Privacy Policy
Last Updated: May 18, 2026
This Privacy Policy explains how Spendsible ("we", "us", or "our") collects, uses, and shares your personal information when you use our mobile and web applications. By using Spendsible, you agree to the collection and use of information as described in this policy.
1. Information We Collect
1.1 Information You Provide
- Account Information: When you sign in using Google or Apple, we receive your email address and basic profile information (name, profile picture).
- Financial Data: We collect transaction details you enter into the app, including amounts, categories, accounts, dates, notes, and tags.
- Support Communication: If you contact us for support, we may collect your "Support Code" and any information you provide in your email.
1.2 Information Collected Automatically
- Device Information: We collect information about your device, such as model, OS version, and unique device identifiers.
- Usage Data: We collect analytics events related to how you interact with the app (e.g., screens visited, features used, session duration).
- Log Data: Our servers (via Google Cloud) may log information sent by your browser or app, including IP address, timestamps, and request details.
- Crash Reports: We collect unhandled exception reports and stack traces via our in-app error reporting system to diagnose and fix issues. These are stored in our Firestore database.
2. How We Use Your Information
- To provide and maintain the application's core functionality.
- To synchronise your data across devices (via Firebase, for signed-in Premium users).
- To analyse app performance and usage to improve the user experience (via Google Analytics and BigQuery).
- To diagnose and fix technical issues (via Firebase Crashlytics).
- To provide customer support.
- To manage premium subscriptions and process payments.
- To send you important service updates or legal notices (we do not send marketing emails without your consent).
3. Data Sharing and Third-Party Processors
We do not sell your personal data to third parties. We share data only with the following service providers who process data on our behalf to operate the app:
- Google Firebase: Authentication, real-time database (Firestore), and cloud functions.
- Google BigQuery: Aggregated analytics and usage data.
- Google Analytics: App usage analytics and event tracking.
- Stripe: Payment processing for Web version subscriptions. Stripe does not receive your financial transaction data from within the app.
- Apple / Google: Subscription billing and receipt validation for iOS and Android versions.
Each of these processors operates under their own privacy policies and applicable data processing agreements. We have no control over their independent data practices.
4. Data Location and Cross-Border Transfers
Your data is stored and processed on Google Cloud Platform (GCP) infrastructure. Our primary database region is asia-southeast1 (Singapore).
- If you are located in Hong Kong, your data is transferred to and stored in Singapore, which is outside of Hong Kong.
- Singapore has data protection legislation (the Personal Data Protection Act, PDPA) that provides a level of protection broadly comparable to Hong Kong's PDPO.
- In addition to Singapore, Google's global infrastructure means that operational data (such as logs and analytics) may be processed in other GCP regions, including the United States. Such transfers occur under Google's standard contractual clauses and applicable data transfer mechanisms.
- Google Cloud Platform is certified under ISO 27001, SOC 2 Type II, and other international security standards.
- By using Spendsible, you consent to your data being transferred to and processed in Singapore and, where applicable, other countries where Google operates cloud infrastructure.
For more information about Google's data centres and security practices, see Google Cloud Security.
5. Data Retention and Deletion
We retain your personal data for as long as your account is active or as needed to provide the Service.
- User-Initiated Data Deletion: You can delete all your transaction data at any time using the "Erase All Data" feature in Settings. This action is irreversible.
- Account Deletion: You can request full account deletion through the app Settings. This will remove your authentication record, all associated transaction data from our database, and associated analytics identifiers. Deletion is processed within 30 days.
- Backup copies: Deleted data may persist in backup copies for up to 90 days, after which it is permanently purged.
- Aggregated analytics: Anonymised, aggregated analytics data (which cannot be linked back to you) may be retained indefinitely for product improvement purposes.
6. Your Rights (Hong Kong PDPO)
In accordance with the Personal Data (Privacy) Ordinance (Cap. 486) of Hong Kong, you have the right to:
- Request access to the personal data we hold about you (Data Access Request).
- Request correction of any inaccurate personal data (Data Correction Request).
- Withdraw consent for the use of your personal data for direct marketing (if applicable).
- Request deletion of your personal data, subject to any legal retention obligations.
To exercise any of these rights, please contact us at support@spendsible.app. We will respond to verified requests within 40 days as required under the PDPO.
If you believe we have handled your personal data in breach of the PDPO, you may lodge a complaint with the Office of the Privacy Commissioner for Personal Data (PCPD) at www.pcpd.org.hk.
7. Security
We use industry-standard security measures to protect your data:
- In transit: All data is encrypted using TLS/SSL during transmission.
- At rest: Data stored in Google Firestore and Google Cloud is encrypted at rest by default using AES-256.
- Access controls: Access to your data is restricted to authorised personnel and automated systems needed to operate the Service. Firestore security rules enforce user-level data isolation.
No method of transmission over the internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee its absolute security.
8. Children's Privacy
The Service is not directed at children under 18 years of age. We do not knowingly collect personal data from children under 18. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.
9. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you at least 30 days in advance by email or via an in-app notification, and will update the "Last Updated" date at the top of this page. Your continued use of the Service after the effective date of the updated policy constitutes your acceptance of the changes.
10. Contact Us
If you have any questions about this Privacy Policy, wish to exercise your data rights, or have a privacy concern, please contact us at:
Email: support@spendsible.app
We aim to respond to all privacy enquiries within 5 business days.