Privacy Policy

Last updated: March 2026

We know privacy policies can be a pain to read — so we've tried to write this one in plain English. No legal jargon, no waffle. Just a straightforward explanation of what we collect, why we need it, and how we keep it safe. If something isn't clear, just get in touch and we'll explain it.

Data Controller

Devespresso, trading as Expensio

Expensio is operated by Devespresso, an independent operator.

For any privacy-related enquiries, contact: [email protected]

1. Legal Basis for Processing

We are committed to protecting your data. Your personal and financial information is yours, and we treat it that way.

Access to your data within Expensio is strictly limited to senior-level engineers who may require it solely for the purpose of maintaining, debugging, or improving the platform. No one accesses your data out of curiosity or for any unauthorised reason.

We do not access, review, or share your personal data unless we are legally required to do so — for example, in response to a valid court order, law enforcement request, or other legal obligation. If we are ever required to disclose your data to a third party by law, we will notify you as soon as we are legally permitted to do so.

The legal bases under which we process your personal data are:

  • Contract performance — processing your account information is necessary to provide the Expensio service you have signed up for.
  • Legitimate interests — processing usage and technical data to maintain security, prevent abuse, and improve the platform.
  • Legal obligation — disclosing data when required by applicable law or court order.
  • Consent — where you have explicitly agreed to specific processing, such as receiving communications from us.

2. Information We Collect

We collect the following types of information when you use Expensio:

  • Account information: the only details required to use Expensio are your name, email address, and a password. Phone number, postal address, and postcode are entirely optional and can be added later in your account settings if you choose to provide them.
  • Financial data: transactions, categories, budgets, and any other data you enter or import into the platform.
  • Usage data: pages visited, features used, and general interaction patterns to help us improve the service.
  • Technical data: IP address, browser type, device information, and cookies for session management.

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Expensio service.
  • Authenticate your account and keep it secure.
  • Send transactional emails such as email verification and password resets.
  • Analyse usage patterns to improve the platform.
  • Respond to support requests or enquiries you send us.

4. Your Financial Data

The financial data you enter into Expensio — including transactions, budgets, and categories — belongs to you. We do not analyse, sell, or share this data with third parties for advertising or any commercial purpose.

Expensio does not connect to your bank accounts directly. All financial data is provided by you, either through manual entry or CSV file imports.

If you import a file by mistake and the data has already been processed, you can easily undo it by deleting the import. Deleting an import will permanently remove all transactions that were brought in by that file, unlinking them entirely from your account.

Expensio is a data management and tracking tool only. We are not a bank, financial institution, or payment processor. We do not have access to your real bank accounts, payment methods, or subscriptions. We cannot process refunds, cancel subscriptions, reverse transactions, or take any action on your behalf with any financial provider. All data within Expensio is a reflection of records you have chosen to import or enter — it does not affect your real-world finances in any way.

5. Data Storage and Security

Your data is stored securely on our servers. We use industry-standard measures including encryption in transit (HTTPS) and at rest to protect your information.

  • Personal data — including your email address, phone number, postal address, and postcode — is encrypted at the field level before being stored in our database. This means your sensitive details are protected even in the unlikely event of unauthorised database access.
  • Any files you upload (such as CSV bank statements) are stored securely and immediately renamed using a cryptographic hash to prevent identification. Once the file has been processed and is no longer required, it is permanently deleted from our servers.
  • Passwords are never stored in plain text. We use strong one-way hashing with a unique salt per user, meaning your password cannot be reversed or recovered — not even by us.
  • While we take reasonable steps to protect your data, no method of transmission over the internet is 100% secure. We encourage you to use a strong, unique password and to keep your account credentials private.

6. Hosting Infrastructure

Expensio uses a combination of trusted, industry-leading cloud infrastructure providers to host and operate the platform:

  • Hetzner — used for primary server infrastructure. Hetzner operates data centres in Germany and Finland, both within the EU, and adheres to strict data protection standards.
  • DigitalOcean — used for additional compute and storage services. DigitalOcean maintains SOC 2 Type II certification and complies with GDPR requirements.
  • Amazon Web Services (AWS) — used for cloud storage, delivery, and transactional email (via Amazon SES). AWS is certified under ISO 27001, SOC 1/2/3, and GDPR-compliant frameworks. As AWS operates globally, some data may be processed outside the UK/EU; this is covered by Standard Contractual Clauses (SCCs).
  • Stripe — used as our payment processor for any paid plans. Stripe is PCI DSS Level 1 certified, the highest level of payment security certification. We do not store your card details on our servers — all payment information is handled directly and securely by Stripe.

Each provider is contractually bound to process your data only on our behalf. They have no right to use your data for their own purposes.

6a. International Data Transfers

Most of your data is hosted within the EU (Hetzner). However, AWS operates globally, so some data may be processed outside the UK or EU. When this occurs:

  • We only use providers that meet an equivalent level of data protection to the UK/EU.
  • We ensure Standard Contractual Clauses (SCCs) are in place to legally protect your data.
  • If we ever need to move your data to a new hosting provider, we will notify you by email in advance. You can always delete your account before any transfer if you prefer.

