Privacy Policy
Effective date: April 2, 2026
1. Overview
ExpenseFlow (“we,” “our,” or “the application”) is an internal expense-management and financial-reporting platform operated by Sound Investments. This Privacy Policy explains what personal and financial information we collect, and how we use and protect it.
By accepting an invitation to join ExpenseFlow or by continuing to use the application after this policy takes effect, you acknowledge that you have read and agree to the practices described herein.
2. Information We Collect
2.1 Account information
- Name, username, and email address (provided at account creation or invitation)
- Hashed password (if you use password-based sign-in)
- Passkey / WebAuthn credential metadata (credential ID, public key, device type, signature counter). The private key stays on your authenticator and is never transmitted to us.
- TOTP authenticator enrollment status and the encrypted TOTP secret (the raw seed is shown only once, during setup, and is not retained in plaintext)
2.2 Financial and transaction data
- Expense receipts, including images and extracted metadata (merchant, date, amount, category)
- Bank account information connected via Plaid Link: institution name, account name, last four digits of account number, account type, and current/available balances
- Bank transactions retrieved through connected accounts (description, amount, date, category)
- Journal entries, chart-of-accounts postings, and accounting-period records you create in the application
- Vendor records and categorization rules you configure
2.3 Usage and technical data
- IP address at sign-in and for rate-limiting purposes
- User-agent string for trusted-device identification
- Audit log events (who performed which action, when) for compliance and security review
- Build version identifiers (no analytics or tracking pixels are used)
3. How We Use Your Information
- Providing the service — authenticating you, displaying your company’s financial data, processing receipts, and generating reports.
- AI-assisted processing — receipt images and extracted text are sent to the Groq API for merchant extraction and expense categorization. No personally identifiable information beyond receipt content is sent.
- Bank connectivity — if you connect a bank account, transaction data is retrieved from Plaid and stored in the application database scoped to your company.
- Security — detecting and preventing unauthorized access, enforcing rate limits, and maintaining audit logs.
- Compliance — retaining financial records as required by applicable law (see Section 7).
We do not use your data for advertising, sell it to data brokers, or share it with any party not described in Section 4.
4. Information We Share
We share data only with the following categories of recipients, strictly to deliver the service:
- Plaid — bank-connectivity provider. When you connect a bank account, you authenticate directly with Plaid. They return account metadata and transactions to ExpenseFlow under their own privacy policy. Access tokens are encrypted at rest using AES-256-GCM before storage.
- Groq — AI inference provider. Receipt content (image and OCR text) is sent to Groq’s API for structured-data extraction. Groq’s data-processing terms govern that transmission.
- Infrastructure providers — the application runs on a dedicated server operated by Oracle.
We do not share your data with any other third parties without your explicit consent, except as required by law or court order.
5. Security
We implement the following technical controls:
- Encryption in transit — all traffic to ExpenseFlow is served over HTTPS with TLS 1.2 or higher, enforced by our Caddy reverse proxy, which also sends a Strict-Transport-Security (HSTS) header with the preload directive so browsers refuse plaintext connections.
- Encryption at rest — bank-provider access tokens are encrypted with AES-256-GCM before database storage. TOTP authenticator secrets are separately encrypted with AES-256-GCM using a dedicated key.
- Authentication — we support phishing-resistant WebAuthn passkeys (FIDO2) and TOTP two-factor authentication. Passwords, where used, are hashed with bcrypt.
- Access control — role-based access control (RBAC) at the global and per-company level ensures users can only access data within their authorized companies.
- Audit logging — administrative and sensitive actions are recorded in a tamper-evident audit log.
- Rate limiting — authentication endpoints and sensitive operations are rate-limited to prevent brute-force attacks.
6. Cookies and Local Storage
ExpenseFlow uses the following browser storage:
- Session cookie (next-auth.session-token) — HttpOnly, Secure, SameSite=Lax. Required for authentication. Expires when you sign out or after the session lifetime.
- Trusted-device cookie (ef_trusted_device) — HttpOnly, Secure, 30-day expiry. Set only if you choose “Trust this device” on the MFA challenge page. Allows skipping the TOTP prompt on recognized devices.
We do not use advertising cookies, tracking pixels, or third-party analytics.
7. Data Retention
- Financial records (transactions, receipts, journal entries, bank statements) — retained for a minimum of 7 years from the date of entry, in accordance with IRS recordkeeping guidelines for business expenses.
- Receipt image files — retained for 3 years, then eligible for deletion per the applicable company’s storage policy.
- Audit logs — retained for 3 years.
- Account data — retained while your account is active. Upon deletion (see Section 8), personal identifiers are anonymized promptly; financial records are retained in anonymized form per the schedule above.
- Bank-connectivity tokens — deleted within 30 days of disconnecting a bank account.
8. Your Rights and Choices
8.1 Access and correction
You can view and update your profile information (name, email) by contacting alex@sound.investments. Company-scoped data (transactions, receipts) can be viewed and corrected within the application.
8.2 Account deletion
You may request deletion of your account at any time via Account Settings → Danger Zone → Delete account. Deletion anonymizes your personal identifiers (name, email, username, password, authentication credentials) and removes your access to all companies. Financial records associated with your account are retained in anonymized form for the periods described in Section 7, as required by law.
8.3 Bank disconnection
You may disconnect a linked bank account at any time through the Banking section of your company’s admin settings. Disconnection revokes ExpenseFlow’s access token; previously imported transaction data is retained per Section 7.
8.4 Consent withdrawal
If you withdraw consent, you must delete your account (see 8.2) as the service cannot be provided without processing your data. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
9. Children
ExpenseFlow is an internal business tool not directed at individuals under 18. We do not knowingly collect personal information from minors.
10. Changes to This Policy
We may update this policy periodically. The effective date at the top of this page reflects the most recent revision. Material changes will be communicated to active users by email or in-application notice. Continued use after the effective date constitutes acceptance of the revised policy.
11. Contact
Questions or requests regarding this policy should be directed to:
Alex Scardigno — VP Operations, Sound Investments Management Company