Privacy Policy

Effective date: January 1, 2026  ·  Last updated: January 1, 2026

1. Overview

Expense Tracker ("we", "our", or "us") is a personal finance tool that helps you upload, categorize, and analyse your bank transactions. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.

Your financial data belongs to you. We never sell or monetise your personal or transaction data, and we never share it with any third party.

2. Data We Collect

When you use Expense Tracker, we collect only what is strictly necessary to provide the service:

  • Account information — your email address and a securely hashed password (bcrypt). We never store your password in plaintext.
  • Transaction data — the contents of CSV files you upload, including dates, descriptions, and amounts from your bank statements.
  • Categorisation rules — the categories and keyword rules you create to organise your transactions.
  • Usage data — basic analytics events (page views, feature usage) via Firebase Analytics, if enabled. No personally identifiable information is attached to these events.

3. How We Use Your Data

Your data is used solely to deliver the features of Expense Tracker:

  • Authenticating your account and keeping your session secure.
  • Storing and displaying your transactions, categories, and reports.
  • Auto-categorising transactions using your keyword rules.
  • Generating monthly and yearly spending summaries.
  • Improving the product through aggregated, anonymised usage analytics.

4. Data Storage & Security

All data is stored in a MongoDB database. Access tokens are short-lived (15 minutes) and refresh tokens expire after 30 days. Passwords are hashed with bcrypt before storage — they are never recoverable, even by us.

We take reasonable technical measures to protect your data. However, no system is 100% secure, and you should use a strong, unique password for your account.

5. Data Isolation

Every query in Expense Tracker is scoped to your user account. You can never access another user's transactions, categories, or reports — this is enforced at the database level on every request.

6. Self-hosted Instances

If you run your own instance of Expense Tracker using the Docker image, you are the sole data controller. All data resides on your own infrastructure and we have no access to it whatsoever.

7. Cookies & Local Storage

Expense Tracker stores your JWT access token and email address in browser localStorage to keep you logged in. No third-party tracking cookies are set. Firebase Analytics may use cookies to distinguish unique sessions — you can disable this by using browser privacy settings or an ad blocker.

8. Your Rights

You have the right to:

  • Access all data we hold about you.
  • Request deletion of your account and all associated data.
  • Export your transaction data at any time.
  • Correct any inaccurate account information.

To exercise any of these rights, contact us at the email address listed below.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top. Continued use of the service after changes constitutes acceptance of the revised policy.

10. Contact

For any privacy-related questions or requests, please contact us at [email protected].