Privacy Policy
Last updated: June 18, 2026
Your privacy matters to us. This Privacy Policy explains exactly what information we collect when you use Spendly AI, how we use it, and the choices you have. If you have any questions, contact us at support@spendly-ai.com.
1. Information We Collect
Registered Accounts
When you create a full account with Spendly AI, we collect the following information:
- Email address — used to identify your account and send important notifications (e.g., a welcome email upon registration). We do not collect or store your first or last name.
- Password — stored only as a bcrypt hash. Your actual password is never stored and cannot be recovered by us.
- Profile photo — if you choose to upload one, it is stored on Cloudinary under a path tied to your user ID (spendly/avatars/{userId}). Uploading a photo is optional.
- Preferred currency — the main display currency you select for your account.
- Favorite categories and currencies — your pinned categories (up to 10) and saved currency preferences.
Guest Accounts
You can use Spendly AI without creating a registered account. In guest mode, no email address or password is required. We only store the data you provide during setup: your selected currency, initial categories, and wallet configuration. Guest data is not linked to any personal identifier.
Financial Data You Enter
All financial data you create in the app is stored on our servers:
- Wallets — name, type (Cash, Debit Card, Credit Card, Savings, or Custom), and initial balance.
- Transactions — amount, date, description, category, type (income or expense), associated wallet, and currency.
- Categories — custom and default expense/income categories you create or organize.
- Daily balance snapshots — derived summaries of your wallet balances stored server-side to power spending analytics charts and cash flow trends.
Authentication Data
- Refresh tokens — stored in our database to maintain your logged-in session across app restarts. These can be revoked at any time by logging out.
- Access tokens (JWT) — stored locally on your device using expo-secure-store, which uses iOS Keychain on iPhone and Android Keystore on Android. These tokens are never sent to us in stored form.
- Two-factor authentication codes — temporary verification codes stored briefly in our database while 2FA is active. Codes expire after use.
Voice and Text AI Input
When you use the Text AI or Voice AI features to create transactions:
- Text input — your typed natural-language command (e.g., "coffee 4.50") is sent to OpenAI for parsing. The text is processed to extract the transaction amount, description, and category.
- Voice input — your voice audio is sent to OpenAI for transcription and transaction parsing. Spendly AI does not store voice audio after it has been processed. OpenAI's data handling is governed by their Privacy Policy.
Support Communications
If you contact us via email or the in-app contact form, we collect the information you provide (name, email, and message content) to respond to your inquiry.
2. What We Do NOT Collect
The following data is not collected by Spendly AI:
- First or last name (entered in forms but not stored in our database)
- Device identifiers, hardware fingerprints, or advertising IDs
- GPS location or any location data
- Biometric data (Face ID / fingerprint usage stays on your device)
- Contacts, calendar, or any other phone data
- Crash reports or usage analytics (we do not use third-party analytics SDKs)
3. How We Use Your Information
We use the information we collect solely to:
- Create and manage your account and authenticate your sessions.
- Process and categorize transactions using our AI engine.
- Deliver spending analytics, cash flow charts, and budget summaries.
- Send transactional emails (e.g., welcome email on registration) via Resend.
- Respond to your support requests and communications.
- Maintain the security and integrity of the Service.
- Comply with applicable legal obligations.
We do not sell your personal data to third parties. We do not use your financial data for advertising purposes. We do not use your personal financial data to train AI models.
4. Third-Party Services
Spendly AI uses the following third-party services, each governed by their own privacy policy:
- OpenAI — processes text and voice input for AI transaction parsing. Voice audio is not retained by Spendly AI after processing. See OpenAI Privacy Policy.
- Cloudinary — stores user profile photos. Photos are stored under a path associated with your user ID. See Cloudinary Privacy Policy.
- Resend — sends transactional emails (e.g., welcome emails). Only your email address is shared for this purpose. See Resend Privacy Policy.
We only work with providers that meet our data protection standards and are bound by appropriate data processing agreements.
5. Data Storage and Security
Your financial data is encrypted in transit using TLS 1.3. Passwords are hashed using bcrypt and never stored in plain text. Authentication tokens on your device are protected by iOS Keychain and Android Keystore.
Data is stored on servers located in the European Union. You may request deletion of your data at any time by contacting support@spendly-ai.com.
6. Data Sharing
We do not share your personal information except in these limited circumstances:
- With your explicit consent.
- To comply with a legal obligation, court order, or government request.
- To protect the rights, property, or safety of Spendly AI, our users, or the public.
- In connection with a merger, acquisition, or sale of assets (you will be notified in advance).
7. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: request a copy of the data we hold about you.
- Correction: request correction of inaccurate data.
- Deletion: request deletion of your account and associated data.
- Portability: request an export of your data in a machine-readable format.
- Objection: object to certain processing of your data.
To exercise any of these rights, contact us at support@spendly-ai.com. We will respond within 30 days.
8. Data Retention
We retain your data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where retention is required by law. Guest account data with no associated activity may be purged periodically.
9. Children's Privacy
Spendly AI is not directed to children under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us immediately and we will delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page and, for material changes, notify you via email or an in-app notice. Your continued use of Spendly AI after changes take effect constitutes your acceptance of the revised policy.
11. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please reach out to us:
- Email: support@spendly-ai.com
- Website: spendly-ai.com