
Privacy Policy

Notice on the processing of personal data under EU Regulation 2016/679 (GDPR) and Italian Legislative Decree 196/2003 as amended by Legislative Decree 101/2018. Last updated: July 1, 2026.

1. Data controller

Michele Pinotti
Italy
Email: expensum.finance@gmail.com

The Controller responds to data subject requests within 30 days of receipt (operational target: 24 hours), pursuant to Art. 12(3) GDPR.

Data Protection Officer (DPO): No DPO has been appointed, as the processing carried out by Expensum does not fall within the cases of mandatory designation under Art. 37 GDPR (it is not a public authority, nor large-scale processing of special categories of data, nor large-scale systematic monitoring).

2. Data processed and purposes

The service is reserved for users aged 16 or older. We do not knowingly collect data from minors under 16 (Art. 8 GDPR; Art. 2-quinquies Italian Legislative Decree 196/2003).

2.1 Data provided directly by the user

  • Telegram identifier (user_id, username): necessary to operate the bot and associate data with the account. Legal basis: performance of a contract (Art. 6(1)(b)).
  • Text messages and receipt photos sent to the bot: processed to extract and categorize expenses. Raw text is not permanently stored after processing; only structured data (amount, category, date) is retained. Legal basis: performance of a contract (Art. 6(1)(b)).
  • Voice messages (Pro plan only): transmitted to Google Vertex AI (Gemini 2.0) for text transcription only. No voice biometric feature is extracted or stored; the audio is not stored after transcription. Legal basis: performance of a contract (Art. 6(1)(b)).
  • Email and password (web app users only): for authentication. The password is stored as an irreversible hash (bcrypt). Legal basis: performance of a contract (Art. 6(1)(b)).
  • Financial data (amounts, categories, accounts, subscriptions): entered voluntarily for managing personal expenses. Legal basis: performance of a contract (Art. 6(1)(b)). Providing this data is optional in substance (no obligation to log every expense), but necessary to use the service's features.

2.2 Data collected automatically

  • Technical logs (timestamp, operation type, IP address, user agent): for diagnostics, security and abuse prevention. Legal basis: legitimate interest (Art. 6(1)(f)) — specific interest: ensuring system integrity and security and preventing unauthorized access. Processing is necessary and proportionate; logs contain no financial data and are deleted within 90 days. Retention: 90 days from the event.
  • Aggregated usage data (number of messages by input type, features used): to improve the product and detect malfunctions. Legal basis: legitimate interest (Art. 6(1)(f)) — specific interest: continuous improvement of the service. Data is aggregated and does not allow identification of the individual user.
  • Cookies and analytics identifiers: only with the user's explicit prior consent (see Cookie Policy). Legal basis: consent (Art. 6(1)(a)).
  • Early access waitlist email (via Tally.so form): collected on the basis of the consent of the user who fills in the form, in order to inform them of the service launch. Legal basis: consent (Art. 6(1)(a)). Consent can be withdrawn at any time by writing to expensum.finance@gmail.com.

3. Recipients and data processors

Data is shared exclusively with the following parties, to the extent strictly necessary to provide the service, acting as Data Processors (Art. 28 GDPR) or independent Controllers, as indicated:

| Provider | Purpose | Country | Legal basis | Transfer safeguards |
| --- | --- | --- | --- | --- |
| Telegram Messenger Inc. | Main communication channel — independent controller for data on the Telegram platform | UAE / Dubai | Contract (Art. 6(1)(b)) | SCC (Art. 46(2)(c) GDPR) |
| Mistral AI | NLP analysis | France 🇫🇷 (EU) | Contract (Art. 6(1)(b)) | No extra-EU transfer |
| Mistral AI | AI conversational agent | France 🇫🇷 (EU) | Contract (Art. 6(1)(b)) | No extra-EU transfer |
| Google Vertex AI (Gemini 2.0) | NLP analysis (Pro plan only), processing restricted to the EU region via the location parameter set in our code | Frankfurt 🇩🇪 (EU) | Contract (Art. 6(1)(b)) | No extra-EU transfer |
| Tesseract OCR | Text recognition from receipt photos — local processing on the Netcup server, no data transmitted to third parties | Italy 🇮🇹 (Netcup DE server) | Contract (Art. 6(1)(b)) | Internal EU processing |
| Notion Labs Inc. | Storage of financial data in the user's Notion workspace; the connection is optional and chosen by the user (alternative available: DBMS on EU servers) | USA 🇺🇸 | Contract (Art. 6(1)(b)) | SCC (Art. 46(2)(c)) |
| Netcup GmbH | VPS hosting, PostgreSQL database, application data storage | Germany 🇩🇪 (EU) | Legitimate interest (Art. 6(1)(f)) — provision of infrastructure necessary for the service | Internal EU processing |
| Google Analytics 4 | Aggregated website usage statistics (with consent only) | USA 🇺🇸 | Consent (Art. 6(1)(a)) | SCC (Art. 46(2)(c)) |
| Meta Platforms Inc. (Meta Pixel) | Conversion measurement and campaign optimization (with consent only) | USA 🇺🇸 | Consent (Art. 6(1)(a)) | SCC (Art. 46(2)(c)) |
| PostHog Inc. | Pseudonymized product analytics — funnels, UX events (with consent only) | EU 🇪🇺 (EU server region) | Consent (Art. 6(1)(a)) | Internal EU processing |
| Tally.so | Form development | Belgium 🇧🇪 (EU) | Consent (Art. 6(1)(a)) | Internal EU processing |
| Stripe Inc. (future) | Payment management for plans available on the platform — not yet active | USA/IE 🇺🇸🇮🇪 | Contract (Art. 6(1)(b)) | SCC (Art. 46(2)(c)) |

Providers based outside the EU operate on the basis of Standard Contractual Clauses (SCC) approved by the European Commission pursuant to Art. 46(2)(c) GDPR. Users may request a copy of the safeguards in place by writing to expensum.finance@gmail.com.

