Privacy Policy
Last Updated: February 2026
Introduction
Primecode LLC, operating as Expense Flow ("we", "our", or "us"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application. We strive to comply with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and California Privacy Rights Act (CPRA).
Information We Collect
We collect information you provide directly to us, including:
- Account Information: Email address, name, phone number, and profile picture when you create an account.
- Financial Data: Expense records, income entries, budget goals, bank account names (not actual bank credentials), loan information, and savings goals that you manually enter.
- Usage Data: How you interact with the app, features you use, and your preferences (only with your consent).
- Device Information: Device type, operating system, and unique device identifiers for push notifications.
Legal Basis for Processing (GDPR)
We process your personal data based on the following legal grounds:
- Contractual Necessity: To provide our services and fulfill our agreement with you
- Consent: For optional features like analytics and personalized recommendations
- Legitimate Interests: To improve our services and protect against fraud
- Legal Obligations: To comply with applicable laws and regulations
How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve our services
- Process and track your expenses, income, and financial goals
- Send you push notifications about payment reminders and app updates
- Respond to your comments, questions, and customer service requests
- Generate insights and analytics to help you understand your spending habits
Third-Party Service Providers
We use trusted third-party services to operate the App. These providers may process your data on our behalf:
Google Firebase (Data Processor)
- Purpose: Authentication, database storage, cloud storage, push notifications
- Data Processed: Account information, app data, device tokens
- Location: Google Cloud data centers (US, EU based on configuration)
- Privacy Policy: https://firebase.google.com/support/privacy
Google Cloud Platform
- Purpose: Server infrastructure and data hosting
- Privacy Policy: https://cloud.google.com/terms/cloud-privacy-notice
Apple App Store / Google Play Store
- Purpose: App distribution, in-app purchases, subscription management
- Data Processed: Purchase history, subscription status
- Privacy Policies: Apple / Google
OpenAI (Optional - AI Features)
- Purpose: AI-powered features including receipt scanning (Vision AI), financial analysis, chat assistant, and language translation
- Data Processed: Receipt images, expense descriptions, chat messages, and general financial queries
- Privacy Policy: https://openai.com/policies/privacy-policy
- Note: AI features are completely optional and can be disabled in Settings > AI Settings
Important AI Data Handling:
- No Sensitive Data Shared: We never send sensitive information to AI services, including: account IDs, passwords, bank account numbers, card numbers, CVV codes, or other credentials
- AI features only process non-sensitive data you explicitly submit (e.g., receipt images, expense categories, general questions)
- We do not automatically send your financial data to AI services
- AI responses are generated insights and should not be considered professional financial advice
- AI Chat History: AI chat history is retained for your convenience and cannot be individually deleted. You can delete your entire account to remove all associated data including chat history
Your Own API Key: Depending on your subscription plan, you may use your own OpenAI API key for AI features, giving you direct control over your AI data processing. When using your own API key, data is sent directly to OpenAI under your account and you are responsible for any usage costs.
We require all third-party processors to protect your data and use it only for the purposes we specify.
Data Storage and Security
Your data is stored using Firebase, a Google Cloud service that employs industry-standard security measures including encryption of data in transit and at rest.
Sensitive Financial Data Encryption: Card numbers, CVV codes, expiry dates, and bank account numbers are encrypted using AES-256-CBC encryption before being stored. The encryption key is derived using PBKDF2 with a unique per-user salt.
Cross-Platform Cloud Sync: Your data is synced to the cloud to enable access across all your devices (mobile, tablet, web). This sync is required for core app functionality.
Security Measures: While we implement robust security measures, no system is completely secure. We cannot guarantee absolute security of your data.
Your Rights Under GDPR
If you are in the European Economic Area (EEA), you have the following rights:
- Right of Access (Article 15): Request a copy of your personal data
- Right to Rectification (Article 16): Correct inaccurate personal data
- Right to Erasure (Article 17): Request deletion of your personal data ("Right to be Forgotten")
- Right to Restriction (Article 18): Restrict processing of your data
- Right to Data Portability (Article 20): Export your data in JSON or CSV format
- Right to Object (Article 21): Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent at any time in Settings > Privacy Controls
Your Rights Under CCPA/CPRA
If you are a California resident, you have the following rights:
- Right to Know: Know what personal information we collect and how it's used
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: Opt out of the "sale" or "sharing" of personal information
- Right to Non-Discrimination: Equal service regardless of privacy choices
- Right to Correct: Request correction of inaccurate personal information
- Right to Limit Use: Limit use of sensitive personal information
Data Sharing Practices
We Do NOT Sell Your Data: Expense Flow does not sell your personal information to third parties for monetary consideration.
Sharing Clarification: Under CCPA/CPRA, "sharing" for targeted advertising may be considered a "sale." If you have analytics enabled, anonymized usage data may be shared with analytics providers. You can opt out of this in Settings > Privacy Controls.
When We May Disclose Data:
- With your consent
- To comply with legal obligations
- To protect our rights or safety
- In connection with a business transaction (e.g., merger or acquisition)
What We Don't Do
- We never sell your personal or financial data
- We never share your data with third parties for advertising
- We do not access or use your data beyond what is required to operate core features securely and with your consent
Data Retention
We retain your data only as long as necessary to provide our services. When you delete your account, we initiate deletion of associated data, which is typically completed within 30 days. Some data may be retained longer if required by law.
International Data Transfers
Your data may be transferred to and processed in countries outside your residence, including the United States. We rely on appropriate safeguards such as Standard Contractual Clauses for transfers from the EEA/UK.
Children's Privacy
Expense Flow is not intended for children under 13 (or 16 in the EEA). We do not knowingly collect data from children. If we learn we have collected data from a child, we will delete it promptly.
Account Deletion
You can permanently delete your account and all associated data at any time from Settings > Account Information > Delete Account.
Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes through the app or email at least 30 days before they take effect (where required by law).
California Privacy Notice
Categories of Personal Information Collected: Identifiers, financial information, usage data, device information.
Categories of Sources: Directly from you, automatically from device.
Business Purpose for Collection: Providing services, improving the app, customer support.
Categories of Third Parties: Service providers (Firebase, cloud hosting).
Contact Us
For privacy-related inquiries or to exercise your rights:
- Email: privacy@expenseflow.net
- Support: In-app Help > Contact Support
- Data Protection Contact: dpo@expenseflow.net (for EU users)
For California residents, you may also submit requests through our in-app Privacy Controls.