Privacy Policy
Last updated: 16 July 2026
SpendSmart AI ("the app", "we", "us") is a personal expense tracker operated by KCH Labs, a sole proprietorship of Heston Baptist Dsouza based in Mumbai, India — the data controller (and Data Fiduciary under India's DPDPA 2023) for your personal data. This policy explains what data we handle and why. We do not sell your data and we do not show ads.
1. The short version
- The app is local-first: your data lives on your device and works fully offline. It syncs to the cloud only when you are online and signed in.
- We never sell your data. We never show ads. We never use your expense data to train AI models.
- Our staff cannot see your transactions, amounts, merchants, or receipts. Administrative tools expose account metadata only (see §8), and every administrative look-up is logged.
- Some features send your data to AI, speech, and payment providers to work. Those are listed in §4 and §11.
- You can export everything, and delete everything, from inside the app at any time (§7).
2. Data we collect
- Account: your email address, used for authentication, password recovery, and important service communications. We will never sell your email or use it for marketing without your consent.
- Expenses: the transactions you enter — amount, currency, merchant, category, date, payment method, and notes — plus your budgets, savings goals, custom categories, and recurring expenses.
- Receipts: receipt photos you choose to scan, stored privately so you can view them later.
- Country & preferences: the country you select, plus currency, language, and theme, which we store to provide localized currency, payment methods, and merchant recognition.
- Subscription state: your plan, status, renewal date, and a payment-provider customer identifier, so we know whether you have Pro.
- Notification token: if you enable notifications, a device push token is stored on your profile so we can deliver reminders. It is deleted when you sign out.
- Feedback you choose to send: a rating, an optional comment, an optional display name, and your country (see §6).
- Usage counters: a per-day and per-month count of how many AI parses you have run, used solely to enforce plan limits and prevent abuse. These are counts only — never the content.
3. Where your data is stored
Cloud data is stored with Supabase (PostgreSQL database, authentication, and file storage), running on cloud infrastructure (Amazon Web Services, US East — Ohio, USA). Access is protected by row-level security, so you can only read and write your own data. Receipt images are held in a private storage bucket scoped to your user account and served only through short-lived signed links.
4. AI, voice, and camera features
AI processing (Anthropic)
Several features send your financial data to Anthropic (the Claude AI API) for processing:
- Expense text you type or dictate, for smart categorization.
- Receipt images you scan, to read the amount, merchant, and date.
- Bank and credit-card statements you import — the parsed rows or the full statement file (CSV or PDF) — so the transactions can be read from it.
- A summary of a month's transactions when you generate monthly AI insights.
We never add your name, email, or account identifiers to these requests. A document you upload — particularly a bank or credit-card statement — may itself contain personal details such as your name, account number, or balance; that content is transmitted to Anthropic as part of the file. Under Anthropic's API data-use policy, data sent to the Claude API is not retained beyond the request and is not used to train models.
Voice input (Apple and Google)
If you use the Voice button to speak an expense, the app uses your device's built-in speech recognizer to turn your speech into text. To give the best accuracy on Indian merchant names and mixed Hindi–English speech, recognition runs in network mode: the audio is sent to your platform's speech service — Apple on iOS, Google on Android — which returns a transcript. That transcript is then handled exactly like typed text (see AI processing, above).
We do not record your audio, and we never store audio on our servers or send audio to Anthropic. The audio is processed by Apple or Google under their own privacy policies. The microphone is used only while you are actively holding or tapping the Voice control. If you prefer that no audio ever leaves your device, simply do not use the Voice feature — every other way of adding an expense works without the microphone.
Camera and photos
The camera and photo library are accessed only when you choose to scan a receipt. The image is downscaled on your device, sent to Anthropic to be read (see above), and stored in your private receipts bucket so you can view it later.
5. Analytics
In the app — off by default. If, and only if, you turn on "Share anonymous usage data", the app sends a small number of product events to PostHog to help us understand which features people use. These events are limited to milestones such as viewing the upgrade screen, starting a checkout, completing sign-up, activating Pro, and logging a first expense. The only details attached are your platform (iOS/Android/web), your country code, and a pseudonymous account identifier. No expense amounts, merchants, notes, names, or email addresses are ever sent. This is opt-in: nothing is sent until you switch it on, and you can switch it off at any time in Settings.
On our website (the marketing and blog pages) we use Google Analytics to understand aggregate traffic — such as page views and where visitors come from. Google Analytics sets cookies for this purpose and is blocked by default until you accept the cookie banner. It is never sent your expense content, name, or account identifiers.
We use Sentry for crash and error reporting, in both the app and our servers. It is configured so that it does not attach your IP address, cookies, request bodies, or account identifiers — only anonymous, content-free error information.
We do not run advertising, we do not use advertising or cross-site tracking cookies, and we never sell your data.
6. Feedback and testimonials
If you send feedback from inside the app, we store your rating, your optional comment, an optional display name, and your country. If — and only if — you tick the box giving permission, we may publish your rating, display name, and country as a public testimonial on our website. We never publish your email address. You can ask us to remove a published testimonial at any time by emailing us.
To stop automated abuse of this one publicly-writable form, we keep a one-way, salted cryptographic hash of the sending IP address for rate-limiting. The raw IP address is not stored and the hash cannot be reversed to recover it.
