At Spentio ("we," "our," or "us"), we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our expense tracking application and related services (the "Service").
1. Information We Collect
We collect only the information needed to operate the Service:
- Account Information: Email address and authentication identifier (password is handled by our authentication provider, see Subprocessors)
- Transaction Data: For each transaction we store the merchant or description, amount, date, and the bank or account it belongs to. We do not store IBANs, card numbers, account numbers, beneficiary addresses, or balances
- Uploaded Statements: When you use Magic Import, your statement file (PDF or CSV) is processed in memory and is never written to persistent storage. Only the parsed transaction fields above are saved
- Usage Data: Aggregate analytics about how the Service is used, collected via Google Analytics 4 (see Subprocessors)
- Communication Data: Messages you send us for support or feedback
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve our Service
- Process and categorize your financial transactions using AI
- Generate personalised insights and reports about your spending
- Send you technical notices, security alerts, and support messages
- Respond to your comments, questions, and customer service requests
- Monitor and analyze trends, usage, and activities
- Detect, investigate, and prevent fraudulent transactions and unauthorized access
Legal basis (GDPR): We process your data based on contractual necessity, legitimate interests, legal obligations, and your consent where applicable.
3. Data Storage and Security
We implement the following technical measures:
- Encryption at rest: AES-256 (Azure SQL Transparent Data Encryption)
- Encryption in transit: TLS 1.2 or higher on all connections
- Primary infrastructure: Azure App Service and Azure SQL Database in the Switzerland North region
- Tenant isolation: Row-level security enforces that each user can only access their own data
- Authentication: Delegated to Auth0 with JWT-based session tokens
- Backups: Azure SQL automated backups retained per Azure default policy in the Switzerland region
4. Data Sharing
We do not sell your personal data and we do not share it with advertising networks. We share data only in these circumstances:
- Subprocessors: With the third-party providers listed in Section 5, strictly to operate the Service
- Legal Requirements: When required by Swiss or applicable law, or to respond to a valid legal process
- Protection: To protect the rights, property, and safety of Spentio, our users, or others
- Business Transfers: In connection with any merger, acquisition, or sale of assets, with prior notice to users
5. Subprocessors
We use the following third-party providers to deliver the Service. Each acts as a data processor on our behalf.
| Provider | Purpose | Data shared | Processing region |
|---|---|---|---|
| Microsoft Azure | Application hosting (Azure App Service) and database (Azure SQL) | All stored account and transaction data | Switzerland North |
| Vercel Inc. | Marketing and web application hosting (frontend) | Page requests, IP address, basic request metadata. No transaction data is stored on Vercel | Global edge network (primarily United States) |
| Auth0 (Okta Inc.) | User authentication and credential management | Email address, password hash, session tokens | European Union |
| OpenAI | AI parsing and categorization for Magic Import (see Section 6) | Extracted statement text submitted by you (after optional review and redaction) | United States. OpenAI does not train on API data and retains it for up to 30 days for abuse monitoring |
| Anthropic (Claude) | AI parsing and categorization for Magic Import (see Section 6) | Extracted statement text submitted by you (after optional review and redaction) | United States. Anthropic does not train on API data and retains it for up to 30 days for abuse monitoring |
| Google Analytics 4 | Aggregate website usage analytics | Pseudonymous usage events, IP address (truncated), device and browser type. No transaction data | United States, with EU–US Data Privacy Framework safeguards |
We will update this list when we add or remove a subprocessor and announce material changes via the "Last updated" date at the top of this page.
6. AI Processing and Magic Import
Magic Import lets you turn a bank statement into structured transactions using AI. We designed this flow to minimise the data that ever leaves your control.
- You upload a statement file (PDF or CSV). The file is processed in memory on our Azure server in Switzerland North. The original file is never written to disk and is never stored.
- Text is extracted from the file locally on our server.
- Privacy Review (recommended): before any data leaves our infrastructure, you can enable Privacy Review. When enabled, the extracted text is shown to you and you can delete or redact anything you do not want sent to the AI provider (for example IBANs, account numbers, names, or specific merchants). Nothing is sent to OpenAI or Anthropic until you confirm.
- The text you confirm is sent to OpenAI or Anthropic (United States) over a TLS-encrypted connection. The provider returns a structured list of transactions.
- We persist only the parsed fields: merchant or description, amount, date, and the associated bank or account. We do not persist the prompt sent to the AI provider, the raw extracted text, or the original file.
Both OpenAI and Anthropic confirm in their API terms that data submitted via the API is not used to train their models, and is retained only for a limited abuse-monitoring window (currently up to 30 days). For users who require all processing to remain in Switzerland, we plan to migrate AI processing to Azure OpenAI in Switzerland North and will update this policy when that option is available in the Service.
7. Your Rights Under GDPR
If you are in the European Economic Area (EEA), you have the following rights:
- Access: Request a copy of your personal data
- Rectification: Request correction of inaccurate data
- Erasure: Request deletion of your data ("right to be forgotten")
- Restriction: Request restriction of processing
- Portability: Receive your data in a structured, machine-readable format
- Objection: Object to processing based on legitimate interests
- Withdraw Consent: Withdraw consent at any time where processing is based on consent
To exercise these rights, contact us at privacy@spentioapp.com or use the data export and deletion features in your account settings.
8. Your Rights Under Swiss FADP
If you are in Switzerland, the Swiss Federal Act on Data Protection (DSG) grants you similar rights:
- Information: Right to know what data we process about you
- Access: Request access to your personal data
- Data Portability: Obtain your data in electronic format
- Correction: Request correction of inaccurate data
- Deletion: Request deletion under certain circumstances
- Objection: Object to data processing for direct marketing
You may also file a complaint with the Federal Data Protection and Information Commissioner (FDPIC).
9. Data Retention
We retain your personal data only as long as necessary to provide the Service:
- Uploaded statement files: never stored. Discarded from memory immediately after parsing
- Extracted text sent to AI providers: not stored by us. Retained by OpenAI / Anthropic for up to 30 days for abuse monitoring, then deleted
- Parsed transactions and account data: retained for as long as your account is active
- On account deletion: personal data is deleted within 30 days, backups are purged within 90 days
- Aggregate, anonymised analytics: may be retained indefinitely for service improvement
- Legal retention: certain records (for example billing) may be retained longer where required by Swiss law
10. International Transfers
Your stored transaction and account data resides in Switzerland (Azure Switzerland North). Some processing necessarily happens outside Switzerland through the subprocessors listed in Section 5:
- United States: OpenAI, Anthropic, Vercel, Google Analytics 4
- European Union: Auth0
For these transfers we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- The Swiss FDPIC-recognised addendum to the SCCs
- The EU–US Data Privacy Framework where the provider is certified
- Supplementary technical measures, including TLS encryption in transit and minimisation of the data sent
11. Children's Privacy
Spentio is not intended for children under 16. We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us immediately.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. For significant changes, we will provide prominent notice or send you a direct notification.
13. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us: