Your data stays on your device by default.

Controller and scope

ExpensiFamily is operated by an independent individual developer (not a registered company at this stage), acting as controller for this website, support communications, and optional Ask George requests. Contact: support@expensifamily.com. The current version has no account system and no cloud sync; expense records remain on your device unless you actively share data with us or use Ask George.

Data categories and purposes

We process only data needed to operate the site, provide support, and maintain service security.

• Contact and correspondence data you submit (such as email address and message content).
• Files or screenshots you choose to attach to support requests.
• Basic technical security/operational data (for example IP address, user agent, request metadata) processed by hosting and infrastructure providers.
• If you use Ask George: recent normalized expense records, optional budget targets, selected currency, locale, timezone, and an anonymous client ID used for quota enforcement.
• The current data sent to Ask George does not include expense or budget notes/descriptions, attached place metadata, or GPS metadata.

Legal bases (Article 6 GDPR)

Depending on the request, one or more legal bases apply.

• Article 6(1)(b): contract steps or service delivery at your request.
• Article 6(1)(f): legitimate interests (support operations, abuse prevention, service reliability).
• Article 6(1)(c): compliance with legal obligations when required.
• Article 6(1)(a): consent, where we specifically ask for it (you can withdraw at any time).

Recipients and international transfers

Data may be processed by service providers acting as processors (for example hosting, email, support tooling, and AI service providers for optional Ask George requests). OpenAI is the current external AI provider used by the server for Ask George. Where data is transferred outside the EEA/UK, transfers are based on approved safeguards (such as adequacy decisions or Standard Contractual Clauses with supplementary measures where required).

Retention

We keep personal data only for as long as necessary for the stated purposes, then delete or anonymize it. Retention depends on purpose, legal obligations, and security/dispute needs.

• Support correspondence: targeted retention up to 12 months after closure, unless a longer period is required for legal or security reasons.
• Security/operational logs: kept according to infrastructure provider retention settings and security requirements.

Your rights

You may request access, rectification, erasure, restriction, portability, or objection, and you may withdraw consent where processing is based on consent. To exercise rights, contact support@expensifamily.com. We may verify identity before fulfilling requests, and we target responding within one month.

Automated decision-making and children

We do not use personal data for solely automated decisions producing legal or similarly significant effects. The service is not directed to children under the age applicable in your jurisdiction for independent consent.

Complaints

You have the right to lodge a complaint with your local supervisory authority (Article 77 GDPR), without prejudice to any other administrative or judicial remedy.