← Back to Home

Privacy Policy

Last updated: 16 July 2026

SpendSmart AI ("the app", "we", "us") is a personal expense tracker operated by KCH Labs, a sole proprietorship of Heston Baptist Dsouza based in Mumbai, India — the data controller (and Data Fiduciary under India's DPDPA 2023) for your personal data. This policy explains what data we handle and why. We do not sell your data and we do not show ads.

1. The short version

2. Data we collect

3. Where your data is stored

Cloud data is stored with Supabase (PostgreSQL database, authentication, and file storage), running on cloud infrastructure (Amazon Web Services, US East — Ohio, USA). Access is protected by row-level security, so you can only read and write your own data. Receipt images are held in a private storage bucket scoped to your user account and served only through short-lived signed links.

4. AI, voice, and camera features

AI processing (Anthropic)

Several features send your financial data to Anthropic (the Claude AI API) for processing:

We never add your name, email, or account identifiers to these requests. A document you upload — particularly a bank or credit-card statement — may itself contain personal details such as your name, account number, or balance; that content is transmitted to Anthropic as part of the file. Under Anthropic's API data-use policy, data sent to the Claude API is not retained beyond the request and is not used to train models.

Voice input (Apple and Google)

If you use the Voice button to speak an expense, the app uses your device's built-in speech recognizer to turn your speech into text. To give the best accuracy on Indian merchant names and mixed Hindi–English speech, recognition runs in network mode: the audio is sent to your platform's speech service — Apple on iOS, Google on Android — which returns a transcript. That transcript is then handled exactly like typed text (see AI processing, above).

We do not record your audio, and we never store audio on our servers or send audio to Anthropic. The audio is processed by Apple or Google under their own privacy policies. The microphone is used only while you are actively holding or tapping the Voice control. If you prefer that no audio ever leaves your device, simply do not use the Voice feature — every other way of adding an expense works without the microphone.

Camera and photos

The camera and photo library are accessed only when you choose to scan a receipt. The image is downscaled on your device, sent to Anthropic to be read (see above), and stored in your private receipts bucket so you can view it later.

5. Analytics

In the app — off by default. If, and only if, you turn on "Share anonymous usage data", the app sends a small number of product events to PostHog to help us understand which features people use. These events are limited to milestones such as viewing the upgrade screen, starting a checkout, completing sign-up, activating Pro, and logging a first expense. The only details attached are your platform (iOS/Android/web), your country code, and a pseudonymous account identifier. No expense amounts, merchants, notes, names, or email addresses are ever sent. This is opt-in: nothing is sent until you switch it on, and you can switch it off at any time in Settings.

On our website (the marketing and blog pages) we use Google Analytics to understand aggregate traffic — such as page views and where visitors come from. Google Analytics sets cookies for this purpose and is blocked by default until you accept the cookie banner. It is never sent your expense content, name, or account identifiers.

We use Sentry for crash and error reporting, in both the app and our servers. It is configured so that it does not attach your IP address, cookies, request bodies, or account identifiers — only anonymous, content-free error information.

We do not run advertising, we do not use advertising or cross-site tracking cookies, and we never sell your data.

6. Feedback and testimonials

If you send feedback from inside the app, we store your rating, your optional comment, an optional display name, and your country. If — and only if — you tick the box giving permission, we may publish your rating, display name, and country as a public testimonial on our website. We never publish your email address. You can ask us to remove a published testimonial at any time by emailing us.

To stop automated abuse of this one publicly-writable form, we keep a one-way, salted cryptographic hash of the sending IP address for rate-limiting. The raw IP address is not stored and the hash cannot be reversed to recover it.

7. Your rights and controls

What survives account deletion, and why. A small amount of data is deliberately retained after you delete your account, because we are legally or operationally required to keep it: payment and subscription records (needed for tax, accounting, refunds, and chargebacks), administrative access logs (needed to prove our staff did not misuse your data), and cookie-consent records (needed to prove we honoured your consent choice). If you sent feedback, your name and comment are erased, and only an anonymous rating and country remain. None of this retained data contains your expenses, receipts, or email address.

8. Staff and administrative access

We think you should know exactly what we can see. Our administrative tools let us view account metadata only: your email address, sign-up date, last sign-in, country, subscription status, and whether your account contains data at all.

Our staff cannot read your transactions, amounts, merchants, notes, or receipt images through any administrative tool. That restriction is enforced in the database itself, not merely by policy. Every time a staff member opens a user record, the access is written to an audit log first — if the log write fails, the access is refused.

We may send ourselves an internal operational summary (for example, counts of new subscriptions and a record of administrative actions) through a private team messaging channel. It contains no expense data.

9. Data retention

We retain your account information and expense data for as long as your account remains active. When you delete your account, that data — including receipt images — is removed from our active systems immediately and purged from encrypted backups within 30 days.

Other records are kept as follows:

10. Children

SpendSmart AI is intended for users aged 18 and over. We do not knowingly collect personal information from anyone under 18. If you are under 18, please do not use the service or provide any personal information. If you believe a person under 18 has provided us with personal information, contact us at kchlabs@gmail.com and we will delete it.

11. Sub-processors and international data transfers

We use the following sub-processors to operate the service. Some are located outside India; where personal data is transferred internationally, we rely on the transfer mechanism noted below (such as Standard Contractual Clauses or an applicable adequacy decision). This list is maintained for transparency and is reviewed before any new sub-processor is added.

We will update this section when sub-processors change. This section is provided for transparency and is subject to legal review.

12. Changes to this policy

If we make a material change to how we handle your data, we will update the "last updated" date above and, where the change is significant, notify you in the app before it takes effect.

13. Jurisdiction

This service is operated from India and governed by the laws of India, including the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023 (DPDPA).

14. Contact

Questions about your privacy, or want to exercise any right above? Email us at kchlabs@gmail.com, or write to KCH Labs, Legend II, D201, Kandarpada, Dahisar West, Mumbai 400068, India.