Privacy Policy

Last updated: January 2026

Introduction

Welcome to Expansably. We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

Data Controller

The data controller is the owner of the Expansably service, an individual or legal entity with headquarters in Portugal, who is responsible for processing your personal data in accordance with the General Data Protection Regulation (GDPR) and applicable privacy laws.

Country: Portugal

Email: expansably@gmail.com

Information We Collect

We collect several types of information to provide and improve our service:

Personal Information

  • Name and email address
  • Profile information
  • Contact preferences

Financial Data

  • Expenses and income records
  • Categories and subcategories
  • Group expenses and balances
  • Shopping lists and monthly expenses

How We Use Your Information

We use your information for the following purposes:

  • To provide and maintain our service
  • To send you notifications and updates
  • To improve our service and develop new features
  • To ensure security and prevent fraud
  • To comply with legal obligations

Legal Basis for Processing

We process your personal data based on the following legal grounds:

  • Performance of a contract: To provide you with our services
  • Legitimate interests: To improve our service and ensure security
  • Consent: When you provide explicit consent for specific processing activities

Legitimate Interests

Legitimate interests include service improvement, abuse detection, fraud prevention, and platform security. We ensure that these interests do not override users' rights and freedoms, and they are always assessed on a case-by-case basis to ensure an adequate balance.

Data Sharing and Disclosure

We do not sell your personal data. We may share your information only in the following circumstances:

Service Providers

We use the following third-party service providers that process data on our behalf:

  • Supabase (cloud hosting and database) - data stored in the European Union
  • Vercel Analytics (website usage analytics) - data processed in the United States, with adequate safeguards (standard contractual clauses)
  • Supabase Auth (authentication and user management) - data processed in the European Union
  • Email providers (sending notifications and transactional emails) - data processed in the European Union

All third-party service providers are selected based on their GDPR compliance and we maintain adequate contractual clauses to ensure the protection of your data.

International Data Transfers

Most of your personal data is processed and stored within the European Union. However, some analytics services (such as Vercel Analytics) may process data in the United States. In these cases, we ensure that adequate safeguards are in place, including standard contractual clauses approved by the European Commission, to ensure that your data receives an adequate level of protection.

We do not sell, trade, or rent your personal information to third parties for marketing purposes.

Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption of data in transit and at rest
  • Regular security assessments and updates
  • Access controls and authentication mechanisms
  • Secure data storage and backup procedures

The data controller may access personal data stored on the platform only when strictly necessary for technical maintenance, user support, error correction, system security assurance, or service improvement purposes. Such access is limited, logged, and carried out in accordance with the data minimization principle.

Your Rights

Under GDPR, you have the following rights regarding your personal data:

  • Right of Access - You can request access to your personal data
  • Right to Rectification - You can correct inaccurate or incomplete data
  • Right to Erasure - You can request deletion of your data (right to be forgotten)
  • Right to Restriction of Processing - You can request limitation of processing in certain circumstances
  • Right to Data Portability - You can receive your data in a structured, commonly used format
  • Right to Object - You can object to processing based on legitimate interests
  • Right to Lodge a Complaint - You have the right to lodge a complaint with the Portuguese Data Protection Authority (CNPD - Comissão Nacional de Proteção de Dados) if you consider that the processing of your personal data violates applicable legislation. You can contact CNPD through the website https://www.cnpd.pt or by mail to: Comissão Nacional de Proteção de Dados, Rua de São Bento, 148, 3.º, 1200-821 Lisboa, Portugal.

How to Exercise Your Rights

To exercise any of your rights, you must contact us via the email address provided below. In your request, you must:

  • Clearly identify yourself (full name and account email address)
  • Specify which right you wish to exercise
  • Provide any additional information that may be necessary to process the request

We commit to responding to all requests within 30 days of receipt. If the request is complex or we receive multiple requests, we may inform you that we need more time, up to a maximum of 60 days, and explain the reason for the delay.

We may request additional information to verify your identity before processing the request, as a security measure.

To exercise these rights, please contact us using the information provided below.

Data Retention

Data is retained while the account is active or until deletion is requested by the user. After account deletion or deletion request, personal data will be deleted or anonymized within 30 days, except for legal obligations that require longer retention (for example, accounting or tax obligations). Aggregated and anonymized data may be retained indefinitely for statistical purposes and service improvement.

Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience and analyze service usage. You can control cookies through your browser settings.

You can manage your cookie preferences through your browser settings or our cookie consent banner.

Cookie Consent

Consent for non-essential cookies is given through our cookie consent banner, which appears on the first visit to the website. You can revoke your consent at any time through your browser settings or by contacting us. Consent is recorded and can be revoked at any time. Refusing non-essential cookies does not affect the main functionality of the service.

Minors' Data

Our service is not intended for minors under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that we have collected personal data from a minor without parental or legal guardian consent, we will take steps to delete that information as soon as possible. If you are a parent or legal guardian and believe your child has provided us with personal data, please contact us immediately.

Automated Decision-Making and Profiling

We do not perform automated decision-making, including profiling, that produces legal effects or significantly affects users. All decisions related to the processing of your personal data involve human intervention.

Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date. You are advised to review this Privacy Policy periodically for any changes.

Contact Us

If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us:

Email: expansably@gmail.com