This page says exactly what we do with your data and how it's protected — in specifics, because "bank-grade security" is a phrase, not a control. It will grow as the product does; nothing on it will ever get vaguer.
"We will never sell your data. We will never show you ads. Your data exists to serve you — nobody else. If we ever recommend a financial product, it will be explicitly opt-in, clearly labeled, and fully disclosed — including what we earn from it."
The same wording appears in our privacy policy, the app's onboarding, and our Play Store listing. Internally it is product law: features that would violate it are rejected at design time.
gmail.readonly scope, used solely to detect bank-alert emails from a fixed registry of bank senders. Every email must pass cryptographic sender authentication (SPF and DKIM, with exact-domain matching) before we store a byte — a spoofed "bank" email is rejected, logged, and never enters your ledger.| Layer | Control |
|---|---|
| In transit | TLS everywhere; the backend accepts connections only through an authenticated tunnel — it exposes no open ports to the internet. |
| At rest | Full-disk encryption (LUKS) on India-resident servers; Gmail tokens carry a second layer of database-level encryption. |
| Backups | Encrypted with public-key cryptography before leaving the server; the decryption key is stored offline only. A stolen backup is ciphertext. |
| AI processing | Fewer than 1 in 5 transactions ever needs AI. Before any AI call, account numbers, card numbers, emails and phone numbers are masked; your identity and location are never sent. |
| Community learning | Merchant knowledge is contributed under anonymous, monthly-rotating salted hashes. There is no user-identity column in the shared registries — it cannot leak what it never stores. |
| Retention | Raw email text: purged at 30 days. GPS: rounded before storage. Account deletion: one tap, cascades through every table, covered by automated tests. |
We maintain a written threat model — stolen server, breached backup bucket, spoofed bank email, malicious PDF, stolen phone, leaked founder credential, Play-Store impersonator, and AI-provider exposure — with a named control for each. Independent verification: our Gmail integration undergoes Google's CASA security assessment (in progress), and every release passes an adversarial security review of authentication, ingestion, and deletion paths.
We welcome good-faith security research. Report vulnerabilities to hello@myexpensecontrol.com — we commit to acknowledging within 48 hours, and we will never take legal action against good-faith research that respects user data.
Page version 1.0 · Last updated July 2026 · Questions welcome — specific ones especially.