ExpenseGhost
© 2026 ExpenseGhost Labs · Public beta · June 2026

Privacy Policy.

Last updated May 27, 2026.

1. Introduction and Scope

This Privacy Policy (the “Policy”) describes how ExpenseGhost Labs, Inc., a Delaware corporation, together with its subsidiaries and affiliates (collectively, “ExpenseGhost,” “we,” “our,” or “us”), collects, uses, discloses, transfers, retains, and otherwise processes personal data and other information in connection with the ExpenseGhost website at expenseghost.app, our mobile applications, our web dashboard, our application programming interfaces (“APIs”), and any related products, services, content, integrations, or features that link to or reference this Policy (collectively, the “Service”).

This Policy is incorporated by reference into, and forms a binding part of, our Terms of Service. Your access to or use of the Service constitutes your acknowledgement of, and where required by applicable law, your consent to, the practices described in this Policy. If you do not agree with this Policy, you must not access or use the Service.

Effective date. This Policy is effective as of May 27, 2026, and supersedes all prior versions with respect to information processed on or after that date. Information processed before the effective date remains subject to the version of this Policy in force at the time of collection, except where applicable law requires otherwise.

Roles. When we collect and process personal data for our own purposes (for example, to administer your account, market our Service, or comply with law), we act as a “controller” (or “business” under California law). When we process personal data of a customer’s end users on that customer’s behalf and under that customer’s documented instructions (for example, employee or contractor expense data uploaded by an organization account), we act as a “processor” (or “service provider” under California law) and our processing of that data is governed primarily by the relevant Data Processing Addendum executed with that customer.

2. Definitions

For purposes of this Policy, capitalized terms have the meanings set forth in our Terms of Service. Additionally:

  • “Personal Data” (or “Personal Information”) means any information relating to an identified or identifiable natural person, or information that is linked or reasonably linkable to a particular consumer or household, as those concepts are defined under applicable U.S. privacy laws including the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (“CCPA/CPRA”) and analogous state privacy statutes.
  • “Sensitive Personal Information” means personal data given heightened protection under applicable law, including financial account numbers in combination with security or access codes, government-issued identifiers, precise geolocation, and account credentials.
  • “Process” (or “Processing”) means any operation or set of operations performed on Personal Data, whether or not by automated means.
  • “Subprocessor” means any third party engaged by ExpenseGhost to Process Personal Data on our behalf in connection with the Service. The current list of Subprocessors is published at our Subprocessors page.

3. Categories of Personal Data We Collect

The categories of Personal Data we collect depend on how you interact with the Service. We collect the following categories, in each case as further described below:

3.1 Information You Provide Directly

  • Identifiers and account information. Full name, email address, telephone number (if provided), password (stored only in salted, one-way hashed form), profile photograph, time zone, language preference, organization name and role, and any other information you submit when creating, updating, or recovering an account.
  • Organization and team information. When you invite, accept an invitation from, or are otherwise associated with an organization, we collect the identifiers and role assignments necessary to administer the organization, attribute expenses, and enforce permissions.
  • Financial and transactional data. Expense entries, receipt images and extracted text, merchant identifiers, transaction amounts, dates, currencies, tax classifications, mileage records, journal entries, and any notes or attachments you add. Where you connect a financial institution through Plaid, we receive institution and account identifiers, masked account and routing numbers, balances, and transaction history; we do not receive or store your bank login credentials.
  • Billing and payment data. When you purchase a paid subscription, Stripe collects your payment card information and billing address on our behalf. Stripe transmits to us a tokenized reference, the last four digits and brand of your card, the expiration month and year, and limited address information. We do not store full payment card numbers or card verification values on our systems.
  • Tax-related information. Filing entity type, tax year selections, state of operation, dependents (if voluntarily entered for estimate purposes), and similar inputs needed to compute estimates and generate exports.
  • Communications. The contents of any messages, support inquiries, survey responses, feedback, or other communications you direct to us, including attachments and the metadata associated with them.
  • Consent records. When you create an account, you affirm agreement to this Privacy Policy and our Terms of Service by checking the agreement box before submitting. We record that affirmation as two separate append-only audit-log entries — one for the Terms of Service and one for the Privacy Policy — each stamped with the version string of the document you saw, the timestamp, and the originating IP address and User-Agent of the device that submitted it. Recording them as separate entries keeps each surface independently revocable in the future. We record additional grants and revocations the same way when you connect or disconnect a financial institution through Plaid (see Section 3.3).

