Privacy Policy

Last updated: May 25, 2026

1. Controller and Definitions

The data controller for the Service is QuickBits OÜ, a company registered in Estonia (registry code: 16725805, registered address: Sääse 14-40, 12918, Tallinn, Estonia).

In this Privacy Policy:

  • Controller, we, us, or our means QuickBits OÜ.
  • Service refers to the website expensicat.com, the web and mobile applications, the API, the command-line interface, and related software and tools.
  • Personal Data means any information relating to an identified or identifiable natural person.

2. Information We Collect

We collect the following categories of Personal Data:

  1. Account & Profile Data: Name, email, company name, billing address, hashed password, locale and currency preferences.
  2. Financial & Transaction Data: Connected bank account details, transaction history, invoices, quotes, receipts and uploaded documents.
  3. Content You Submit: Messages to our AI assistant ("Cat"), notes, tasks, and files you upload.
  4. Technical & Usage Data: IP address, device identifiers, browser type, server logs, and error reports.
  5. Cookies & Analytics Data: Limited analytics data collected with your consent (see our Cookie Policy).
  6. Third-Party Data: Data from integrations you authorize, such as banks and payment providers.

3. How We Collect Your Data

  • Directly from You: When you register, upload documents, connect financial accounts, use the AI assistant, or contact support.
  • Automatically: Through server logs and, with consent, analytics.
  • From Third Parties: Open-banking aggregators and other integrations you enable (see Section 8).

4. Legal Bases for Processing

For users in the EEA, we rely on the following legal bases under Article 6 GDPR, listed by purpose:

  • Providing, maintaining and securing your account and the Service: performance of a contract.
  • Processing your financial data, invoices and documents: performance of a contract.
  • AI features (receipt transcription, assistant responses, search): performance of a contract.
  • Billing and payment: performance of a contract.
  • Security alerts and essential service communications: legitimate interests (securing the Service and preventing abuse) and, where applicable, legal obligation.
  • Product analytics and improvement: consent.
  • Retaining financial records: legal obligation (tax and accounting law).

Providing your account and financial data is necessary to use the Service; without it, we may be unable to provide some or all features.

For California residents, we process Personal Data for the business purposes described above. We do not sell your Personal Data.

5. Sharing and Disclosure

We may share Personal Data with:

  • Sub-processors: Hosting, AI, email, analytics, and support providers acting on our instructions under data processing agreements. Our current list is published at expensicat.com/legal/subprocessors (see Section 6).
  • Open-banking providers: When you connect a bank account, a licensed account information service provider acts as an independent data controller for the account data it retrieves (see Section 8).
  • Affiliates: QuickBits OÜ affiliates for internal business purposes under the same standards.
  • Legal Authorities: To comply with applicable law, subpoenas, or enforceable governmental requests.
  • Business Transfers: In a merger, acquisition, or sale of assets, subject to confidentiality safeguards.

We do not sell your Personal Data.

6. Sub-processors

We use vetted third-party providers to operate the Service, including hosting, AI processing, email, and analytics. We maintain a current list, with each provider's purpose and location, at expensicat.com/legal/subprocessors. We require each sub-processor to provide protection consistent with this Policy and applicable law. If you use the Service as a business customer, our processing of Personal Data on your behalf is governed by our Data Processing Addendum.

7. AI and Automated Processing

Core features of the Service use third-party large language models to transcribe receipts, power the AI assistant ("Cat"), and enable semantic search. When you interact with Cat, you are interacting with an automated AI system, not a human. When you use these features, the relevant content (such as a receipt image or your message) is sent to our AI sub-processors solely to generate the result you requested. These providers are contractually prohibited from using your data to train their models.

We do not make decisions producing legal or similarly significant effects about you based solely on automated processing without human involvement.

8. Bank Connections

When you connect a bank account, you authorize a licensed account information service provider (AISP), GoCardless or Plaid, to retrieve account and transaction information. As regulated providers, these companies act as independent data controllers for that data under PSD2 and their own privacy notices, which we encourage you to review. Access is read-only (we cannot initiate payments or move funds) and is granted only with your explicit authorization. You can revoke it at any time from your account settings or directly with your bank.

9. Data Retention

We keep Personal Data only as long as necessary for the purposes described, then delete or anonymize it:

  • Account data: For the life of your account and up to 30 days after deletion, except where longer retention is required by law.
  • Financial records: At least seven (7) years to meet tax and accounting obligations.
  • Backups: After deletion, residual copies may persist in encrypted backups until those backups expire under our rolling retention schedule.
  • Analytics data: For up to 14 months.

10. International Data Transfers

QuickBits OÜ is established in the EEA. Where Personal Data is transferred outside the EEA (for example, to AI or hosting providers in the United States), we rely on the European Commission's Standard Contractual Clauses or an applicable adequacy decision.

11. Data Security

We implement technical and organizational measures including:

  • Encryption: TLS for data in transit and AES-256 for data at rest.
  • Tenant Isolation: Database row-level security policies scoped to each organization, so that queries made on behalf of one organization cannot read or modify another organization's rows.
  • Access Controls: Least-privilege access and authenticated sessions.
  • Monitoring: Error tracking and regular vulnerability scanning.

More detail is available on our Security page.

12. Your Rights

EEA and UK residents (GDPR / UK GDPR): You have the right to access, rectify, erase, restrict, port, and object to the processing of your Personal Data, and to withdraw consent at any time. To exercise these rights, contact us at [email protected].

You also have the right to lodge a complaint with your local supervisory authority. Our lead authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, aki.ee); UK residents may contact the Information Commissioner's Office (ICO).

United States residents: Depending on your state (for example, California, Virginia, Colorado, Connecticut, and Texas), you may have the right to know, access, correct, delete, and opt out of the "sale" or "sharing" of Personal Data. We do not sell your Personal Data, and we honor Global Privacy Control (GPC) browser signals (the Sec-GPC request header) as an opt-out of sharing. To make a request, email [email protected].

13. Children's Privacy

The Service is intended for business use by individuals who are at least 18 years old. It is not directed to children, and we do not knowingly collect Personal Data from minors. If we learn that we have collected such data, we will delete it.

14. Changes to This Policy

We may update this Policy for legal or operational reasons. Material changes will be posted with a new effective date and notified via email or in-app alert before they take effect.

15. Contact Us

Email: [email protected]