7. Data Breach Notification

In the unlikely event of a data breach, here is what we will do:

  • Notify the relevant supervisory authority within 72 hours of becoming aware — as required by law.
  • Contact you directly if your personal data is at risk, without undue delay.
  • Tell you what happened, what data was affected, the likely consequences, and the steps we are taking to fix it.

8. Cookies

We use two types of cookies:

  • Essential cookies — used for session management and authentication. These are required for the platform to work. Without them, you will not be able to log in.
  • Analytics cookies — we use Google Analytics to understand how people use Expensio (e.g. which pages are visited, how long sessions last). This helps us improve the platform. Google Analytics may process data outside the UK/EU; Google is certified under standard data protection frameworks.

We will ask for your consent before placing any analytics cookies. You can withdraw your consent or opt out of Google Analytics at any time by adjusting your cookie preferences or by using the Google Analytics opt-out browser add-on available at tools.google.com/dlpage/gaoptout.

9. Sharing of Information

We do not sell, trade, or rent your personal information to third parties. We may share information only in the following limited circumstances:

  • With the infrastructure and service providers named in Section 6, who are contractually bound to process your data only on our behalf.
  • With users you invite to your account — if you invite someone, they will have access to the financial data within your account (including transactions, budgets, and reports) based on the role you assign them. You are responsible for managing who has access and can remove invited users at any time.
  • If required by law, court order, or to protect the rights and safety of Expensio or its users.
  • In connection with a merger, acquisition, or sale of assets — you will be notified in advance.

10. Data Retention

We only keep your data for as long as we need it:

  • Account data is retained for as long as your account is active. When you delete your account, it enters a 30-day grace period before being permanently erased — see Section 10a for full details.
  • New accounts have a 7-day activation window. If email verification is not completed within 7 days, the account and all associated data is automatically and permanently deleted.
  • Server logs — including IP addresses and request data — are retained for up to 90 days for security and debugging, then automatically deleted.

10a. User Deletion

A quick note on terminology: in Expensio, your user is your personal login profile — the identity you use to sign in. An account is a financial workspace you create or belong to; one user can own or be a member of multiple accounts. This section covers what happens when you delete your user — that is, yourself as a person on the platform.

When you delete your user, it is not immediately and permanently erased. Your user enters a 30-day grace period — we call this a soft deletion.

During this 30-day window:

  • Your user becomes inaccessible — you will not be able to log in or use the service.
  • Your data is retained internally and is not yet permanently deleted.
  • You can restore your user at any time within those 30 days by contacting us at [email protected]. We will reactivate your login with all your data intact.

After 30 days, your user and all associated data — including any accounts you own, transactions, budgets, categories, recurring payments, and personal information — is permanently and irreversibly deleted from our systems. We cannot recover your data after this point under any circumstances, even if you contact us.

We will send you an email confirmation when a deletion is requested. We strongly recommend exporting your data before deleting your user.

11. Your Rights

You have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Correction — ask us to fix any inaccurate data.
  • Deletion — permanently delete your account and all associated data at any time, with no questions asked. You can do this from your account settings or by contacting us directly.
  • Portability — the account owner can request a full data export directly from their account settings. Invited members and other users on the account cannot make this request.
  • What's included — the export is a CSV file containing your payments, recurring payments, and account information. Data belonging to other users on your account is not included.
  • How it's delivered — once generated, you'll receive an email with a secure download link. The CSV is not attached directly for security. The link is valid for 24 hours, after that, the file is permanently deleted from our servers, regardless of whether it was downloaded.
  • Restriction — object to or request that we limit how we process your data.
  • Withdraw consent — if we rely on your consent to process data, you can withdraw it at any time. This does not affect anything that was processed before the withdrawal.

If you have any concerns about how we handle your data, please contact us first at [email protected] — we take all privacy concerns seriously and will do our best to resolve them quickly and fairly.

If your concern remains unresolved, you have the right to lodge a complaint with your national data protection authority. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk. EU users may contact the supervisory authority in their country of residence.

12. Automated Decision-Making

We do not use any automated decision-making or profiling that produces legal or similarly significant effects on you. No decisions about you are made solely by automated means.

13. Marketing Communications

We send two types of email:

  • Transactional emails — email verification, password resets, and important account or security notifications. These are required and cannot be opted out of.
  • Newsletter — occasional emails covering platform updates, new features, and offers. This is entirely optional.

You can opt in or out of the newsletter at any time — either from your account settings or by clicking the unsubscribe link at the bottom of any newsletter email. We will never send you marketing emails without your consent.

14. Children's Privacy

Expensio is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

15. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of England and Wales. Any disputes relating to this policy will be subject to the exclusive jurisdiction of the courts of England and Wales.

16. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. For significant changes, we will notify you directly. Continued use of Expensio after changes are posted constitutes your acceptance of the updated policy.

17. Contact Us

If you have any questions or concerns about this Privacy Policy or how your data is handled, please contact us at [email protected].

© 2026 Expensio. All rights reserved.

TermsPrivacyCookiesSecurityBack to Home