3.2 Information Collected Automatically

  • Device and connection data. Internet Protocol (IP) address, approximate (city- or region-level) geolocation derived from IP, device model, operating system and version, browser type and version, screen resolution, language settings, time zone, mobile carrier (where applicable), and unique device identifiers.
  • Usage and diagnostic data. Pages and screens viewed, features used, buttons and links interacted with, referring and exit URLs, timestamps, session duration, error logs, crash reports, latency metrics, and similar telemetry generated as you interact with the Service.
  • Cookies and similar technologies. First-party and limited third-party cookies, web beacons, pixel tags, software development kits, and local storage entries used for authentication, session continuity, security, preference persistence, fraud prevention, and product analytics. See Section 8 below.

3.3 Information Received from Third Parties

  • Identity providers. If you sign in using a third-party identity provider (such as Google or Apple), that provider transmits to us the identifiers, profile fields, and verification tokens you authorize to be shared.
  • Plaid. Plaid Inc. transmits institution metadata, account information, balance and transaction records, and connection-status signals on the basis of your authorization granted within the Plaid Link flow. Your relationship with Plaid is governed by the Plaid End User Privacy Policy at plaid.com/legal. Before the Plaid Link flow opens, we present an in-app consent screen describing what we will access through Plaid, why we will access it, who processes it, and how you can disconnect. Your click of “Connect with Plaid” is recorded by ExpenseGhost as an explicit grant, together with the timestamp, originating IP address, and User-Agent of the device that gave it, in an append-only audit log stored in our database. The version string of the consent surface you saw is recorded alongside the grant so that we can later reconstruct the exact text you agreed to. If you subsequently disconnect a linked institution from your accounts page, we record a corresponding revocation in the same audit log, revoke our access token at Plaid via Plaid’s /item/remove endpoint, and delete the encrypted access token from our database. The raw transaction records we cached from that institution are deleted within 90 days of disconnect; the bookkeeping entries derived from them (your journal entries and the financial statements they feed) are retained to preserve your accounting records, and you may request their earlier deletion through the rights process in Section 10.
  • Stripe. Stripe Payments Company transmits payment confirmations, invoice metadata, dispute notifications, and limited cardholder data as described above.
  • Service providers and partners. Vendors that we engage to provide hosting, analytics, fraud detection, customer support, and similar functions transmit Personal Data back to us as part of delivering those services.

3.4 Sensitive Personal Information

In the course of providing the Service we Process limited categories of Sensitive Personal Information, including financial account numbers and access credentials in tokenized form (held by Plaid and Stripe rather than ExpenseGhost), account login credentials, and the contents of communications. We Process Sensitive Personal Information only for the limited purposes permitted by applicable law (including Cal. Civ. Code § 1798.121), namely to perform the Service requested, authenticate users, prevent and detect security incidents and fraud, ensure the integrity of the Service, and comply with law. We do not Process Sensitive Personal Information for purposes of inferring characteristics about you, and we do not sell or share Sensitive Personal Information for cross-context behavioral advertising.

4. Purposes for Which We Process Personal Data

We Process Personal Data for the following business and commercial purposes:

  • Service provision. To create and maintain accounts; authenticate users; provision and bill subscriptions; ingest, classify, and store receipts and transactions; generate exports, reports, and tax estimates; synchronize bank accounts; and otherwise deliver the features you request.
  • Communications. To respond to inquiries; deliver transactional messages including service announcements, security notices, billing notifications, receipt-processing confirmations, and account-recovery messages; and, where permitted, to send product updates, newsletters, and marketing communications you may unsubscribe from at any time.
  • Personalization and product improvement. To remember your preferences, infer feature priorities, conduct A/B and reliability experiments, measure adoption of new features, and improve the usability and accuracy of the Service. Where we improve our machine-learning models, we do so using aggregated, pseudonymized, or otherwise de-identified data, and we do not use customer financial transactions or receipt content to train general-purpose foundation models.
  • Security, fraud prevention, and abuse mitigation. To detect, investigate, and prevent unauthorized access, credential stuffing, account takeover, payment fraud, abuse of rate limits, and violations of our Terms of Service; to maintain audit logs; and to enforce our policies.
  • Legal and regulatory compliance. To comply with our obligations under applicable law (including financial, anti-money-laundering, sanctions, tax, consumer protection, and privacy law), respond to lawful requests from public authorities, enforce our agreements, and establish, exercise, or defend legal claims.
  • Corporate transactions. To evaluate, negotiate, and consummate mergers, acquisitions, financings, reorganizations, divestitures, bankruptcies, and similar transactions, subject to the safeguards described in Section 5.4.

5. How We Disclose Personal Data

We disclose Personal Data only as described in this Policy and only as necessary to accomplish the purposes for which it was collected.

5.1 To Other Members of Your Organization

Where you are a member of an organization account, the administrator(s) of that organization may have access to your account profile, role, expenses, receipts, comments, audit-log entries, and similar information necessary to administer the account. You should consult your organization’s internal policies for further information.

5.2 To Subprocessors

We engage a limited set of vendors to Process Personal Data on our behalf solely for the documented purposes set out in our agreements with them. Each Subprocessor is bound by written terms imposing confidentiality, security, and use-limitation obligations at least as protective as those set forth in this Policy. The current list of Subprocessors is maintained at our Subprocessors page.

5.3 For Legal Reasons

We may disclose Personal Data when we have a good-faith belief that disclosure is necessary to: (i) comply with applicable law, regulation, legal process, or enforceable governmental request (including subpoenas, search warrants, court orders, and similar process); (ii) enforce or apply our Terms of Service or other agreements; (iii) detect, prevent, or otherwise address fraud, security, or technical issues; or (iv) protect against harm to the rights, property, or safety of ExpenseGhost, our users, or the public. Where permitted by law, we will notify the affected user prior to disclosure unless doing so would violate law or court order, jeopardize an investigation, or risk imminent harm.

5.4 In Connection with Corporate Transactions

In the event of a merger, acquisition, financing, reorganization, sale of assets, bankruptcy, insolvency, or similar transaction or proceeding, Personal Data may be transferred to or shared with prospective or actual counterparties, advisors, and successors. Any successor entity will be bound to honor the commitments made in this Policy unless and until it provides reasonable notice of any changes.

5.5 With Your Direction or Consent

We disclose Personal Data to additional third parties when you direct us to do so or otherwise consent to the disclosure (for example, when you connect a third-party integration or download an export and provide it to your accountant).

5.6 De-identified or Aggregated Data

We may create and use de-identified, aggregated, anonymized, or otherwise non-identifiable data derived from Personal Data, and we may share such data without restriction, provided that we do not attempt to re-identify the data and we contractually prohibit recipients from doing so.

6. We Do Not Sell or “Share” Personal Information

ExpenseGhost does not sell Personal Information for monetary or other valuable consideration, and does not “share” Personal Information for purposes of cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, or any analogous law. We have not done so in the preceding twelve (12) months and have no present intention of doing so.

7. Financial Information — Gramm-Leach-Bliley Act Notice

Although ExpenseGhost is not a financial institution, we Process information originating from your financial institution(s) on your behalf and consistent with the principles of the Gramm-Leach-Bliley Act of 1999 and its implementing regulations (16 C.F.R. Part 314, the FTC Safeguards Rule), to the extent applicable. We restrict access to nonpublic personal financial information to authorized personnel and Subprocessors who require it to perform the Service; we maintain physical, electronic, and procedural safeguards reasonably designed to protect such information; and we contractually prohibit Subprocessors from using such information for any purpose other than performing the Service.

