Last updated: 31 May 2026
Privacy Policy
fwdexpenses is an expense-tracking service operated by Madhavi Solanki at Cyphertree Technologies. This policy explains what data we collect when you use fwdexpenses.com, how we use it, and how you can delete it.
1. What we collect
When you sign in with Google, we receive your Google account email, name, profile picture, and Google subject ID. We use these to identify you across sessions.
When you forward an email to your @fwdexpenses.com alias, we store: the sender address, subject, message body, any attachments, and the structured fields our AI extracts (vendor, amount, date, currency).
When you upload a bank statement, we extract transactions and store them. The original PDF is deleted from disk immediately after parsing — we never retain account numbers, addresses, or other PII present in the statement.
When you classify entries (personal/business, tags), we store those labels and use them to teach our categoriser for future emails from the same vendor.
2. How we use it
Your data is used only to provide the service: showing you your ledger, reconciling bank statements, answering your Q&A questions about your spending, and improving classification accuracy per vendor.
We do not sell, rent, or share your data with third parties for advertising or marketing.
3. Third parties we share data with
OpenAI: email bodies, attachment images (where present), and bank-statement text are sent to OpenAI's gpt-4o-mini for structured extraction and Q&A. Per OpenAI's API data usage policy, data sent via the API is not used to train their models.
Cloudflare: provides DNS, HTTPS, and email routing for fwdexpenses.com. Cloudflare sees the envelope of inbound emails (sender, recipient, subject) and forwards the message body to our backend.
Google: only for sign-in via OAuth. We do not access your Gmail inbox or any other Google data.
4. Where data is stored
All user data (ledger entries, account records, classifications) is stored in a Postgres database on a server in Germany (Hetzner GmbH, Falkenstein). Backups, if any, are retained on the same server.
5. How long we keep it
Data is kept for as long as your account is active. Bank-statement PDFs are deleted within seconds of upload. If you delete your account (see below), all your data is permanently removed from our Postgres database within 7 days.
6. Your rights
You can, at any time:
- See everything we have about you — it's all visible in your dashboard
- Delete individual entries, attachments, or accounts from the UI
- Delete your entire account by emailing the address below
- Export your data (contact us — we'll provide a JSON dump)
7. Cookies
We use one cookie: an HTTP-only session cookie set by NextAuth.js to keep you signed in. No tracking, advertising, or analytics cookies. No third-party cookies. The session cookie is removed when you sign out.
8. Changes to this policy
If we materially change how we collect or use your data, we'll update the “Last updated” date above and notify active users by email.
9. Contact
Questions, deletion requests, or data exports: [email protected].
Operator: Madhavi Solanki, Cyphertree Technologies, Pune, India.