Effective Date: 01 October 2025

Expense6 (“we”, “us”, “our”) is committed to protecting your privacy and handling your personal information with transparency, integrity, and accountability. This Privacy Policy explains how we collect, use, disclose, store, and protect your information, and outlines your rights under the Australian Privacy Principles (APPs), the General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA).

1. Information We Collect

We collect and process the following types of information to provide and improve our services:

Personal Identification

  • Email Address: Mandatory for account creation and used for authentication and communication.
  • Name: Collected for Workzone creation and profile display. Users may enter any preferred name.
  • Business Address and Contact Details: Optional. Used only when generating invoices within the app.
  • Business Registration Number: For business users, when applicable.

Financial & Transactional Data

  • Expense and income records, categories, invoices, receipts, Workzone data, and currency details.
  • Bank or account information (only if you manually add these for tracking).

Subscription & Payment Data

  • Subscription plan, renewal status, and transaction receipts (collected through RevenueCat, App Store, or Google Play).
  • Expense6 does not store or process card or payment information directly.

Device & Usage Data

  • Device identifiers, IP address, browser type, operating system, crash logs, and usage analytics (collected via AWS/Firebase analytics tools).

Uploads & Attachments

  • Images, scanned receipts, or PDFs uploaded for transaction records or document storage. These are encrypted and stored securely in AWS S3 or Firebase Storage.

Sensitive Data

  • Collected only with explicit consent and used strictly for features such as income categorization or optional integrations.

2. How We Collect Information

We collect data:

  • Directly from you: When you register, create Workzones, upload receipts, create invoices, or contact support.
  • Automatically: When you use our app or website, through cookies, analytics tools, and log files.
  • From third parties: When you integrate services like cloud backups or payment providers (e.g., RevenueCat or Google Drive), with your consent.

3. How We Use Your Information

We process your data for purposes including:

  • To provide and improve the Expense6 app and its features.
  • To maintain your Workzones, invoices, receipts, and reports.
  • To enable secure collaboration and Workzone sharing with team members or accountants.
  • To process and verify subscription payments.
  • To send service updates, billing notifications, or marketing communications (you may opt out at any time).
  • To comply with legal, accounting, or tax obligations.

Legal Bases (GDPR):

  • Consent (which you can withdraw at any time).
  • Performance of our contract with you.
  • Legal obligations.
  • Legitimate interest (e.g., security, fraud prevention, and service improvement).

4. Data Sharing and Disclosure

We may share your information only under the following conditions:

  • Service Providers: With trusted providers who assist in hosting, analytics, backups, payments, or notifications (AWS, Firebase, RevenueCat).
  • Authorized Users: With accountants or collaborators you invite via User ID-protected sharing. Expense6 never accesses shared data without your consent.
  • Legal Compliance: When required by law, regulation, or court order.
  • Business Transfers: In case of a merger, acquisition, or restructuring, you will be notified before data transfer occurs.

We never sell your personal information.

5. Data Security and Storage

We use enterprise-grade security to protect your information:

  • Encryption in Transit: TLS 1.3 is used for all data transfers between your device and our servers.
  • Encryption at Rest: Our VPS provider enforces storage-level encryption (AES-256), firewall protection, and secure authentication mechanisms to safeguard stored data.
  • Authentication: OAuth 2.0 and JWT for user sessions.
  • Access Control: Role-based permissions for Workzones and shared data.
  • Infrastructure: Multi-region AWS servers with automated failover and daily encrypted backups.
  • Monitoring: AWS CloudWatch and Datadog track anomalies and prevent unauthorized access.

Your data may be stored in Australia, Singapore, the EU, or the United States, depending on your region. All international transfers follow Standard Contractual Clauses (SCCs) to ensure GDPR-level protection.

6. Data Retention

We retain data only as long as necessary to:

  • Fulfil the purposes described in this policy, or
  • Comply with applicable tax, legal, and accounting requirements.

When no longer required, data is securely deleted or anonymized.

7. Your Privacy Rights

Depending on your jurisdiction, you have the right to:

  • Access: Request a copy of your data.
  • Correction: Request correction of inaccurate or incomplete information.
  • Deletion: Request deletion of your account or data (subject to legal retention).
  • Restriction: Request restriction of, or object to, processing.
  • Data Portability: Request transfer of your data (GDPR).
  • Opt-Out: Opt out of data sharing or marketing (CCPA).
  • Withdraw Consent: Withdraw consent at any time.

To exercise your rights, contact privacy@expense6.com with “Privacy Request” in the subject line. We may verify your identity before fulfilling requests and will respond within 30 days.

8. Children’s Privacy

Expense6 is not intended for users under 13 years of age (or 16 where applicable). We do not knowingly collect data from minors. If you believe a child has provided information, contact us immediately for removal.

9. Cookies and Tracking Technologies

We use cookies and similar technologies to:

  • Remember user preferences,
  • Analyze performance, and
  • Improve functionality.

You can disable cookies through your browser or device settings, though some features may not work properly if disabled.

10. International Users

Expense6 operates globally with multi-region deployment. If you are located outside Australia, your data may be processed in another jurisdiction that offers adequate data protection safeguards.

11. Sri Lanka PDPA Compliance

For users located in Sri Lanka, Expense6 complies with the Personal Data Protection Act No. 9 of 2022. We process personal data only for lawful purposes permitted under the PDPA, including:

  • User consent
  • Performance of a contract
  • Compliance with legal obligations

Sri Lankan users have the right to:

  • Access their personal data
  • Correct inaccuracies
  • Request deletion
  • Withdraw consent
  • Restrict or object to processing
  • Prevent automated decision-making

To exercise PDPA rights, email privacy@expense6.com with the subject “PDPA Request.”

Sri Lanka Data Protection Contact
Email: privacy@expense6.com
Handled by our Privacy Officer for the Sri Lankan jurisdiction.

Cross-border transfers of Sri Lankan user data follow PDPA-compliant safeguards.

12. Changes to This Policy

We may update this Privacy Policy periodically to reflect app updates, infrastructure changes, or legal requirements. The latest version will always be available in-app and on our website, with the Effective Date updated accordingly.

13. Contact Us

If you have questions, concerns, or wish to exercise your privacy rights, please contact:

Privacy Officer – Expense6

If you’re not satisfied with our response, you can contact your local data authority, such as:

  • Office of the Australian Information Commissioner (OAIC)
  • European Data Protection Supervisor (EDPS)
  • California Attorney General

© 2025 Expense6. This Privacy Policy is designed for compliance with the APPs, GDPR, CCPA, and global privacy standards.