processed entirely on your device and discarded after scanning.
- Advertising Data: Advertising identifiers are not stored on our servers. They are processed by Google AdMob in accordance with their data retention policies.
Account & Data Deletion
You have the right to delete your account and associated data at any time. Here's how the process works:
- In-App Deletion: Navigate to Profile → Delete Account within the App to initiate account deletion.
- Balance Requirement: To protect the financial integrity of shared groups, your account cannot be deleted while you have outstanding balances (money owed or owing). All balances must be settled first.
- What Gets Deleted: Your personal authentication data (email, password hash, Google credentials), profile information, FCM tokens, and preferences are permanently removed.
- What Gets Anonymized: Your previous interactions within shared groups and expenses are anonymized (your name and email are removed) to preserve the financial ledger for other group members.
- Timeframe: Deletion is processed immediately upon confirmation. In compliance with applicable laws, all personal data is purged from active systems within 30 days.
- Irreversible: Account deletion is permanent and cannot be undone.
Important: If you need help deleting your account or have questions about the process, please contact us at surajitroy9064@gmail.com. We can also process account deletion requests received via email.
Children's Privacy
ExpenseBuddy is not intended for use by children. We adhere to the following age requirements based on your jurisdiction:
- USA Under 13 (COPPA: Children's Online Privacy Protection Act)
- EU/EEA Under 16 (GDPR, though member states may lower this to 13-16)
- UK Under 13 (UK Age Appropriate Design Code)
- CANADA Under 13 (PIPEDA guidance)
- INDIA Under 18 (DPDP Act, 2023)
- UAE Under 18 without parental consent (PDPL)
We do not knowingly collect personal information from children below the applicable minimum age in their jurisdiction. If we become aware that we have inadvertently collected personal information from a child below the applicable age, we will take immediate steps to delete such information from our records.
If you are a parent or guardian and believe that your child has provided us with personal information, please contact us immediately at surajitroy9064@gmail.com so we can take appropriate action.
Cookies & Similar Technologies
The ExpenseBuddy mobile application does not use cookies. However, our third-party service providers may use the following similar technologies:
- Firebase SDK: Uses device identifiers to authenticate sessions and deliver push notifications. These are functional identifiers required for the App to operate.
- Google AdMob SDK: May use device identifiers and advertising IDs (with your consent) to serve and measure advertisements. This is subject to Apple's App Tracking Transparency framework.
- Apple StoreKit: Uses device and account identifiers to process and verify in-app purchases.
Our hosted web pages (privacy policy and terms pages) do not set any cookies or use any tracking technologies.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:
- Update the "Effective Date" at the top of this page
- Notify you through the App or via push notification for significant changes
- Post the revised Privacy Policy on this page
- Where required by law (e.g., GDPR), obtain your renewed consent before applying material changes to the way we process your data
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
ExpenseBuddy Support
Data Controller: Surajit Roy
Email: surajitroy9064@gmail.com
We will respond to your inquiry within a reasonable timeframe:
- EU/EEA/UK Within 30 days (GDPR)
- CALIFORNIA Within 45 days (CCPA/CPRA)
- CANADA Within 30 days (PIPEDA)
- INDIA As prescribed under the DPDP Act and rules
- UAE Within 14 days (PDPL)
- All other regions: Within 30 days