Privacy Policy - TalkSpense
Last Updated: January 22, 2026
1. Introduction
TalkSpense ("we", "us", or "our") operates the TalkSpense mobile application (the "App"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our App.
Data Controller:
- Name: Arkadiusz Gil / TalkSpense
- Address: Kaszowo 29, 56-300 Milicz, Poland
- NIP (Tax ID): 9161400152
- Email: support@talkspense.app
This Privacy Policy complies with the General Data Protection Regulation (GDPR) and Polish Personal Data Protection Act (RODO).
2. What Data We Collect
2.1 Account Information
When you create an account, we collect: - Email address - Display name - Profile preferences (language, currency settings) - Authentication credentials (via Google or Apple Sign-In, where available)
2.2 Expense Data
When you track expenses, we collect: - Expense amounts and currencies - Categories and subcategories - Store/merchant names - Purchase dates and times - Payment methods - Notes and descriptions - Family member assignments (if Family mode enabled)
2.3 Receipt & Image Processing
When you scan receipts or screenshots: - Photos/screenshots are sent to our AI service for Optical Character Recognition (OCR) - IMPORTANT: Images are NOT permanently stored on our servers - Only parsed metadata (items, prices, merchant names) is saved to your account - Original images are processed in-memory and deleted within 24 hours
2.4 Voice Input
When you use voice commands: - Audio recordings are transcribed via Groq Whisper AI - IMPORTANT: Audio files are NOT stored permanently - Only text transcriptions are saved to process your expense entry - Audio is processed in-memory and deleted within 24 hours - Language preference is saved for improved accuracy
2.5 Device Data
We collect limited device information: - Firebase Cloud Messaging (FCM) token for push notifications - Device type (Android/iOS) - App version and operating system version - Device language and timezone settings
2.6 Error Tracking
To improve app stability, we collect: - Crash reports and error logs via Sentry - Stack traces and debug information - Session metadata (app state, user actions before crash) - IMPORTANT: All Personally Identifiable Information (PII) is automatically redacted, including emails, phone numbers, credit card numbers, and national IDs
3. How We Use Your Data
We use your information to: - Expense Tracking: Record and categorize your financial transactions - AI-Powered Features: Process receipts via OCR and voice-to-text transcription - Family Budget Sharing: Enable collaboration with family members (if opted in) - Push Notifications: Send budget alerts, receipt processing status, and family activity updates - Product Support: Respond to your inquiries and provide technical assistance - Service Improvement: Analyze usage patterns to enhance app functionality - Security: Detect and prevent fraud, abuse, and security incidents
3A. Legal Basis for Processing (GDPR Article 6)
We process your data based on the following legal grounds:
- Contract Performance (Art. 6.1.b): Processing expenses, receipts, voice transcriptions, and AI features is necessary to provide the core service you signed up for.
- Legitimate Interest (Art. 6.1.f): Error tracking, fraud prevention, and service improvements are based on our legitimate interest to maintain a secure and reliable app.
- Consent (Art. 6.1.a): Marketing emails and optional analytics require your explicit consent, which you can withdraw at any time.
4. Third-Party Services
We share your data with the following third-party services to provide app functionality:
4.1 Supabase (Database & Authentication)
- Purpose: Data storage, user authentication, and real-time synchronization
- Data Shared: All user data, expenses, shopping lists, family data
- Location: Cloud infrastructure (EU region)
- Security: Encryption at rest and in transit, Row Level Security (RLS) policies
- Privacy Policy: https://supabase.com/privacy
4.2 OpenRouter AI (Google Gemini 3 Flash)
- Purpose: Receipt OCR, AI-powered expense reports
- Data Shared: Receipt images (as base64-encoded temporary data)
- Retention: Images are processed and deleted within 24 hours
- Location: United States (Standard Contractual Clauses applied)
- Privacy Policy: https://openrouter.ai/privacy
4.3 Groq (Whisper Large v3 Turbo)
- Purpose: Voice-to-text transcription for expense entry
- Data Shared: Audio recordings (as base64-encoded temporary data)
- Retention: Audio is processed and deleted within 24 hours
- Location: United States (Standard Contractual Clauses applied)
- Privacy Policy: https://groq.com/privacy
4.4 Firebase Cloud Messaging (Google)
- Purpose: Push notifications for budget alerts and activity updates
- Data Shared: Device tokens, notification content (expense amounts, categories)
- Location: United States
- Privacy Policy: https://firebase.google.com/support/privacy
4.5 Sentry
- Purpose: Error tracking and crash reporting
- Data Shared: Crash reports with PII automatically redacted
- Retention: 90 days
- Location: United States
- Privacy Policy: https://sentry.io/privacy
4.6 RevenueCat
- Purpose: In-app purchase management and subscription billing
- Data Shared: User ID, purchase transaction data, subscription status
- Location: United States
- Privacy Policy: https://www.revenuecat.com/privacy
Data Processing Agreements: All third-party service providers maintain GDPR-compliant Data Processing Agreements (DPAs). Standard Contractual Clauses (SCCs) are in place for transfers to non-EU countries.
