Privacy Policy

Effective Date: May 13, 2026

This Privacy Policy explains how SystemForge Enterprise LLC (“Company,” “we,” or “us”), operator of Expentro (the “Service”), collects, uses, and protects information about you. By using the Service, you agree to this Policy.

1. Information We Collect

1.1 Information you provide

  • Account information: name, email address, password (stored hashed by Firebase Authentication), and — if you sign in with Google — your Google profile name and email.
  • Payment information: handled entirely by Stripe. Card numbers never touch our servers. We store only a Stripe customer ID and subscription status.
  • Receipt and expense data: the images, PDFs, vendor names, dates, amounts, descriptions, attendees, and any other fields you enter or upload.
  • Report data: the trip, business purpose, and other metadata you provide when finalizing a report.
  • Settings: company logo, default mileage rate, meal per-diem, currency preference.
  • Communications: messages you send through our contact form or by email.

1.2 Information collected automatically

  • Session cookie: a signed, HTTP-only cookie used to keep you logged in. No tracking cookies.
  • Operational logs: request method, route, response code, and timestamp — used to detect errors and abuse. These logs intentionally exclude receipt contents.
  • Aggregate analytics: Vercel Web Analytics collects privacy-friendly, cookie-less aggregate traffic data (page views, country, referrer). It does not identify individuals.

2. How We Use Your Information

  • To operate and provide the Service (authentication, storage, AI extraction, report generation, billing).
  • To send transactional emails (welcome, lifecycle, billing, password resets, contact-form replies).
  • To enforce subscription limits and detect abuse (e.g., rate limiting).
  • To respond to your support requests.
  • To comply with legal obligations and enforce our Terms of Service.

We do not sell your personal information. We do not use your data to train third-party AI models — receipts are sent to Google Gemini only to extract data for that one request, and Google Gemini’s terms apply for that transient processing.

3. Third-Party Service Providers

We share data with the following processors strictly to operate the Service. Each is bound by its own privacy commitments.

  • Google Firebase (Authentication, Firestore, Cloud Storage) — user accounts, expense records, receipt files.
  • Google Gemini API — receipt images for AI extraction.
  • Stripe — payment processing, subscription management.
  • Resend — transactional email delivery.
  • Upstash — rate-limit counters (anonymous user ID hash; no content).
  • Vercel — web hosting and privacy-friendly analytics.
  • Sentry — error monitoring (when enabled). Configured to scrub email addresses and IPs.

4. Data Retention

We retain your account and expense data for as long as your account is active. If you cancel your subscription, your data remains accessible for download for at least 90 days. If you delete your account, we delete your expenses, reports, and uploaded receipts within 30 days, except where retention is required for tax, accounting, or legal reasons (typically up to seven years for billing records).

5. Security

We use industry-standard practices to protect your information, including encryption in transit (TLS 1.2+), encryption at rest for Firebase Storage, HTTP-only signed session cookies, server-side authentication on every API request, and per-user database security rules. No system is perfectly secure; if we discover a breach affecting your data, we will notify you in accordance with applicable law.

6. Your Rights

You have the following rights regarding your personal information:

  • Access — request a copy of the personal information we hold about you.
  • Correction — update inaccurate information (most fields are editable in your account dashboard).
  • Deletion — request deletion of your account and associated data.
  • Export — download your reports in PDF/Excel at any time from the Reports page.
  • Opt out of email — transactional emails are required to operate the Service; lifecycle and marketing emails will include an unsubscribe link.

To exercise any of these rights, email support@expentro.com.

7. California Residents (CCPA)

California residents have additional rights under the California Consumer Privacy Act, including the right to know what categories of personal information we collect and the right to request deletion. We do not sell personal information. To exercise CCPA rights, email support@expentro.com.

8. International Users

The Service is operated from the United States. If you access the Service from outside the U.S., you understand that your information will be transferred to, stored in, and processed in the United States and other countries where our service providers operate.

9. Children

The Service is not intended for individuals under 18. We do not knowingly collect information from anyone under 18. If we learn we have collected information from a minor, we will delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated version and revise the “Effective Date” at the top. Material changes will be communicated by email or through the Service.

11. Contact Us

Questions or requests about your privacy? Contact us at:

Email: support@expentro.com
SystemForge Enterprise LLC
[YOUR BUSINESS ADDRESS — TBD]
South Carolina, United States