Privacy Policy

Last updated: March 26, 2026

Plain language first. This policy is written to be read, not to obscure. We tell you exactly what we collect, who can see it, and what you can do about it.

1. Overview

SmartXpense ("we", "us", or "our") is a personal finance tracking app built and operated as an independent project. This Privacy Policy explains what data we collect when you use SmartXpense, how we use it, who can access it, and what rights you have over it.

We believe in plain language over legal boilerplate. If something is unclear, email us.

2. What Data We Collect

We only collect data you explicitly provide:

Data | Why we collect it
Email address | Account creation, sign-in, and account recovery
Full name & username | Displayed in your profile
Profile avatar | Optional. Displayed in your profile
Expense records (amount, date, category, note) | Core app function — tracking your spending
Currency & theme preferences | Personalizing your experience
Monthly budget (optional) | Showing budget progress on your dashboard

We do not collect payment information, location data, device identifiers, or any behavioral tracking data. We do not run analytics scripts (e.g. Google Analytics) on this app.

3. Who Can Access Your Data

This is the most important section. We believe in being direct about it.

You

You have full access to your own data at all times. You can view, edit, export (CSV), and permanently delete it from within the app.

The app operator (us)

As the operator of this app, we have administrative access to the database via the Supabase dashboard. This is technically unavoidable for any hosted service — the infrastructure owner always has access at the infrastructure level.

Our commitment: We will not access, read, or use your individual expense data except in the specific case where you have reported a bug and explicitly asked us to investigate. We will tell you if we do. We do not browse user data for any other reason.

Supabase (our infrastructure provider)

Your data is stored on servers managed by Supabase, Inc. Supabase is our data processor — they store and serve the data on our behalf but do not use it for any other purpose. Supabase encrypts data at rest (AES-256) and in transit (TLS). See Supabase's Privacy Policy.

No one else

We do not sell, share, rent, or trade your data with any third parties. We do not use your data for advertising. We do not share it with data brokers.

4. How We Protect Your Data

  • Row Level Security (RLS): Every database query is scoped to your user ID. No user can read another user's data, ever.
  • TLS encryption in transit: All communication between your browser and our servers is encrypted.
  • Encryption at rest: The database is encrypted at the storage layer by Supabase.
  • No plaintext passwords: Passwords are hashed with bcrypt by Supabase Auth. We never store or see your password.
  • Minimal permissions: The app's database keys only have the permissions required to serve the app — no admin-level keys run in your browser.

5. Data Retention

We retain your data for as long as your account exists. When you delete your account, all associated data — expenses, categories, profile, and authentication credentials — is permanently deleted from our database. This deletion is irreversible. We do not keep backups of deleted accounts beyond Supabase's standard infrastructure backup window (up to 7 days), after which your data is unrecoverable.

6. Your Rights

You have the following rights over your data at any time:

  • Access: View all your data directly in the app.
  • Correction: Edit any expense, category, or profile field.
  • Export: Download all your expenses as a CSV file from the Expenses page.
  • Deletion: Delete your account and all associated data from Settings → Security → Delete Account. This is immediate and permanent.
  • Portability: The CSV export gives you a copy of your data in a standard, machine-readable format.

If you are located in the European Union, you may also have rights under the GDPR including the right to object to processing and the right to lodge a complaint with your local supervisory authority.

7. Cookies & Local Storage

SmartXpense uses a single session cookie managed by Supabase Auth to keep you signed in. We do not use advertising cookies, tracking pixels, or third-party analytics cookies. No data is sold to or shared with ad networks.

8. Changes to This Policy

If we make material changes to this policy — such as sharing data with new third parties or changing how we store it — we will notify you by email before the change takes effect. Minor clarifications may be made without notice. The "Last updated" date at the top of this page always reflects the current version.

9. Contact

Questions, concerns, or data requests: privacy@smartxpense.com. We aim to respond within 5 business days.

© 2026 SmartXpense. All rights reserved.