🔒 Your privacy matters

Privacy Policy

Last updated: 9 March 2026

Summary: We collect only what we need, never sell your data, and you can delete your account and all data at any time.

1. Introduction

ExpenseTrackerHQ ("we", "our", or "us") operates expensetrackerhq.com and the ExpenseTrackerHQ application (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information.

We comply with applicable data protection laws including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other international standards. By using our Service, you agree to this policy.

2. Data Controller

The data controller responsible for your personal data is ExpenseTrackerHQ.

Contact
Email: notifications@expensetrackerhq.com
Website: expensetrackerhq.com

3. Information We Collect

3.1 Information You Provide Directly

  • Account information: Name, email address, and password when you register.
  • Profile information: First name, last name, profile picture, and currency/timezone preferences.
  • Financial data: Transaction records, budget settings, categories, and payment methods you enter.
  • Communications: Messages you send us via email or support channels.

3.2 Information Collected Automatically

  • Usage data: Pages visited, features used, and interaction patterns within the Service.
  • Device information: Browser type, operating system, and device identifiers.
  • Log data: IP address, access times, and referring URLs.
  • Cookies: Session cookies necessary for authentication and Service functionality.

3.3 Information We Do NOT Collect

  • We do not collect real bank account numbers, credit card numbers, or financial credentials.
  • We do not connect to your bank accounts or payment providers.
  • We do not collect sensitive personal data such as health data, biometric data, or political opinions.

4. How We Use Your Information

  • To provide the Service: Operate, maintain, and improve the ExpenseTrackerHQ platform.
  • To personalize your experience: Display your financial data, insights, and reports.
  • To send notifications: Budget alerts, weekly/monthly reports, and daily reminders you have opted into.
  • To communicate with you: Respond to inquiries and provide customer support.
  • To ensure security: Detect fraud, abuse, and unauthorized access.
  • To comply with legal obligations: Meet applicable legal requirements.

Legal bases under GDPR:

  • Contract performance: Processing necessary to provide the Service you signed up for.
  • Legitimate interests: Security monitoring, fraud prevention, and Service improvement.
  • Consent: Marketing communications and optional notifications (withdrawable at any time).
  • Legal obligation: Compliance with applicable laws.

5. Data Sharing and Disclosure

We do not sell, rent, or trade your personal data. We may share it only in these limited circumstances:

  • Service providers: Trusted vendors who help operate our Service (Vercel, Neon, Resend). Bound by contract to protect your data.
  • Legal requirements: If required by law, court order, or governmental authority.
  • Business transfers: In a merger or acquisition. We will notify you before any transfer.
  • Protection of rights: To protect the safety of ExpenseTrackerHQ, our users, or the public.

6. Data Retention

  • Account data: Retained for the duration of your account. Deleted within 30 days of account deletion.
  • Financial records: Retained as long as your account is active. Deleted upon account deletion.
  • Log data: Retained for up to 90 days for security and debugging.
  • Encrypted backups: May persist for up to 60 days after deletion.

You may request deletion at any time by contacting us or deleting your account in Settings.

7. Your Rights

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete data.
  • Right to erasure: Request deletion of your personal data ('right to be forgotten').
  • Right to restriction: Request that we limit how we process your data.
  • Right to data portability: Receive your data in a structured, machine-readable format.
  • Right to object: Object to processing based on legitimate interests.
  • Right to withdraw consent: Withdraw consent at any time without affecting prior processing.
  • CCPA: Right not to be discriminated against for exercising your privacy rights.

To exercise these rights, email notifications@expensetrackerhq.com. We will respond within 30 days.

8. Cookies and Tracking

  • Essential cookies: Required for authentication and session management. Cannot be disabled.
  • Preference cookies: Remember your settings such as language and currency.

We do not use advertising cookies or third-party tracking pixels.

9. Data Security

  • All data is transmitted over encrypted HTTPS connections (TLS 1.2+).
  • Passwords are hashed using a secure cryptographic algorithm and never stored in plain text.
  • Database access is restricted to authorized personnel and services only.
  • We conduct regular security reviews of our infrastructure.

In the event of a data breach that affects your rights, we will notify you within 72 hours as required by GDPR.

10. International Data Transfers

Your data may be processed in countries outside your own. We ensure appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission and processing only with providers that maintain adequate data protection standards.

11. Children's Privacy

The Service is not directed to individuals under 13. We do not knowingly collect data from children under 13. If you believe we have, please contact us immediately and we will delete it.

12. Third-Party Services

  • Vercel — Hosting and deployment infrastructure.
  • Neon — Cloud PostgreSQL database hosting.
  • Resend — Transactional email delivery.
  • Google OAuth (optional) — Third-party sign-in governed by Google's privacy policy.

13. Changes to This Policy

We may update this policy from time to time. For material changes, we will update the "Last updated" date and notify registered users by email at least 14 days before changes take effect.

14. Contact Us

For any questions or requests regarding this Privacy Policy:

ExpenseTrackerHQ — Privacy Team
Email: notifications@expensetrackerhq.com
Response time: Within 30 days

If you are in the EEA and believe we have not addressed your complaint, you may lodge a complaint with your local data protection authority.