ExpenseGhost
© 2026 ExpenseGhost Labs · Public beta · June 2026

Privacy Policy

Last Updated: May 10, 2026

1. Introduction and Scope

This Privacy Policy (the “Policy”) describes how ExpenseGhost Labs, Inc., a Delaware corporation, together with its subsidiaries and affiliates (collectively, “ExpenseGhost,” “we,” “our,” or “us”), collects, uses, discloses, transfers, retains, and otherwise processes personal data and other information in connection with the ExpenseGhost website at expenseghost.app, our mobile applications, our web dashboard, our application programming interfaces (“APIs”), and any related products, services, content, integrations, or features that link to or reference this Policy (collectively, the “Service”).

This Policy is incorporated by reference into, and forms a binding part of, our Terms of Service. Your access to or use of the Service constitutes your acknowledgement of, and where required by applicable law, your consent to, the practices described in this Policy. If you do not agree with this Policy, you must not access or use the Service.

Effective date. This Policy is effective as of May 10, 2026, and supersedes all prior versions with respect to information processed on or after that date. Information processed before the effective date remains subject to the version of this Policy in force at the time of collection, except where applicable law requires otherwise.

Roles. When we collect and process personal data for our own purposes (for example, to administer your account, market our Service, or comply with law), we act as a “controller” (or “business” under California law). When we process personal data of a customer’s end users on that customer’s behalf and under that customer’s documented instructions (for example, employee or contractor expense data uploaded by an organization account), we act as a “processor” (or “service provider” under California law) and our processing of that data is governed primarily by the relevant Data Processing Addendum executed with that customer.

2. Definitions

For purposes of this Policy, capitalized terms have the meanings set forth in our Terms of Service. Additionally:

  • “Personal Data” (or “Personal Information”) means any information relating to an identified or identifiable natural person, or information that is linked or reasonably linkable to a particular consumer or household, as those concepts are defined under applicable privacy laws including Regulation (EU) 2016/679 (“GDPR”), the United Kingdom General Data Protection Regulation (“UK GDPR”), the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (“CCPA/CPRA”), and analogous state and national privacy statutes.
  • “Sensitive Personal Information” means personal data given heightened protection under applicable law, including financial account numbers in combination with security or access codes, government-issued identifiers, precise geolocation, and account credentials.
  • “Process” (or “Processing”) means any operation or set of operations performed on Personal Data, whether or not by automated means.
  • “Subprocessor” means any third party engaged by ExpenseGhost to Process Personal Data on our behalf in connection with the Service. The current list of Subprocessors is published at our Subprocessors page.

3. Categories of Personal Data We Collect

The categories of Personal Data we collect depend on how you interact with the Service. We collect the following categories, in each case as further described below:

3.1 Information You Provide Directly

  • Identifiers and account information. Full name, email address, telephone number (if provided), password (stored only in salted, one-way hashed form), profile photograph, time zone, language preference, organization name and role, and any other information you submit when creating, updating, or recovering an account.
  • Organization and team information. When you invite, accept an invitation from, or are otherwise associated with an organization, we collect the identifiers and role assignments necessary to administer the organization, attribute expenses, and enforce permissions.
  • Financial and transactional data. Expense entries, receipt images and extracted text, merchant identifiers, transaction amounts, dates, currencies, tax classifications, mileage records, journal entries, and any notes or attachments you add. Where you connect a financial institution through Plaid, we receive institution and account identifiers, masked account and routing numbers, balances, and transaction history; we do not receive or store your bank login credentials.
  • Billing and payment data. When you purchase a paid subscription, Stripe collects your payment card information and billing address on our behalf. Stripe transmits to us a tokenized reference, the last four digits and brand of your card, the expiration month and year, and limited address information. We do not store full payment card numbers or card verification values on our systems.
  • Tax-related information. Filing entity type, tax year selections, state of operation, dependents (if voluntarily entered for estimate purposes), and similar inputs needed to compute estimates and generate exports.
  • Communications. The contents of any messages, support inquiries, survey responses, feedback, or other communications you direct to us, including attachments and the metadata associated with them.

3.2 Information Collected Automatically

  • Device and connection data. Internet Protocol (IP) address, approximate (city- or region-level) geolocation derived from IP, device model, operating system and version, browser type and version, screen resolution, language settings, time zone, mobile carrier (where applicable), and unique device identifiers.
  • Usage and diagnostic data. Pages and screens viewed, features used, buttons and links interacted with, referring and exit URLs, timestamps, session duration, error logs, crash reports, latency metrics, and similar telemetry generated as you interact with the Service.
  • Cookies and similar technologies. First-party and limited third-party cookies, web beacons, pixel tags, software development kits, and local storage entries used for authentication, session continuity, security, preference persistence, fraud prevention, and product analytics. See Section 9 below.