4. Transfer of data outside the EU

Some providers (Meta, Telegram, Notion, Stripe) are established in the USA or in non-EU countries. The transfer takes place exclusively on the basis of Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) GDPR, which guarantee a level of protection equivalent to the European one.

Mistral AI, the main provider for expense analysis, is a European company (France) and processing takes place entirely within EU territory, with no extra-EU transfers. This is a deliberate factor in the choice of Expensum's AI stack.

Google Vertex AI (used only for voice transcription, Pro plan) is configured to process data exclusively in the European Frankfurt region (europe-west3), explicitly set in our code via the location parameter passed with every API call. Since there is no extra-EU transfer for this processing, SCCs do not apply.

Netcup GmbH (hosting and database) is German and operates exclusively in Germany.

⚠️ Notion backend and residency of financial data. If you choose to connect your Notion workspace as the backend for your financial data, that data (expenses, income, categories, accounts, etc.) is written to and read directly from your workspace via the official Notion API, subject to your OAuth authorization. Notion Labs, Inc. is based in the United States and, unless you have activated EU data residency options on your Notion account (available only on Notion Enterprise plans), your financial data may be stored and processed outside the European Economic Area, on the basis of the SCCs entered into by Notion. Expensum has no control over the transfer safeguards applied by Notion and acts as a technical intermediary that transmits data on your behalf, on your explicit instruction. If you prefer to keep your data exclusively on European infrastructure, you can choose the PostgreSQL backend, hosted on our servers in the EU (Germany, Netcup GmbH), with no transfer to third countries.

5. Data retention

  • Account and financial data: retained until the user voluntarily deletes their account.
  • Technical logs (including IPs): 90 days from the event, then automatically deleted.
  • Original voice messages: not retained — deleted immediately after transcription.
  • Cookie consent data: 6 months (duration of the consent cookie).
  • Waitlist email (Tally): until the service launch or withdrawal of consent, whichever comes first.
  • Backups: database backups are deleted within 30 days of account deletion.

At the end of each period, data is deleted or permanently anonymized, in compliance with the storage limitation principle (Art. 5(1)(e) GDPR).

6. Automated processing and artificial intelligence

Expensum uses language models (LLMs) to automatically analyze expenses entered by the user. This constitutes automated processing under Art. 22 GDPR.

This processing does not produce decisions with legal or similarly significant effects on the user: the AI categorizes and structures the financial data provided by the user solely for personal organizational purposes. No automated decisions are made regarding credit, insurance, employment or other areas with legal effects (Art. 22(1) GDPR does not apply).

The user can always correct any result produced by the AI (incorrect amount, wrong category, etc.) and can opt out of using the AI bot at any time.

Pursuant to Art. 50 of the EU Artificial Intelligence Regulation (AI Act, Reg. EU 2024/1689), the user is informed that responses generated by Moneo are produced automatically by an AI system. Details on the models used: How the AI works.

7. Data subject rights

Under Arts. 15–22 GDPR, the user has the right to:

  • Access (Art. 15): obtain a copy of their personal data processed by Expensum.
  • Rectification (Art. 16): correct inaccurate or incomplete data.
  • Erasure (“right to be forgotten”) (Art. 17): request deletion of the account and all associated data.
  • Restriction of processing (Art. 18): restrict processing in certain cases (e.g. contesting the accuracy of the data).
  • Portability (Art. 20): receive their financial data in a structured, machine-readable format (JSON or CSV).
  • Objection (Art. 21): object at any time to processing based on legitimate interest or for direct marketing purposes.
  • Withdrawal of consent (Art. 7(3)): withdraw consent at any time (for analytics/marketing cookies, waitlist email), without affecting the lawfulness of processing carried out before withdrawal.

Rights can be exercised directly from the Settings → Privacy and data section of the web app (access, portability, account deletion), or by writing to expensum.finance@gmail.com. Response time: 30 days (Art. 12(3) GDPR). Operational target: 24 hours.

The user also has the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) (garanteprivacy.it), pursuant to Art. 77 GDPR.

8. Security and data breaches

Expensum adopts technical and organizational measures appropriate under Art. 32 GDPR, including: encrypted communications (HTTPS/TLS), irreversible password hashing (bcrypt), database access restricted via Unix socket (no port exposed on the public network), rate limiting to prevent abuse, separation of financial data from technical logs.

In the event of a personal data breach that poses a high risk to the rights and freedoms of users, the Controller will notify data subjects without undue delay, pursuant to Art. 34 GDPR, and will notify the Data Protection Authority within 72 hours of discovery (Art. 33 GDPR).

9. Cookies

Expensum uses technical cookies (necessary, always active) and, subject to the user's consent, analytics and marketing cookies. For the full list of cookies, their providers, purposes and how to manage preferences, see the Cookie Policy.

10. Changes to this notice

The Controller reserves the right to amend this notice to reflect regulatory, technological or service changes. Changes will be communicated via Telegram notification or email at least 15 days before they take effect.

For processing based on consent, any substantial changes that expand the purposes of processing will require the explicit renewal of consent by the user (Art. 7 GDPR). Simply continuing to use the service does not constitute acceptance of changes that require new consent.

© 2026 Expensum — Michele Pinotti
