Privacy Policy
Last updated: March 29, 2026
Who we are
Spend & Invest is a personal finance tool that helps you understand your spending by analyzing bank statement PDFs and CSVs. We are based at Meydan Grandstand, 6th floor, Meydan Road, Nad Al Sheba, Dubai, U.A.E.
For privacy questions, email privacy@spendandinvest.com.
What we collect
Account information
When you register, we store your email address, your password (hashed; we never see it in plain text), and optionally your first name. We also record when you signed up.
Bank statements
When you upload a PDF or CSV bank statement, we extract your transactions (date, vendor, amount) using AI. The uploaded PDF is stored securely in your account so you can re-download or delete it at any time. CSV uploads are not stored — only the extracted transaction data is kept.
Transaction data
We store the transactions extracted from your statements: dates, vendor names, amounts, and the spending categories assigned to each. We also store your budget targets, category preferences, detected recurring charges, and any questions you ask about your spending.
Usage data
We use PostHog to understand how people use the app — which pages are visited, which features are used, and where things break. PostHog also records browsing sessions (mouse movements and clicks) with all text inputs masked. We do not record what you type into forms.
How we use your data
- Categorize your transactions and show spending breakdowns
- Answer questions you ask about your spending
- Generate spending insights on your dashboard
- Detect recurring charges and subscriptions
- Send you emails you opted into (upload reminders, spending tips)
- Fix bugs and improve the product based on usage patterns
- Improve parsing accuracy across different bank statement formats
Who processes your data
We use a small number of third-party services to run the app:
| Service | What it does | What it sees |
|---|---|---|
| Supabase | Database, file storage, authentication | All account and transaction data (encrypted at rest) |
| Anthropic (Claude AI) | Reads your PDF to extract transactions, categorizes spending, answers your questions | PDF contents during processing, transaction data for categorization |
| Resend | Sends emails | Your email address and email content |
| PostHog | Product analytics and session recording | Page visits, clicks, anonymized session recordings (text inputs masked) |
| Vercel | Hosts the website | Web requests (standard server logs) |
We do not sell your data. We do not share it with advertisers. These services process data on our behalf to run the app — nothing else.
How we protect your data
- All data is encrypted in transit (HTTPS) and at rest (Supabase AES-256)
- Uploaded PDFs are stored in a private bucket — only you can access your files
- Row-level security on every database table restricts access to your own data
- Storage-level security policies prevent any user from accessing another user's files
- Passwords are hashed with bcrypt — we never store or see your password
- Rate limiting on all API endpoints to prevent abuse
- We never ask for or store your bank login credentials
Cookies
We use a small number of cookies:
- Authentication cookies — keep you logged in between visits (required for the app to work)
- Analytics cookies — PostHog uses a session cookie to understand usage patterns (no advertising or third-party tracking)
Emails
We send transactional emails (account deletion confirmations, security alerts) that are required for the service to work. We also send optional emails like upload reminders and spending tips. Every optional email includes an unsubscribe link. You can also manage your email preferences in Settings.
How long we keep your data
- Account and transaction data — kept until you delete your account
- Uploaded PDFs — kept until you delete the statement or your account
- Analytics data — PostHog retains usage data for 90 days
- Deletion audit logs — kept for 90 days after account deletion for compliance
Deleting your data
You can delete individual statements (and their PDFs) from the statement list at any time. To delete everything, go to Settings and request account deletion. We will email you a confirmation link. After you confirm, there is a 7-day grace period during which you can cancel. After 7 days, all your data is permanently deleted — account, transactions, statements, categories, everything.
Your rights
You can:
- Access all your data through the app at any time
- Delete individual statements or your entire account
- Unsubscribe from optional emails with one click
- Request a copy of your data by emailing privacy@spendandinvest.com
- Ask us to correct inaccurate personal data
If you are in the EU, you have additional rights under GDPR including the right to data portability and the right to object to processing. Contact us at the email above.
Children
Spend & Invest is not intended for anyone under 18. We do not knowingly collect data from minors. If you believe a minor has created an account, contact us and we will delete it.
Changes to this policy
If we make meaningful changes, we will update this page and the date at the top. For significant changes that affect how we handle your financial data, we will also email you.
Questions? Email privacy@spendandinvest.com or write to us at Meydan Grandstand, 6th floor, Meydan Road, Nad Al Sheba, Dubai, U.A.E.