Privacy Policy

Last updated: April 30, 2026

1. Introduction

Welcome to ExpenseMate ("we," "our," or "us"). We respect your privacy and are committed to protecting your personal data. This privacy policy will inform you about how we look after your personal data when you visit our website at expensemate.app (regardless of where you visit it from) or use our mobile application, and tell you about your privacy rights and how the law protects you.

This privacy policy applies to both our website and mobile application (collectively referred to as "Services").

2. Data Controller

The controller responsible for your personal data is:

TK MEDIA S.à r.l.-S

13, In Bedigen

L-9283 Diekirch, Luxembourg

RCS Luxembourg: B306819

Email: contact@tkmedia.lu

For full company details, see our Legal Notice.

If you have any questions about this privacy policy, or if you wish to exercise any of your legal rights, please contact us at the email address above.

3. The Data We Collect

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

  • Identity Data includes first name, last name, username or similar identifier.
  • Contact Data includes email address and optionally telephone numbers.
  • Financial Data includes expense records, receipt data, and payment information that you choose to share with the app.
  • Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our Services.
  • Profile Data includes your username and password, your preferences, feedback, and survey responses.
  • Usage Data includes information about how you use our Services.
  • Image Data includes photographs of receipts you upload to the application.

4. How We Collect Your Data

We use different methods to collect data from and about you including through:

  • Direct interactions: You may give us your Identity, Contact, and Financial Data by filling in forms or by corresponding with us through the Services.
  • Automated technologies or interactions: As you interact with our Services, we may automatically collect Technical Data about your equipment, browsing actions, and patterns.
  • Third-party analytics providers: We use Google Analytics and PostHog (with your consent) and Vercel Analytics (cookieless, always active) to understand how visitors use our website. Vercel Analytics does not store personal data or set cookies; it collects only aggregated, anonymized metrics such as page views, referrer, device type, and approximate country.

5. How We Use Your Data & Legal Basis

We only process your personal data where we have a valid legal basis under the GDPR (Regulation (EU) 2016/679). The table below sets out the purposes for which we process your data and the legal basis we rely on for each.

| Purpose | Data categories | Legal basis (GDPR Art. 6) |
|---|---|---|
| Creating your account and providing the Services (receipt scanning, expense tracking, group splitting) | Identity, Contact, Financial, Image, Profile | Performance of a contract, Art. 6(1)(b) |
| Processing receipt images to extract items and amounts (AI-assisted OCR) | Image, Financial | Performance of a contract, Art. 6(1)(b) |
| Securing the Services, detecting fraud and abuse, and maintaining system integrity | Technical, Usage | Legitimate interests, Art. 6(1)(f) (running a secure service) |
| Analytics and product improvement (Google Analytics and PostHog) | Technical, Usage | Consent, Art. 6(1)(a) |
| Aggregated, cookieless audience measurement (Vercel Analytics) | Technical (transient) | Legitimate interests, Art. 6(1)(f) (measuring website reach without identifying visitors) |
| Responding to support requests and legal-rights requests | Identity, Contact, any other relevant data | Legal obligation, Art. 6(1)(c) and legitimate interests, Art. 6(1)(f) |
| Complying with accounting, tax and other legal obligations | Identity, Contact, Financial (to the extent applicable) | Legal obligation, Art. 6(1)(c) |

6. Recipients and Sub-Processors

We do not sell your personal data. We share it only with a limited number of service providers (processors under GDPR Art. 28) who process it on our behalf and under our instructions in order to operate the Services:

| Provider | Purpose | Location |
|---|---|---|
| Google LLC (Firebase Authentication, Cloud Storage, Cloud Run, Cloud SQL) | Authentication, file storage, API hosting, database | EU / United States |
| Google LLC (Gemini API) | Receipt OCR / item extraction | United States |
| OpenAI, L.L.C. | Receipt OCR / item extraction (fallback) | United States |
| Vercel Inc. | Website hosting and cookieless analytics | United States (global edge) |
| PostHog Inc. | Website product analytics and optional session replay, only after analytics consent | EU Cloud (Frankfurt) / United States company |

Receipt image content is sent to OCR providers only for the time needed to extract the data; we do not authorise them to use your content to train their models. We may additionally disclose personal data where required by law, court order, or a legitimate request from a public authority, or where necessary to protect our rights, the safety of our users, or the integrity of the Services.

