How is Free really free?

Free is permanent. Hard daily caps (5 transactions, 1 OCR, 3 voice entries) — enough to actually use, not just trial.

Do you do PKR and USD?

Yes — and 60+ other currencies. Live FX rates. Multi-currency books in one workspace.

Workspace-scoped, end-to-end encrypted in transit and at rest. No ad networks. Full export any time. We never sell data.

Can I switch from QuickBooks / Wave / spreadsheets?

Yes. CSV import for transactions, vendors, categories. White-glove migration on Team plan.

Will it work on my phone?

Yes. The web app is fully optimised for mobile browsers and installs as a PWA — add it to your home screen on iOS or Android and it behaves like a native app, with offline support for recently-viewed pages.

What if I outgrow the Free plan?

Upgrade to Solo for $4.99/mo (no limits, full AI). Team plan unlocks roles and approvals for small companies.

Security · how we protect your data

Security at Expensely.

Expensely holds financial data. That puts security in a different bucket than "most SaaS apps". This page describes what we do — concretely, today — to keep your workspace safe, and what we're working toward. We'd rather under-promise here than make claims we can't back up.

🔒 TLS 1.3 in transit. AES-256 at rest. Workspace isolation. No third-party ad networks. Ever.

Encryption

In transit: All traffic uses TLS 1.3. HSTS is enforced with a 1-year max-age. HTTP redirects to HTTPS.
At rest: Customer data, including transactions and receipt images, is stored on disks encrypted with AES-256. Database backups are encrypted.
Receipts: Encrypted on upload, decrypted only at view time, encrypted at rest.
Passwords: Hashed with bcrypt (cost 12). We never see your plaintext password.

Access control

Workspace isolation: Each workspace is a logical tenant. Cross-workspace queries are not possible at the data-access layer.
Role-based access: Owner, Admin, Member, Contributor and Read-only — each with explicit permissions.
Internal access: Engineers do not have direct access to production data. Access for debugging is short-lived, approved and logged.
Two-factor authentication: TOTP-based 2FA available on all plans; required on Team plan owner/admin accounts.
Session management: Sessions expire after 30 days of inactivity. You can revoke any session from settings.

Infrastructure

Hosted on a Tier-1 cloud provider in an Asia region with full ISO 27001 / SOC 2 attestations at the infrastructure layer.
Edge served by Cloudflare with DDoS protection, WAF and bot management.
Automated database backups every 6 hours, retained 30 days.
Point-in-time recovery available.
Multi-region failover in the works for Team plan workspaces.

Application security

All dependencies scanned weekly for known CVEs.
CSP header restricts script sources.
Rate limiting on auth endpoints to prevent brute force.
Webhook signatures verified using HMAC.
Suspicious-login alerts (new device, new country) sent by email.

Audit logs

Team plan workspaces include a 90-day audit log of every transaction edit, role change, approval and export. See team collaboration for details.

What we don't do

We don't embed third-party ad networks or trackers.
We don't sell or share your data.
We don't use your transactions to train AI models.
We don't store voice clips after transcription.
We don't store full card numbers — payment is handled by our PCI-compliant payment processor.

Certifications and audits

SOC 2 Type I — in progress. ISO 27001 — in progress. We'll publish the reports here when they're complete. In the meantime, we're happy to share our security questionnaire (CAIQ-formatted) on request: [email protected].

Bug bounty

If you find a security vulnerability, report it to [email protected] with subject line "Security disclosure". We respond within 48 hours and pay bounties for valid vulnerabilities on a case-by-case basis. We follow responsible-disclosure practices; please don't test against production data that isn't yours.

Incident response

If a security incident affecting customer data occurs, we will notify affected customers within 72 hours of confirmation, by email to the workspace owner and via in-app banner. Post-mortems for material incidents are published.

Where to read more

Try Expensely with confidence

Start free — no card