We do not disclose nonpublic personal financial information about current or former users to nonaffiliated third parties except as permitted by law, including for the purposes of providing the Service you have requested, processing transactions you have authorized, complying with legal process, preventing fraud, or as otherwise described in this Policy.

8. Cookies, Tracking Technologies, and Choices

We and our Subprocessors use cookies and similar technologies for the limited purposes of: (i) enabling authenticated sessions and remembering preferences; (ii) maintaining security, preventing fraud, and detecting anomalies; (iii) measuring product usage to improve the Service; and (iv) where you opt in, additional analytics functions. We categorize these technologies as follows:

  • Strictly necessary. Required to operate the Service (e.g., authentication tokens, CSRF protection, load balancing). These cannot be disabled without rendering the Service inoperable.
  • Functional. Used to remember preferences such as theme, locale, and dashboard layout.
  • Analytics. First-party telemetry used to measure adoption, latency, and reliability. Where required by law, we obtain consent before deploying these.

Do Not Track. Because there is no industry consensus on how to interpret the “Do Not Track” HTTP header, we do not currently respond to DNT signals. We do, however, honor the Global Privacy Control (“GPC”) signal where required by applicable law as a request to opt out of the “sale” or “sharing” of Personal Information; because we do not engage in either, the GPC signal does not change our Processing.

You may control cookies through your browser settings. Disabling strictly necessary cookies will prevent the Service from functioning correctly.

9. Data Retention

We retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected, including any legal, accounting, audit, or reporting requirements, or to resolve disputes and enforce our agreements. Specific retention periods include:

  • Account profile data: for the life of your account, plus up to ninety (90) days after closure to facilitate restoration, dispute resolution, and regulatory inquiries.
  • Receipts, expenses, and journal entries: for the life of your account, plus a tax-records retention period of up to seven (7) years to support your post-cancellation access to records of audited periods, unless you request earlier deletion.
  • Billing records and invoices: for a period of up to seven (7) years following the close of the relevant tax year, in accordance with applicable tax and accounting law.
  • Authentication and security logs: typically thirteen (13) months, which may be extended as necessary to investigate suspected fraud or unlawful activity.
  • Consent and revocation audit records: for the life of the related processing relationship plus a period of up to seven (7) years following the latest consent event, to preserve a verifiable record of what you agreed to, when, and from what device, and of any subsequent revocation. These records cover, at minimum, grants and revocations of Plaid data-access authorization.
  • Support communications: typically twenty-four (24) months from the close of the relevant ticket.
  • De-identified or aggregated data: indefinitely, provided we do not attempt to re-identify it.

Where you have requested deletion — whether by closing your account in-product (see Section 10.5) or by submitting a deletion request to our privacy team (see Section 10.4) — we will delete or anonymize the relevant Personal Data within the applicable timeframe described in those sections, subject to exceptions for legal hold, ongoing transactions, audit, security investigations, mandatory tax and accounting retention, or other circumstances permitted by applicable law. Backups containing Personal Data that has been deleted from production systems age out within thirty-five (35) days in the ordinary course of our backup rotation and are not restored except as required by law.

10. Your Privacy Rights

10.1 Rights Available to All Users

Subject to applicable law and to the verification procedures described below, you may:

  • access the Personal Data we hold about you;
  • correct or update inaccurate or incomplete Personal Data;
  • request deletion of your Personal Data;
  • receive a copy of your Personal Data in a structured, commonly used, machine-readable format and, where technically feasible, request that we transmit it directly to another business (data portability);
  • object to or restrict certain Processing, including direct marketing;
  • withdraw consent where Processing is based on your consent, without affecting the lawfulness of Processing carried out before withdrawal — including, for any linked financial institution, by disconnecting that institution from your accounts page at any time, which revokes our access token at Plaid and records the revocation as an audit-log entry;
  • lodge a complaint with the U.S. Federal Trade Commission or with the attorney general or privacy regulator of your state of residence.