3.3 Information Received from Third Parties

  • Identity providers. If you sign in using a third-party identity provider (such as Google or Apple), that provider transmits to us the identifiers, profile fields, and verification tokens you authorize to be shared.
  • Plaid. Plaid Inc. transmits institution metadata, account information, balance and transaction records, and connection-status signals on the basis of your authorization granted within the Plaid Link flow. Your relationship with Plaid is governed by the Plaid End User Privacy Policy at plaid.com/legal.
  • Stripe. Stripe Payments Company transmits payment confirmations, invoice metadata, dispute notifications, and limited cardholder data as described above.
  • Service providers and partners. Vendors that we engage to provide hosting, analytics, fraud detection, customer support, and similar functions transmit Personal Data back to us as part of delivering those services.

3.4 Sensitive Personal Information

In the course of providing the Service we Process limited categories of Sensitive Personal Information, including financial account numbers and access credentials in tokenized form (held by Plaid and Stripe rather than ExpenseGhost), account login credentials, and the contents of communications. We Process Sensitive Personal Information only for the limited purposes permitted by applicable law (including Cal. Civ. Code § 1798.121), namely to perform the Service requested, authenticate users, prevent and detect security incidents and fraud, ensure the integrity of the Service, and comply with law. We do not Process Sensitive Personal Information for purposes of inferring characteristics about you, and we do not sell or share Sensitive Personal Information for cross-context behavioral advertising.

4. Purposes for Which We Process Personal Data

We Process Personal Data for the following business and commercial purposes:

  • Service provision. To create and maintain accounts; authenticate users; provision and bill subscriptions; ingest, classify, and store receipts and transactions; generate exports, reports, and tax estimates; synchronize bank accounts; and otherwise deliver the features you request.
  • Communications. To respond to inquiries; deliver transactional messages including service announcements, security notices, billing notifications, receipt-processing confirmations, and account-recovery messages; and, where permitted, to send product updates, newsletters, and marketing communications you may unsubscribe from at any time.
  • Personalization and product improvement. To remember your preferences, infer feature priorities, conduct A/B and reliability experiments, measure adoption of new features, and improve the usability and accuracy of the Service. Where we improve our machine-learning models, we do so using aggregated, pseudonymized, or otherwise de-identified data, and we do not use customer financial transactions or receipt content to train general-purpose foundation models.
  • Security, fraud prevention, and abuse mitigation. To detect, investigate, and prevent unauthorized access, credential stuffing, account takeover, payment fraud, abuse of rate limits, and violations of our Terms of Service; to maintain audit logs; and to enforce our policies.
  • Legal and regulatory compliance. To comply with our obligations under applicable law (including financial, anti-money-laundering, sanctions, tax, consumer protection, and privacy law), respond to lawful requests from public authorities, enforce our agreements, and establish, exercise, or defend legal claims.
  • Corporate transactions. To evaluate, negotiate, and consummate mergers, acquisitions, financings, reorganizations, divestitures, bankruptcies, and similar transactions, subject to the safeguards described in Section 6.4.

5. Legal Bases for Processing (EEA, UK, and Switzerland)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, our Processing of your Personal Data is justified by one or more of the following legal bases under Article 6 GDPR (and, where applicable, Article 9 GDPR for special categories of data):

  • Performance of a contract (Art. 6(1)(b)): Processing necessary to provide the Service in accordance with our Terms of Service or to take steps at your request before entering into a contract.
  • Legitimate interests (Art. 6(1)(f)): Processing necessary for our legitimate interests or those of a third party, such as securing the Service, preventing fraud, conducting product analytics, communicating with users, and pursuing direct marketing within permitted limits, except where such interests are overridden by your interests, rights, or freedoms.
  • Compliance with legal obligations (Art. 6(1)(c)): Processing necessary for compliance with a legal obligation to which we are subject (e.g., tax, accounting, anti-money-laundering, and lawful access requests).
  • Consent (Art. 6(1)(a)): Processing carried out on the basis of your consent, which you may withdraw at any time without affecting the lawfulness of Processing carried out before withdrawal.
  • Vital interests and public interest (Art. 6(1)(d) and (e)): Processing necessary, in narrowly defined circumstances, to protect vital interests or to perform tasks carried out in the public interest.

6. How We Disclose Personal Data

We disclose Personal Data only as described in this Policy and only as necessary to accomplish the purposes for which it was collected.