5. Data Security
We implement industry-standard security measures to protect your data:
- Encryption in Transit: All data is transmitted over HTTPS/TLS connections
- Encryption at Rest: PostgreSQL database encryption for stored data
- Row Level Security (RLS): Database-level access controls ensure users can only access their own data
- JWT Authentication: Secure token-based authentication with auto-refresh
- PII Scrubbing: Automatic redaction of sensitive information in error logs
- Access Controls: Limited employee access to production data (for support only)
6. Data Retention
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Expense Records | Indefinite (until manually deleted by user) | User can delete individual expenses or export and delete all |
| Account Data | Until account deletion requested | Full account deletion upon request |
| Audio Recordings | NOT stored (processed in-memory only) | Automatically discarded after transcription |
| Receipt Images | NOT stored (processed in-memory only) | Automatically discarded after OCR processing |
| Error Logs | 90 days | Automatically deleted by Sentry |
| Session Tokens | 7 days (auto-refresh) | Automatically expired |
7. Your Rights (GDPR/RODO)
Under GDPR and Polish RODO law, you have the following rights:
7.1 Right to Access
You can view and export all your data: - In-App Export: Settings → Export Data → Download CSV file - Included Data: All expenses, budgets, shopping lists, family members
7.2 Right to Rectification
You can edit your data directly in the app: - Edit expenses: Tap any expense → Edit → Save - Update profile: Settings → Profile → Edit display name, email preferences
7.3 Right to Deletion ("Right to be Forgotten")
You can delete your data: - Individual Expenses: Swipe left on any expense → Delete - Full Account Deletion: Contact support@talkspense.app with subject "Account Deletion Request" - We will delete all your data within 30 days - Backup copies deleted within 90 days
7.4 Right to Data Portability
You can export your data in machine-readable format: - Settings → Export Data → CSV file (compatible with Excel, Google Sheets)
7.5 Right to Withdraw Consent
You can disable data processing features: - Voice Input: Settings → Voice Recognition → Disable - Receipt Scanning: Settings → OCR Features → Disable - Push Notifications: Settings → Notifications → Disable specific categories - OAuth Permissions: Revoke access via Google/Apple account settings
7.6 Right to Lodge a Complaint
If you believe we are mishandling your data, you can file a complaint with: - Poland: UODO (Urząd Ochrony Danych Osobowych) - https://uodo.gov.pl/ - EU: Your local data protection authority - UK: ICO (Information Commissioner's Office) - https://ico.org.uk/
8. Children's Privacy
Minimum Age: TalkSpense is intended for users 16 years or older (GDPR minimum age for consent).
We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us at support@talkspense.app, and we will delete it within 30 days.
9. International Transfers
Your data may be transferred and processed outside the European Economic Area (EEA):
- Database Hosting: Supabase servers in EU region (GDPR-compliant, no international transfer)
- AI Processing (USA):
- OpenRouter AI (Google Gemini): Protected by EU Standard Contractual Clauses (SCCs)
- Groq (Whisper AI): GDPR-compliant data processing agreements
- Safeguards: All international transfers comply with GDPR Chapter V requirements using Standard Contractual Clauses (SCCs) approved by the European Commission.
- Your Rights: You can object to international transfers by contacting support@talkspense.app (may limit some AI features).
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will update the "Last Updated" date at the top of this policy
- We will notify you via:
- In-app notification
- Email (if you have opted in to marketing communications)
- Continued use of the app after changes constitutes acceptance of the updated policy
We recommend reviewing this policy periodically.
11. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data:
Email: support@talkspense.app
For GDPR/RODO-related inquiries, please use subject line: "Data Protection Inquiry"
For the indexed version of this policy, visit: https://www.talkspense.app/privacy