7. Your rights and controls
- Access & export: you can export your transactions to CSV/PDF, or download a complete JSON copy of all your data (transactions, budgets, goals, recurring expenses, settings) from within the app at any time.
- Deletion: Settings includes "Delete my account", which permanently erases your account and all associated data — including your receipt images — from our servers, in line with the GDPR right to erasure and India's DPDPA 2023. A separate "Delete all data" option clears your expense data while keeping the account.
- Correction: you can edit or delete any individual transaction, budget, goal, or preference directly in the app.
- Withdraw consent: you can turn off usage analytics in Settings, and change your website cookie choice at any time from the banner.
- Complaint: if you are in the EU/UK you may lodge a complaint with your local supervisory authority; in India, with the Data Protection Board.
What survives account deletion, and why. A small amount of data is deliberately retained after you delete your account, because we are legally or operationally required to keep it: payment and subscription records (needed for tax, accounting, refunds, and chargebacks), administrative access logs (needed to prove our staff did not misuse your data), and cookie-consent records (needed to prove we honoured your consent choice). If you sent feedback, your name and comment are erased, and only an anonymous rating and country remain. None of this retained data contains your expenses, receipts, or email address.
8. Staff and administrative access
We think you should know exactly what we can see. Our administrative tools let us view account metadata only: your email address, sign-up date, last sign-in, country, subscription status, and whether your account contains data at all.
Our staff cannot read your transactions, amounts, merchants, notes, or receipt images through any administrative tool. That restriction is enforced in the database itself, not merely by policy. Every time a staff member opens a user record, the access is written to an audit log first — if the log write fails, the access is refused.
We may send ourselves an internal operational summary (for example, counts of new subscriptions and a record of administrative actions) through a private team messaging channel. It contains no expense data.
9. Data retention
We retain your account information and expense data for as long as your account remains active. When you delete your account, that data — including receipt images — is removed from our active systems immediately and purged from encrypted backups within 30 days.
Other records are kept as follows:
- Crash and error logs (which never contain your expense content or identifiers) — up to 90 days.
- Payment and subscription records — retained as required by Indian tax and accounting law.
- Administrative access logs — retained so we can demonstrate our staff did not misuse your data.
- Cookie-consent records — a random visitor identifier, your choice, a timestamp, and the policy version in effect. This record contains no name, email address, or IP address, and exists solely to demonstrate we honoured your consent decision. For abuse prevention, the sending IP address is recorded for the day to rate-limit this endpoint. It is not linked to your consent record and is not used for anything else.
- Anti-abuse usage counters — counts only, no content, retained while your account is active.
10. Children
SpendSmart AI is intended for users aged 18 and over. We do not knowingly collect personal information from anyone under 18. If you are under 18, please do not use the service or provide any personal information. If you believe a person under 18 has provided us with personal information, contact us at kchlabs@gmail.com and we will delete it.
11. Sub-processors and international data transfers
We use the following sub-processors to operate the service. Some are located outside India; where personal data is transferred internationally, we rely on the transfer mechanism noted below (such as Standard Contractual Clauses or an applicable adequacy decision). This list is maintained for transparency and is reviewed before any new sub-processor is added.
- Supabase (hosted on Amazon Web Services, US East — Ohio, USA) — database, authentication, and receipt storage. Transfer basis: Standard Contractual Clauses.
- Anthropic, PBC (United States) — AI processing of expense text, receipt images, bank/credit-card statements, and monthly insights via the Claude API. Inputs are not retained beyond the request and are not used to train models. Transfer basis: Standard Contractual Clauses.
- Apple Inc. (United States) — speech recognition for the Voice feature on iOS; App Store subscription billing. Transfer basis: Standard Contractual Clauses.
- Google LLC (United States) — speech recognition for the Voice feature on Android; Google Play subscription billing; Google Analytics on our public website. Transfer basis: Standard Contractual Clauses.
- RevenueCat, Inc. (United States) — subscription management for the mobile apps. Receives a pseudonymous account identifier, not your email. Transfer basis: Standard Contractual Clauses.
- Dodo Payments — subscription payments on the web. Receives your email address and a pseudonymous account identifier to create your billing record.
- PostHog, Inc. (United States) — product analytics, only if you opt in. Receives funnel event names, platform, country, and a pseudonymous account identifier. No expense content, name, or email. Transfer basis: Standard Contractual Clauses.
- Functional Software, Inc. (Sentry) (United States) — crash and error reporting. Receives anonymous, content-free error data only — never your expense content, name, or account identifiers. Transfer basis: Standard Contractual Clauses.
- Expo (650 Industries, Inc.) (United States) — push-notification delivery and over-the-air app updates. Receives a device push token. Transfer basis: Standard Contractual Clauses.
- Intuition Machines (hCaptcha) (United States) — bot and abuse prevention on sign-up and sign-in. Receives your IP address and interaction data to perform that check. Transfer basis: Standard Contractual Clauses.
We will update this section when sub-processors change. This section is provided for transparency and is subject to legal review.
12. Changes to this policy
If we make a material change to how we handle your data, we will update the "last updated" date above and, where the change is significant, notify you in the app before it takes effect.
13. Jurisdiction
This service is operated from India and governed by the laws of India, including the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023 (DPDPA).
14. Contact
Questions about your privacy, or want to exercise any right above? Email us at kchlabs@gmail.com, or write to KCH Labs, Legend II, D201, Kandarpada, Dahisar West, Mumbai 400068, India.