6.1 To Other Members of Your Organization

Where you are a member of an organization account, the administrator(s) of that organization may have access to your account profile, role, expenses, receipts, comments, audit-log entries, and similar information necessary to administer the account. You should consult your organization’s internal policies for further information.

6.2 To Subprocessors

We engage a limited set of vendors to Process Personal Data on our behalf solely for the documented purposes set out in our agreements with them. Each Subprocessor is bound by written terms imposing confidentiality, security, and use-limitation obligations at least as protective as those set forth in this Policy. The current list of Subprocessors is maintained at our Subprocessors page.

6.3 For Legal Reasons

We may disclose Personal Data when we have a good-faith belief that disclosure is necessary to: (i) comply with applicable law, regulation, legal process, or enforceable governmental request (including subpoenas, search warrants, court orders, and similar process); (ii) enforce or apply our Terms of Service or other agreements; (iii) detect, prevent, or otherwise address fraud, security, or technical issues; or (iv) protect against harm to the rights, property, or safety of ExpenseGhost, our users, or the public. Where permitted by law, we will notify the affected user prior to disclosure unless doing so would violate law or court order, jeopardize an investigation, or risk imminent harm.

6.4 In Connection with Corporate Transactions

In the event of a merger, acquisition, financing, reorganization, sale of assets, bankruptcy, insolvency, or similar transaction or proceeding, Personal Data may be transferred to or shared with prospective or actual counterparties, advisors, and successors. Any successor entity will be bound to honor the commitments made in this Policy unless and until it provides reasonable notice of any changes.

6.5 With Your Direction or Consent

We disclose Personal Data to additional third parties when you direct us to do so or otherwise consent to the disclosure (for example, when you connect a third-party integration or download an export and provide it to your accountant).

6.6 De-identified or Aggregated Data

We may create and use de-identified, aggregated, anonymized, or otherwise non-identifiable data derived from Personal Data, and we may share such data without restriction, provided that we do not attempt to re-identify the data and we contractually prohibit recipients from doing so.

7. We Do Not Sell or “Share” Personal Information

ExpenseGhost does not sell Personal Information for monetary or other valuable consideration, and does not “share” Personal Information for purposes of cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, or any analogous law. We have not done so in the preceding twelve (12) months and have no present intention of doing so.

8. Financial Information — Gramm-Leach-Bliley Act Notice

Although ExpenseGhost is not a financial institution, we Process information originating from your financial institution(s) on your behalf and consistent with the principles of the Gramm-Leach-Bliley Act of 1999 and its implementing regulations (16 C.F.R. Part 314, the FTC Safeguards Rule), to the extent applicable. We restrict access to nonpublic personal financial information to authorized personnel and Subprocessors who require it to perform the Service; we maintain physical, electronic, and procedural safeguards reasonably designed to protect such information; and we contractually prohibit Subprocessors from using such information for any purpose other than performing the Service.

We do not disclose nonpublic personal financial information about current or former users to nonaffiliated third parties except as permitted by law, including for the purposes of providing the Service you have requested, processing transactions you have authorized, complying with legal process, preventing fraud, or as otherwise described in this Policy.

9. Cookies, Tracking Technologies, and Choices

We and our Subprocessors use cookies and similar technologies for the limited purposes of: (i) enabling authenticated sessions and remembering preferences; (ii) maintaining security, preventing fraud, and detecting anomalies; (iii) measuring product usage to improve the Service; and (iv) where you opt in, additional analytics functions. We categorize these technologies as follows:

  • Strictly necessary. Required to operate the Service (e.g., authentication tokens, CSRF protection, load balancing). These cannot be disabled without rendering the Service inoperable.
  • Functional. Used to remember preferences such as theme, locale, and dashboard layout.
  • Analytics. First-party telemetry used to measure adoption, latency, and reliability. Where required by law, we obtain consent before deploying these.

Do Not Track. Because there is no industry consensus on how to interpret the “Do Not Track” HTTP header, we do not currently respond to DNT signals. We do, however, honor the Global Privacy Control (“GPC”) signal where required by applicable law as a request to opt out of the “sale” or “sharing” of Personal Information; because we do not engage in either, the GPC signal does not change our Processing.

You may control cookies through your browser settings. Disabling strictly necessary cookies will prevent the Service from functioning correctly.

