
Legal Information

Last updated: February 19, 2026

Legal Documents

Privacy Policy →

How we collect, use, and protect your data. Learn about our privacy-first approach to email access.

Terms of Service →

The agreement governing your use of Expensent, including billing, acceptable use, and liability.


Data Controller

GDPR Data Controller Information

Data Controller: Ilios Galil (PerfWebsite), sole trader, Portugal

Contact: hello@expensent.com

No formal Data Protection Officer (DPO) has been appointed. Privacy inquiries should be directed to the contact email above.

Supervisory authority: CNPD (Comissão Nacional de Proteção de Dados), Portugal — www.cnpd.pt

For full details on how we process your data, see our Privacy Policy.

Data Processing

Email Access & Processing

When you scan for invoices, we use a three-phase, privacy-first approach:

  • We use OAuth 2.0 authentication—we never see or store your password
  • Phase 1 — Metadata fetch: We request email metadata (sender, subject, date, attachment info) from your inbox via Nylas for the selected date range. No email bodies are downloaded at this stage
  • Phase 2 — AI prefilter: AI reviews only the metadata to identify emails that look like invoices. The vast majority of emails are discarded here—their content is never accessed
  • Phase 3 — Classification: Only invoice candidates have their body text and attachments (PDF, JPG, PNG) analyzed by AI. This processing is ephemeral—body text is not stored
  • Invoices are forwarded to your accountant and metadata is stored to prevent duplicates
  • Optionally, real-time webhooks can automatically process incoming emails matching your configured vendor rules—without requiring a manual scan
  • You can revoke access at any time through your email provider's security settings

Data Location & Transfers

Your data is processed and stored in data centers located in the United States. If you are accessing the service from outside the US, you consent to the transfer and processing of your data in the US. We ensure all transfers comply with applicable data protection laws, including GDPR Standard Contractual Clauses where applicable.

Breach Notification

In the unlikely event of a data breach affecting your personal information, we will notify you via email within 72 hours of becoming aware of the breach, as required by GDPR and applicable laws. We will also notify relevant regulatory authorities where required.

Security Measures

Our Security Commitment

Security is at the core of Expensent. We implement multiple layers of protection to ensure your data remains safe and your privacy is respected.

Technical Safeguards

  • Encryption in Transit: All data is transmitted using TLS 1.3 encryption
  • Encryption at Rest: Stored data is encrypted using AES-256
  • OAuth Security: We use short-lived access tokens that are regularly refreshed
  • Infrastructure: Hosted on enterprise-grade platforms (Convex, Vercel) that maintain SOC 2 Type II compliance
  • Access Control: Strict internal access policies with audit logging
  • Regular Audits: Periodic security reviews and vulnerability assessments

Cookie Policy

Essential Cookies & Privacy-Respecting Analytics

Expensent uses essential cookies for authentication, session management, and security (CSRF protection). We also use PostHog (EU-hosted, DNT-respecting) for product analytics and Vercel Analytics (cookieless) for page performance. For full details, see Section 8 of our Privacy Policy.

What We Don't Use

We do NOT use:

  • Advertising pixels or retargeting cookies
  • Analytics that track you across other websites
  • Social media tracking widgets
  • Any cookies for targeted advertising

GDPR & CCPA Compliance

For EU Residents (GDPR)

Under the General Data Protection Regulation, you have the right to:

  • Access your personal data
  • Rectify inaccurate personal data
  • Request erasure of your personal data
  • Restrict processing of your personal data
  • Data portability
  • Object to processing
  • Lodge a complaint with a supervisory authority

For California Residents (CCPA/CPRA)

Under the California Consumer Privacy Act and California Privacy Rights Act, you have the right to:

  • Know what personal information is collected
  • Know whether your personal information is sold or disclosed
  • Say no to the sale of personal information (we don't sell your data)
  • Access your personal information
  • Request deletion of your personal information
  • Equal service and price, even if you exercise your privacy rights

Do Not Sell or Share

Expensent does not sell or share your personal information for cross-context behavioral advertising. No opt-out mechanism is needed because we never sell data.

Sensitive Personal Information

Email content accessed through the service is used solely for invoice detection and forwarding. It is not used for profiling, advertising, or any purpose beyond service delivery.

Contact & Changes

Contact Us

If you have any questions about our legal policies, data practices, or wish to exercise your privacy rights, please contact us:

Email: hello@expensent.com

Policy Updates

We may update these policies from time to time. We will notify you of any material changes by email and/or by posting a notice on our website. Your continued use of the service after changes become effective constitutes acceptance of the updated terms.

© 2025–2026 Expensent. All rights reserved.