GDPR Compliance & Data Protection

Your rights under European data protection law

What is GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that gives you control over your personal data. As an EU resident, you have specific rights regarding how your data is collected, processed, and stored by ExpenzAI.

Legal Basis for Processing

Legitimate Interest

Processing receipt images and expense data to provide AI-powered categorization services

Contract Performance

Processing necessary to provide the expense tracking services you requested

Consent

Marketing communications and optional analytics (you can withdraw consent anytime)

Your GDPR Rights

1. Right of Access (Article 15)

You can request a copy of all personal data we hold about you, including:

  • Your account information and preferences
  • All uploaded receipts and extracted data
  • Spending analytics and categorizations
  • Processing logs and system interactions

2. Right to Rectification (Article 16)

Correct any inaccurate or incomplete data, including:

  • Profile information and account details
  • Incorrect expense categorizations
  • Receipt processing errors

3. Right to Erasure (Article 17)

Request deletion of your data when:

  • Data is no longer necessary for original purpose
  • You withdraw consent and no other legal basis exists
  • Data has been unlawfully processed
  • You close your account permanently

4. Right to Data Portability (Article 20)

Export your data in machine-readable format:

  • JSON export of all expenses and categories
  • CSV format for easy import to other tools
  • Original receipt images in ZIP archive

5. Right to Restrict Processing (Article 18)

Limit how we process your data while disputes are resolved

6. Right to Object (Article 21)

Object to processing based on legitimate interests, including:

  • Analytics and usage tracking
  • Marketing communications
  • Automated decision-making processes

International Data Transfers

Third Country Processing

Your data may be processed outside the EU/EEA by our service providers. All transfers are protected by appropriate safeguards:

  • OpenAI (AI Processing): receipt analysis and categorization. Safeguard: Adequate Protection
  • Vercel (Frontend Hosting): website hosting and CDN. Safeguard: Standard Contractual Clauses
  • Railway (Backend Hosting): API and database hosting. Safeguard: Standard Contractual Clauses
  • Cloudflare (CDN & Security): content delivery and DDoS protection. Safeguard: Standard Contractual Clauses
  • AWS S3 (File Storage): receipt image storage. Safeguard: Standard Contractual Clauses

Data Protection: All service providers are bound by contractual agreements to protect your data and comply with GDPR requirements.

How to Exercise Your Rights

Contact Information

To exercise any of your GDPR rights, contact me directly:

Email: [email protected]

Response Time: Within 30 days

Verification: Account authentication required

Complaint Rights

If you're not satisfied with how your request is handled, you have the right to lodge a complaint with your local data protection authority or the German Federal Commissioner for Data Protection and Freedom of Information (BfDI).

Data Retention Periods

Data Type        Retention Period         Reason
Account Data     Until account deletion   Service provision
Receipt Images   Until user deletion      Core functionality
Processing Logs  90 days                  Debugging & security
Analytics Data   12 months                Service improvement

Policy Updates

This GDPR compliance page will be updated as regulations evolve or as the service changes. Material changes affecting your rights will be communicated via email with at least 30 days' notice. Last updated: 8/28/2025