10. Data Retention

We retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected, including any legal, accounting, audit, or reporting requirements, or to resolve disputes and enforce our agreements. Specific retention periods include:

  • Account profile data: for the life of your account, plus up to ninety (90) days after closure to facilitate restoration, dispute resolution, and regulatory inquiries.
  • Receipts, expenses, and journal entries: for the life of your account, plus a tax-records retention period of up to seven (7) years to support your post-cancellation access to records of audited periods, unless you request earlier deletion.
  • Billing records and invoices: for a period of up to seven (7) years following the close of the relevant tax year, in accordance with applicable tax and accounting law.
  • Authentication and security logs: typically thirteen (13) months, which may be extended as necessary to investigate suspected fraud or unlawful activity.
  • Support communications: typically twenty-four (24) months from the close of the relevant ticket.
  • De-identified or aggregated data: indefinitely, provided we do not attempt to re-identify it.

Where you have requested deletion, we will delete or anonymize the relevant Personal Data within thirty (30) days of confirmed receipt of your request, subject to exceptions for legal hold, ongoing transactions, audit, security investigations, or other circumstances permitted by applicable law. Backups containing Personal Data that has been deleted from production systems will be overwritten in the ordinary course of our backup rotation and will not be restored except as required by law.

11. Your Privacy Rights

11.1 Rights Available to All Users

Subject to applicable law and to the verification procedures described below, you may:

  • access the Personal Data we hold about you;
  • correct or update inaccurate or incomplete Personal Data;
  • request deletion of your Personal Data;
  • receive a copy of your Personal Data in a structured, commonly used, machine-readable format and, where technically feasible, request that we transmit it directly to another controller (data portability);
  • object to or restrict certain Processing, including direct marketing;
  • withdraw consent where Processing is based on your consent, without affecting the lawfulness of Processing carried out before withdrawal;
  • lodge a complaint with the data protection authority of your habitual residence, place of work, or place of the alleged infringement.

11.2 Additional Rights for U.S. State Residents

Residents of California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, Delaware, New Jersey, New Hampshire, Minnesota, Maryland, Rhode Island, Kentucky, and other states with comprehensive privacy laws may have additional rights, including the rights to:

  • confirm whether we Process your Personal Information;
  • access the categories of Personal Information we have collected, the categories of sources, the categories of third parties to whom we have disclosed it, and the business or commercial purpose for collection;
  • opt out of any “sale” or “sharing” of Personal Information, and of profiling in furtherance of decisions producing legal or similarly significant effects (although, as noted above, we do not engage in such activities);
  • limit our use and disclosure of Sensitive Personal Information;
  • appeal our refusal to act on a request, where required by applicable law (e.g., Va. Code § 59.1-577(C); C.R.S. § 6-1-1306(3));
  • exercise the rights described above without retaliation, denial of service, differential pricing, or other discriminatory treatment.

11.3 California “Shine the Light”

California Civil Code § 1798.83 entitles California residents to request, once per calendar year, information regarding our disclosure of Personal Information to third parties for those parties’ direct-marketing purposes. We do not engage in such disclosures, but you may direct any such request to privacy@expenseghost.app.

11.4 How to Exercise Your Rights

You may exercise your rights by submitting a request in writing to privacy@expenseghost.app or through the in-app data-rights tool available in your account settings. You may also designate an authorized agent to submit a request on your behalf, in which case we will request reasonable proof of authorization (such as a signed permission, a power of attorney, or, for organizations, evidence of incorporation and the agent’s authority to act).

Verification. To protect the security of your Personal Data, we must verify your identity before fulfilling your request. We will request information sufficient to match the identifying information we already maintain (typically your registered email address, account identifier, and confirmation of recent account activity). We will not use information collected for verification for any other purpose. If we cannot verify your identity to a degree of certainty proportionate to the sensitivity of the request, we may decline the request and advise you of the reason.

Response timing. We will respond within the timeframes required by applicable law (typically forty-five (45) days under U.S. state laws, with a single forty-five (45) day extension where reasonably necessary, and one (1) month under GDPR/UK GDPR, with a two (2) month extension where reasonably necessary).

12. Automated Decision-Making and Profiling

We use automated processes (including machine-learning models and rule-based classifiers) to extract data from receipts, classify transactions, suggest categories and tax treatments, detect anomalies, and prevent fraud. These automated processes do not produce legal or similarly significant effects concerning you within the meaning of Article 22 GDPR, and they are subject to human review and override by you and by your tax professional. You retain the right to correct categorizations, override suggestions, and delete or modify outputs at any time. Where required by applicable law, we will provide additional disclosures and opt-out rights with respect to profiling activities that produce legal or similarly significant effects, and we will conduct data-protection impact assessments before undertaking such activities.

13. International Data Transfers

ExpenseGhost is headquartered in the United States. Personal Data we collect may be transferred to, stored in, and Processed in the United States and any other country in which we or our Subprocessors maintain facilities. The data-protection laws of these countries may differ from those of your jurisdiction.

