Security at My Expense Control

We assume one leak would end this company. We build accordingly.

This page says exactly what we do with your data and how it's protected — in specifics, because "bank-grade security" is a phrase, not a control. It will grow as the product does; nothing on it will ever get vaguer.

The pledge (binding, verbatim, everywhere)

"We will never sell your data. We will never show you ads. Your data exists to serve you — nobody else. If we ever recommend a financial product, it will be explicitly opt-in, clearly labeled, and fully disclosed — including what we earn from it."

The same wording appears in our privacy policy, the app's onboarding, and our Play Store listing. Internally it is product law: features that would violate it are rejected at design time.

What we access — and the longer list of what we don't

How your data is protected

LayerControl
In transitTLS everywhere; the backend accepts connections only through an authenticated tunnel — it exposes no open ports to the internet.
At restFull-disk encryption (LUKS) on India-resident servers; Gmail tokens carry a second layer of database-level encryption.
BackupsEncrypted with public-key cryptography before leaving the server; the decryption key is stored offline only. A stolen backup is ciphertext.
AI processingFewer than 1 in 5 transactions ever needs AI. Before any AI call, account numbers, card numbers, emails and phone numbers are masked; your identity and location are never sent.
Community learningMerchant knowledge is contributed under anonymous, monthly-rotating salted hashes. There is no user-identity column in the shared registries — it cannot leak what it never stores.
RetentionRaw email text: purged at 30 days. GPS: rounded before storage. Account deletion: one tap, cascades through every table, covered by automated tests.

We threat-model, and we'll show you

We maintain a written threat model — stolen server, breached backup bucket, spoofed bank email, malicious PDF, stolen phone, leaked founder credential, Play-Store impersonator, and AI-provider exposure — with a named control for each. Independent verification: our Gmail integration undergoes Google's CASA security assessment (in progress), and every release passes an adversarial security review of authentication, ingestion, and deletion paths.

Compliance posture

Found something? Tell us.

We welcome good-faith security research. Report vulnerabilities to hello@myexpensecontrol.com — we commit to acknowledging within 48 hours, and we will never take legal action against good-faith research that respects user data.

Page version 1.0 · Last updated July 2026 · Questions welcome — specific ones especially.