7. International Data Transfers

Some of our sub-processors are established outside the European Economic Area (EEA), notably in the United States. When we transfer your personal data outside the EEA, we ensure an adequate level of protection using one or more of the following safeguards:

  • Transfer to providers certified under the EU–US Data Privacy Framework (where applicable).
  • Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision (EU) 2021/914), supplemented with technical and organisational measures where required.
  • For Google services, Google's published cross-border transfer mechanisms.

You may request a copy of the safeguards in place for a given transfer by contacting us at the email address listed in section 2.

8. Infrastructure

Your data is processed and stored on Google Cloud infrastructure. We specifically use Google Cloud Storage for receipt images and files, Firebase Authentication for sign-in, Google Cloud Run for our API services, and Google Cloud SQL for the database.

Our website is hosted on Vercel, which also provides cookieless, privacy-first website analytics. Vercel processes request metadata (such as IP addresses) transiently to derive aggregate country-level statistics. IP addresses are not stored by Vercel Analytics. For more information, see Vercel's Privacy Policy.

With your analytics consent, we also use PostHog on the website to measure product funnels such as app-store clicks, downloads, and join-link outcomes. We configure PostHog to avoid sending invite group IDs and to disable session replay unless explicitly enabled in deployment settings.

9. Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal data to those agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

10. Data Retention

We keep your personal data only for as long as reasonably necessary for the purposes set out in section 5, including to meet any legal, regulatory, tax, accounting or reporting requirements. Concretely:

  • Account data (Identity, Contact, Profile): kept for as long as your account exists. On deletion, identifying fields are removed within 30 days.
  • Expense and group data (Financial): kept while your account is active. When you delete your account, data that is strictly tied to you is deleted, and data that remains linked to shared groups or expenses of other users is anonymised (your identity is removed) rather than deleted, so that the expense history of other group members stays intact and the app continues to function correctly.
  • Receipt images (Image): kept while linked to an expense; deleted when you delete the expense, the group, or your account.
  • Technical and server logs: typically kept for up to 90 days for security, debugging, and abuse-prevention purposes.
  • Google Analytics data: retained for 14 months by default at the GA4 level.
  • PostHog analytics data: retained according to the PostHog project retention settings and only collected after analytics consent.
  • Accounting and tax records: retained for 10 years in accordance with Luxembourg accounting law where applicable.

Once anonymised, data is no longer considered personal data under the GDPR and may be retained for statistical and operational purposes.

11. Your Legal Rights

Under the GDPR, you have the following rights in relation to your personal data:

  • Access (Art. 15): request a copy of the personal data we hold about you.
  • Rectification (Art. 16): ask us to correct inaccurate or incomplete data.
  • Erasure (Art. 17): ask us to delete your personal data, subject to the anonymisation approach explained in section 10.
  • Restriction (Art. 18): ask us to limit the processing of your data in certain circumstances.
  • Portability (Art. 20): receive your data in a structured, commonly used, machine-readable format.
  • Objection (Art. 21): object to processing based on legitimate interests.
  • Withdraw consent (Art. 7(3)): where processing is based on consent, withdraw it at any time, without affecting the lawfulness of processing carried out before the withdrawal.

To exercise any of these rights, contact us at contact@tkmedia.lu. We will respond within one month of receiving your request.

12. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. In Luxembourg, the competent authority is the Commission nationale pour la protection des données (CNPD):

15, Boulevard du Jazz

L-4370 Belvaux, Luxembourg

Website: cnpd.public.lu

13. Children

Our Services are not directed at children under 16. Under Luxembourg law, the age of digital consent under GDPR Art. 8 is 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us and we will take steps to delete it.

14. Automated Decision-Making

Receipt OCR uses AI models to extract items and amounts from images. This is purely a data-extraction step; it does not produce decisions that have legal effects on you or similarly significantly affect you within the meaning of GDPR Art. 22. You remain in control of every expense you save in the app.

15. Cookies and Tracking

Our website uses cookies and similar tracking technologies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our site.

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly.

16. Changes to the Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date at the top of this Privacy Policy.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

17. Contact Us

If you have any questions about this Privacy Policy, please contact us at contact@tkmedia.lu.