10.2 Additional Rights for U.S. State Residents

Residents of California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, Delaware, New Jersey, New Hampshire, Minnesota, Maryland, Rhode Island, Kentucky, and other states with comprehensive privacy laws may have additional rights, including the rights to:

  • confirm whether we Process your Personal Information;
  • access the categories of Personal Information we have collected, the categories of sources, the categories of third parties to whom we have disclosed it, and the business or commercial purpose for collection;
  • opt out of any “sale” or “sharing” of Personal Information, and of profiling in furtherance of decisions producing legal or similarly significant effects (although, as noted above, we do not engage in such activities);
  • limit our use and disclosure of Sensitive Personal Information;
  • appeal our refusal to act on a request, where required by applicable law (e.g., Va. Code § 59.1-577(C); C.R.S. § 6-1-1306(3));
  • exercise the rights described above without retaliation, denial of service, differential pricing, or other discriminatory treatment.

10.3 California “Shine the Light”

California Civil Code § 1798.83 entitles California residents to request, once per calendar year, information regarding our disclosure of Personal Information to third parties for those parties’ direct-marketing purposes. We do not engage in such disclosures, but you may direct any such request to privacy@expenseghost.app.

10.4 How to Exercise Your Rights

You may exercise your rights by submitting a request in writing to privacy@expenseghost.app or through the in-app data-rights tool available in your account settings. You may also designate an authorized agent to submit a request on your behalf, in which case we will request reasonable proof of authorization (such as a signed permission, a power of attorney, or, for organizations, evidence of incorporation and the agent’s authority to act).

Verification. To protect the security of your Personal Data, we must verify your identity before fulfilling your request. We will request information sufficient to match the identifying information we already maintain (typically your registered email address, account identifier, and confirmation of recent account activity). We will not use information collected for verification for any other purpose. If we cannot verify your identity to a degree of certainty proportionate to the sensitivity of the request, we may decline the request and advise you of the reason.

Response timing. We will respond within the timeframes required by applicable law (typically forty-five (45) days under U.S. state privacy laws, with a single forty-five (45) day extension where reasonably necessary and permitted).

10.5 Closing and Deleting Your Account

You may close your account at any time from Settings → Danger zone. Depending on your role, two options are available: closing your individual account (which removes you as a member while leaving your organization’s books intact), and, if you are the owner of an organization, closing the entire organization (which tears down the organization’s workspace and all of the data within it). To prevent accidental or unauthorized closure, we require you to type a confirmation string — your email address for an account closure, or the organization name for an organization closure — and, where you have enrolled a multi-factor authentication factor, to complete a re-authentication (an MFA step-up) before the request is accepted. When you submit a closure request, we send a confirmation email to your registered address containing a secure, single-purpose cancellation link, and we pause Stripe billing collection.

Ninety-day reversible window. Closure does not delete your data immediately. For ninety (90) days following your request, the closure is fully reversible: you may cancel it using the link in the confirmation email, the in-product closure screen, or by contacting privacy@expenseghost.app. During this window you can still sign in, but only to the closure screen; the remainder of the Service is inaccessible.

Permanent deletion at day 90. If you do not cancel within the ninety-day window, the closure becomes permanent and is processed automatically. At that point we: (i) revoke any financial-institution connections at Plaid via Plaid’s /item/remove endpoint and delete the associated encrypted access tokens; (ii) delete your receipt image files from storage; (iii) run a database cascade that deletes your operational and tax-document data (expenses, receipts, journal entries, and related records); (iv) cancel any associated Stripe subscription; and (v) anonymize your identity in place — replacing your name and email address with non-identifying placeholders, erasing the stored password hash, and permanently disabling sign-in. Once this purge has run, the deletion is irreversible.

Records retained after purge. As described in Section 9, a limited set of records that we are independently required by law to retain — including Stripe billing records and invoices, consent and export-consent audit records, and security audit logs — are kept for the applicable mandatory retention period even after your account is purged, and in de-identified or minimized form where feasible. Backups containing purged data age out within thirty-five (35) days.