For transfers from the European Economic Area, the United Kingdom, or Switzerland, we rely on one or more of the following safeguards: (i) the European Commission’s Standard Contractual Clauses (Decision 2021/914), incorporating Module Two or Module Three as appropriate, supplemented where necessary by additional technical and contractual safeguards identified through a transfer impact assessment; (ii) the United Kingdom International Data Transfer Addendum issued under section 119A of the Data Protection Act 2018; (iii) the Swiss Federal Data Protection and Information Commissioner’s adapted clauses; and (iv) where applicable, the EU–U.S., UK Extension, and Swiss–U.S. Data Privacy Frameworks. You may request a copy of the relevant transfer mechanism by contacting privacy@expenseghost.app.

14. Data Security

We maintain a written information security program designed to protect Personal Data against unauthorized access, disclosure, alteration, and destruction. The program incorporates administrative, technical, and physical safeguards proportionate to the volume and sensitivity of the Personal Data we Process, including:

  • encryption of Personal Data in transit using Transport Layer Security (TLS) 1.2 or higher and of Personal Data at rest using AES-256 or an equivalent algorithm;
  • role-based access controls, principle-of-least-privilege provisioning, and multi-factor authentication for personnel access to production systems;
  • row-level security at the database tier, which restricts queries to data the authenticated principal is entitled to access;
  • continuous logging and monitoring, automated vulnerability scanning, and third-party penetration testing on a recurring schedule;
  • a documented secure-software-development lifecycle, including peer code review, dependency scanning, and supply-chain integrity controls;
  • personnel onboarding, training, background screening (where lawful), and confidentiality undertakings; and
  • a documented incident-response plan with defined roles, escalation procedures, and post-incident review.

No method of transmission over the Internet or method of electronic storage is completely secure, and we cannot guarantee the absolute security of Personal Data. You are responsible for safeguarding your account credentials and for promptly notifying us of any actual or suspected unauthorized access at security@expenseghost.app.

15. Data Breach Notification

In the event of a Personal Data breach that is reasonably likely to result in a risk to the rights and freedoms of natural persons, or that otherwise triggers a statutory notification obligation, we will notify the relevant supervisory authorities and affected individuals without undue delay and within the timeframes required by applicable law (including, where applicable, within seventy-two (72) hours under Article 33 GDPR). Notifications will describe, to the extent then known, the nature of the breach, the categories and approximate number of individuals and records affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate its possible adverse effects.

16. Children’s Privacy

The Service is not directed to, and we do not knowingly collect Personal Data from, children under the age of eighteen (18). The Service is intended for use by individuals operating in a business or professional capacity. If we become aware that we have inadvertently collected Personal Data from a child under the age of thirteen (13) in violation of the Children’s Online Privacy Protection Act (15 U.S.C. §§ 6501–6506), or from a person under the age of eighteen (18) where prohibited by other applicable law, we will delete that data promptly. To report a concern, contact privacy@expenseghost.app.

17. Marketing Communications

We may send you marketing communications about features, promotions, and content that we believe may be of interest to you. You may opt out of marketing communications at any time by clicking the “unsubscribe” link contained in any such communication or by emailing privacy@expenseghost.app. Opting out of marketing communications will not affect transactional or service-related communications, which are necessary for the Service.

18. Linked Sites and Third-Party Services

The Service may contain links to, and may integrate with, websites and services operated by third parties. This Policy does not apply to those third-party services, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services with which you interact.

19. EU and UK Representatives

Where required by Article 27 GDPR or Article 27 UK GDPR, we have appointed a representative in the European Union and in the United Kingdom to act as our point of contact for individuals and supervisory authorities on matters relating to the Processing of Personal Data. To request the contact details of our representatives, email privacy@expenseghost.app.

20. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, Service features, applicable law, or for other operational, legal, or regulatory reasons. When we make material changes, we will notify you by email to the address associated with your account or through prominent in-product notice at least thirty (30) days before the changes take effect, unless a shorter period is required by law. The “Last Updated” date at the top of this Policy indicates when it was last revised. Your continued use of the Service following the effective date of the revised Policy constitutes your acceptance of the changes.

21. Contact Us

For questions, requests, or complaints regarding this Policy or our Processing of your Personal Data, please contact our privacy team:

Email: privacy@expenseghost.app

General inquiries: hello@expenseghost.app

Security incidents: security@expenseghost.app

Company: ExpenseGhost Labs, Inc.


By accessing or using ExpenseGhost, you acknowledge that you have read and understood this Privacy Policy.