Privacy Policy
This policy explains what personal data we collect, why we collect it, and what you can do about it. Plain English, no filler.
Last updated: 28 April 2026
1. Who we are
Expnsr.io is a service operated by Expnsr Ltd, a company registered in England and Wales (Companies House number 17180340).
We are the data controller for the personal data we process about you when you use our website and service.
Contact: hello@expnsr.io
ICO registration number: ZC133576
2. What data we collect
When you sign up and use Expnsr.io
- Account details: name, email address, password (hashed), role within your company, employee ID if supplied, department.
- Company details: company name, chosen plan.
- Expense data: receipt images you upload, vendor names, dates, amounts, VAT amounts, categories, descriptions, reasons you type, mileage data, approval history.
- Usage data: when you log in, what pages you visit, what actions you take, for the purpose of running and improving the service.
- Payment data: if you upgrade to a paid plan, Stripe processes your payment — we receive confirmation and basic billing details but never see your full card number.
Automatically collected
- IP address, browser type, device type, approximate location (city-level) — used for security, fraud prevention, and product analytics.
- Cookies and local storage — used to keep you signed in and remember your preferences.
3. Why we collect it (lawful bases)
We process personal data under the following lawful bases under UK GDPR:
- Performance of a contract — to provide the Expnsr.io service you signed up for.
- Legitimate interests — to run and improve our service, prevent fraud, and keep the platform secure.
- Legal obligation — to keep records for tax, accounting, and to respond to lawful requests from authorities.
- Consent — for any marketing emails or optional features that specifically ask for your consent.
4. Who we share it with (sub-processors)
We use a small number of trusted third parties to run Expnsr.io. Each of them has its own privacy policy and we only share what is necessary for them to do their job.
| Provider | What they do | Where |
|---|---|---|
| Supabase Privacy |
Database, authentication, and receipt file storage | EU (Frankfurt) |
| Anthropic Privacy |
AI receipt scanning and mismatch detection | US (with EU data protections) |
| Resend Privacy |
Transactional emails (invites, approvals, password resets) | US/EU |
| Stripe Privacy |
Payment processing for paid plans | US/EU |
| Render Privacy |
Backend API hosting | EU (Frankfurt) |
| Netlify Privacy |
Website hosting | Global CDN |
We never sell your personal data. We never share it with advertisers or data brokers.
5. International data transfers
Where providers are based outside the UK or EU (such as Anthropic and Stripe's US operations), we rely on Standard Contractual Clauses and the UK International Data Transfer Addendum to ensure your data is protected to UK GDPR standards.
6. How long we keep it
- Account data: for as long as your account is active.
- Expense data and receipts: retained for 7 years from the date of the expense, to meet HMRC record-keeping requirements.
- Data after account closure: deleted within 30 days, except where we are legally required to retain it (e.g. tax records).
- Logs and analytics: retained for up to 12 months.
7. Your rights
Under UK GDPR you have the following rights:
- Access — request a copy of the personal data we hold about you.
- Correction — ask us to fix inaccurate data.
- Deletion — ask us to delete your data (subject to legal retention requirements).
- Portability — request your data in a machine-readable format.
- Restriction — limit how we process your data.
- Objection — object to specific processing based on legitimate interests.
- Withdraw consent — where we rely on consent, you can withdraw it at any time.
To exercise any of these rights, email hello@expnsr.io. We'll respond within one month.
You also have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.
8. Security
We take security seriously. Measures include:
- All data encrypted in transit (HTTPS/TLS) and at rest.
- Passwords hashed using industry-standard algorithms — we never store them in plain text.
- Access controls limiting who can see what within your company.
- Regular security reviews and updates.
- EU-based data hosting with strong physical and network security.
No system is perfectly secure. If we become aware of a breach affecting your personal data, we will notify you and the ICO within 72 hours as required by law.
9. Data about your employees (if you're an admin)
If you're using Expnsr.io as a company admin, you may be uploading or inviting employees whose personal data we then process. In that relationship:
- Your company is the data controller for your employees' personal data.
- We act as a data processor on your behalf.
- You are responsible for making sure your employees are informed about how their data is used, and for having a lawful basis to share it with us.
10. Cookies
We use a small number of essential cookies and local storage items:
- Authentication token — keeps you signed in across pages.
- User preferences — remembers your settings.
We don't use tracking cookies, advertising cookies, or third-party analytics that profile you.
11. Children
Expnsr.io is a business service and not intended for use by children under 16. We do not knowingly collect data from children. If you believe we have, contact us and we will delete it.
12. Changes to this policy
We may update this policy from time to time. Material changes will be notified to you by email. The "last updated" date at the top reflects the most recent version.
13. Contact
Questions about this policy or your data:
Email: hello@expnsr.io
Expnsr Ltd · Companies House 17180340