11. Automated Decision-Making and Profiling

We use automated processes (including machine-learning models and rule-based classifiers) to extract data from receipts, classify transactions, suggest categories and tax treatments, detect anomalies, and prevent fraud. These automated processes do not produce legal or similarly significant effects concerning you, and they are subject to human review and override by you and by your tax professional. You retain the right to correct categorizations, override suggestions, and delete or modify outputs at any time. Where required by applicable law, we will provide additional disclosures and opt-out rights with respect to profiling activities that produce legal or similarly significant effects, and we will conduct data protection assessments before undertaking such activities.

We do not use your financial transactions, receipt content, or other account data to train artificial-intelligence or machine-learning models, including any general-purpose or third-party foundation models. We do not sell or share this data, and we disclose it only to the Subprocessors that Process it on our behalf to provide the Service, under written terms that limit their use of it to that purpose (see Sections 5.2 and 6).

12. Data Security

We maintain a written information security program designed to protect Personal Data against unauthorized access, disclosure, alteration, and destruction. The program incorporates administrative, technical, and physical safeguards proportionate to the volume and sensitivity of the Personal Data we Process, including:

  • encryption of Personal Data in transit using Transport Layer Security (TLS) 1.2 or higher and of Personal Data at rest using AES-256 or an equivalent algorithm;
  • role-based access controls, principle-of-least-privilege provisioning, and multi-factor authentication for personnel access to production systems;
  • row-level security at the database tier, which restricts queries to data the authenticated principal is entitled to access;
  • continuous logging and monitoring, automated vulnerability scanning, and third-party penetration testing on a recurring schedule;
  • a documented secure-software-development lifecycle, including peer code review, dependency scanning, and supply-chain integrity controls;
  • personnel onboarding, training, background screening (where lawful), and confidentiality undertakings; and
  • a documented incident-response plan with defined roles, escalation procedures, and post-incident review.

No method of transmission over the Internet or method of electronic storage is completely secure, and we cannot guarantee the absolute security of Personal Data. You are responsible for safeguarding your account credentials and for promptly notifying us of any actual or suspected unauthorized access at security@expenseghost.app.

13. Data Breach Notification

In the event of a Personal Data breach that triggers a statutory notification obligation, we will notify the relevant state attorneys general, other regulators, and affected individuals without unreasonable delay and within the timeframes required by applicable U.S. federal and state data-breach-notification laws. Notifications will describe, to the extent then known, the nature of the breach, the categories and approximate number of individuals and records affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate its possible adverse effects.

14. Children’s Privacy

The Service is not directed to, and we do not knowingly collect Personal Data from, children under the age of eighteen (18). The Service is intended for use by individuals operating in a business or professional capacity. If we become aware that we have inadvertently collected Personal Data from a child under the age of thirteen (13) in violation of the Children’s Online Privacy Protection Act (15 U.S.C. §§ 6501–6506), or from a person under the age of eighteen (18) where prohibited by other applicable law, we will delete that data promptly. To report a concern, contact privacy@expenseghost.app.

15. Marketing Communications

We may send you marketing communications about features, promotions, and content that we believe may be of interest to you. You may opt out of marketing communications at any time by clicking the “unsubscribe” link contained in any such communication or by emailing privacy@expenseghost.app. Opting out of marketing communications will not affect transactional or service-related communications, which are necessary for the Service.

16. Linked Sites and Third-Party Services

The Service may contain links to, and may integrate with, websites and services operated by third parties. This Policy does not apply to those third-party services, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services with which you interact.

17. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, Service features, applicable law, or for other operational, legal, or regulatory reasons. When we make material changes, we will notify you by email to the address associated with your account or through prominent in-product notice at least thirty (30) days before the changes take effect, unless a shorter period is required by law. The “Last Updated” date at the top of this Policy indicates when it was last revised. Your continued use of the Service following the effective date of the revised Policy constitutes your acceptance of the changes.

18. Contact Us

For questions, requests, or complaints regarding this Policy or our Processing of your Personal Data, please contact our privacy team:

Email: privacy@expenseghost.app

General inquiries: hello@expenseghost.app

Security incidents: security@expenseghost.app

Company: ExpenseGhost Labs, Inc.


By accessing or using ExpenseGhost, you acknowledge that you have read and understood this Privacy Policy.