How is Free really free?

Free is permanent. Hard daily caps (5 transactions, 1 OCR, 3 voice entries) — enough to actually use, not just trial.

Do you do PKR and USD?

Yes — and 60+ other currencies. Live FX rates. Multi-currency books in one workspace.

Workspace-scoped, end-to-end encrypted in transit and at rest. No ad networks. Full export any time. We never sell data.

Can I switch from QuickBooks / Wave / spreadsheets?

Yes. CSV import for transactions, vendors, categories. White-glove migration on Team plan.

Will it work on my phone?

Yes. The web app is fully optimised for mobile browsers and installs as a PWA — add it to your home screen on iOS or Android and it behaves like a native app, with offline support for recently-viewed pages.

What if I outgrow the Free plan?

Upgrade to Solo for $4.99/mo (no limits, full AI). Team plan unlocks roles and approvals for small companies.

Privacy · effective 2026-01-01

Privacy Policy

Last updated: 2026-05-25. This policy explains what data Expensely ("we", "us") collects, how we use it, who we share it with, and what rights you have over it. It is written in plain English. If anything is unclear, email [email protected].

1. Who we are

Expensely is operated by the Expensely team. We provide a software-as-a-service expense-tracking product accessible at expensely.xyz and the application at app.expensely.xyz.

2. What data we collect

Account data

Your email address and a hashed password (or OAuth identity from Google/Microsoft if you sign in that way).
Your display name and optional profile photo.
Your billing address and payment method — handled by vetted PCI-DSS compliant payment processors (Paddle, Stripe). We never see or store your full card number.

Workspace and transaction data

Every transaction you create, with vendor, amount, currency, date, category and any notes you add.
Receipts you photograph or upload (stored encrypted for 90 days unless you disable retention).
Voice clips during processing only — audio is discarded after transcription.
Workspace settings, categories, vendors and saved views.

Usage data

Aggregate, anonymised metrics about feature usage (e.g. "OCR was used 12 times today") to improve the product.
Crash reports and error logs (PII-redacted where possible).
Approximate location derived from IP for security checks (not stored long-term).

3. What we do not collect

We do not run third-party advertising trackers (no Google Ads, Facebook Pixel, TikTok Pixel, etc.).
We do not sell, rent or share your transaction data with anyone, ever.
We do not use your transactions to train any AI model — your data is only used to provide you with insights inside your workspace.

4. How we use your data

To provide the service: store transactions, run OCR on receipts, parse voice entries, produce AI insights, and render dashboards.
To bill you (paid plans only) via our payment processor.
To send you product-critical email (receipts, security alerts). You can opt out of marketing email at any time.
To detect and prevent fraud, abuse and security incidents.
To comply with our legal obligations.

5. Third-party processors

We use a small number of vetted vendors:

Cloud hosting — Cloudflare and a Tier-1 cloud provider (Asia region). Encryption at rest enforced.
Payment processors — Paddle handles paid-plan billing for new customers; Stripe handles a small number of legacy subscriptions. Both are PCI-DSS compliant. We never see your full card number.
Email delivery — for transactional email only.
OCR and language models — operated under data-processing agreements that prohibit training on customer data and require deletion after processing.
Crash reporting — PII-redacted.

A current sub-processor list is available on request via [email protected].

6. Data retention

Active workspace data is retained for as long as your account is active.
Receipt images are retained 90 days by default. You can opt to disable storage entirely.
Audit logs are retained 90 days on the Team plan.
When you delete your account, we delete your data within 30 days, except where retention is legally required (e.g. tax records for paid customers — typically 7 years).

7. Your rights (GDPR, CCPA and similar)

You can:

Access your data — full export from Settings → Export, anytime.
Correct any data — edit transactions, vendors and categories directly.
Delete your data — from Settings → Delete Account, irreversible after 30 days.
Port your data — CSV and PDF export in standard formats.
Restrict processing — disable AI features in Settings.
Object to processing — email us and we'll respond within 30 days.
Not be subject to automated decisions — our AI insights are advisory; nothing is auto-actioned without your consent.
Lodge a complaint with a supervisory authority — EU/EEA residents may complain to their national data-protection authority; UK residents to the ICO; California residents to the California Privacy Protection Agency. We'd prefer you come to us first so we can fix it, but the right is yours.

For GDPR, CCPA or other data-protection inquiries, email [email protected] with subject "Data Protection" and we'll route it to the right person.

8. International transfers

If you are in the EU or UK, your data may be processed in our Asia cloud region under Standard Contractual Clauses. We assess each sub-processor for transfer mechanisms before engagement.

9. Children

Expensely is not intended for users under 16. We do not knowingly collect data from minors. If you believe we have, email [email protected] and we will delete it.

10. Security

Transactions and receipts are encrypted in transit (TLS 1.3) and at rest (AES-256). Workspaces are logically isolated. We follow industry best practices for access control and incident response. See our security page for details.

11. Cookies and similar technologies

We use a small set of first-party cookies, no third-party ad cookies.

Authentication — a session cookie keeps you logged in to app.expensely.xyz.
CSRF protection — a short-lived token prevents cross-site request forgery on form submissions.
Preferences — a cookie remembers your currency and theme on the marketing site.

We do not run Google Ads, Facebook Pixel, TikTok Pixel or any third-party advertising tracker. You can clear cookies at any time from your browser settings — clearing the authentication cookie will sign you out.

12. Changes to this policy

We may update this policy from time to time. Material changes will be announced via email and in-app notification at least 14 days before they take effect. The "last updated" date at the top reflects the most recent revision.

13. Contact

Privacy questions, deletion requests, complaints — email [email protected]. We respond within 5 business days.