Plenty·Legal
Privacy Policy
Plenty is an expense-tracking app operated by an independent software developer based in India (“Plenty”, “we”, “us”). This policy explains what personal data we collect through the Plenty mobile app and our website waitlist, why we collect it, who processes it on our behalf, and the rights you have — including under the EU/UK General Data Protection Regulation (GDPR) and India’s Digital Personal Data Protection Act, 2023 (DPDP Act). Under the DPDP Act, the operator of Plenty is the Data Fiduciary for your data.
We wrote this policy to match what the product actually does. If something is not listed here, we do not do it.
Questions, any time: arsudesandip4@gmail.com.
01What we collect
Account and profile
- Sign-in identity. You sign in with Google (or, on iOS when available, Apple). We receive an identity token from that provider and store your account — including your email address and the identifiers the provider shares — with Supabase, our authentication and database provider.
- Profile details you give us during setup: the display name you type, your base currency, preferred language, and your device’s timezone.
Your expense data
- Expenses: amount, currency, category, merchant/vendor, item name, optional note, and the date and time of the expense.
- The raw input you used to log an expense: the short text you typed (up to 100 characters) or the transcript of what you said (up to 200 characters), stored alongside the expense so you can see what was captured.
- Receipt photos: if you photograph or pick a receipt, the image is resized and compressed on your device, EXIF metadata (including any location data) is stripped before upload, and the file is stored in a private storage bucket scoped to your account.
- Subscriptions you track in the app (e.g. “Netflix, monthly”: vendor, amount, billing interval, next due date).
- Derived figures: daily spending totals, spending-pattern signals (e.g. merchant visit cadence, category streaks), and one short AI-written insight about your own spending.
Voice input
Speech-to-text happens through your device’s operating-system speech recognizer (Apple’s on iOS; on Android, your device’s speech service — typically Google’s). Plenty never receives or stores your audio. Depending on your device and language, the OS speech service may process audio on-device or on that provider’s servers under its own privacy policy. Only the resulting text transcript is sent to Plenty.
AI processing records
Each AI parsing or insight request is logged on our servers: the prompt text we sent, the structured result, token counts, latency, and estimated cost. Receipt image bytes are not stored in this log. Section 3 explains exactly what is sent to the AI provider, and when.
Payments and subscription status
Purchases are made through Google Play (and, if we launch on iOS, the App Store). We never see or store your card or bank details. We receive your subscription status (trial, active, expired, billing issue, and so on), product identifier, and billing-period dates via RevenueCat, our subscription-management provider, keyed to your account ID.
Device and diagnostic data
- Product analytics (PostHog): a fixed set of product events — onboarding steps viewed, notification-permission choice, paywall shown/purchased/restored, sign-up completion steps, and expense-capture success/failure — with limited properties (capture source: text/voice/photo; error reason codes; paywall variant; entitlement status) tied to your account ID. We deliberately do not send expense text, notes, amounts, or merchant names to analytics, and session replay is switched off. PostHog also serves our feature flags.
- Crash and performance reports (Sentry): stack traces and diagnostic breadcrumbs from the app and our servers. Before sending, the app scrubs emails, IP addresses, usernames, internal IDs in URLs, and any field whose name suggests expense content (amount, note, merchant, and similar).
- Push token: if you enable notifications, an Expo push token identifying your device.
- Server logs: operational logs of API activity (request IDs, error details), with authorization headers, cookies, passwords, and tokens redacted before storage.
Website waitlist
If you join the waitlist on our landing page, your email address is delivered to us via FormSubmit and used only to contact you about beta access. The landing page also loads fonts from Google Fonts, which sees your IP address as part of serving the font files.
What we do NOT collect: no contacts, no location, no bank or card account connections, no SMS reading, no advertising identifiers, no audio recordings, no session replay.
02Why we process your data
| Purpose | Data used | GDPR legal basis |
|---|---|---|
| Create and secure your account | Sign-in identity, profile | Contract |
| Turn what you type, say, or photograph into structured expenses (AI parsing) | Raw input text, voice transcript, receipt image | Contract |
| Show your history, analytics, and spending insights | Expense data, derived signals | Contract |
| Convert currencies | Base currency + public exchange rates | Contract |
| Operate your paid subscription | Purchase/subscription status | Contract |
| Send renewal reminders and notifications you enabled | Push token, tracked subscriptions | Consent (OS permission) |
| Fix crashes, keep the service reliable | Crash reports, server logs | Legitimate interests |
| Understand how the product is used and improve it | Analytics events | Legitimate interests |
| Prevent abuse and control AI costs | Per-account rate-limit counters, AI-run log | Legitimate interests |
Under the DPDP Act, we process your data for these stated purposes based on the consent you give when you create an account after seeing the notice at sign-in, and as necessary to provide the service you asked for. You can withdraw consent at any time by deleting your account (Section 7).
We do not sell your data, share it for third-party advertising, or use your data to train AI models.
03AI processing
Plenty’s core feature is AI-powered expense capture. Here is exactly what is sent to Google Gemini (Google’s AI API), and when:
- When you log an expense by typing or speaking, the text or transcript is sent to Gemini to be converted into a structured expense record.
- When you scan a receipt, the compressed, EXIF-stripped image is sent to Gemini to extract the expense details.
- To write your spending insight, aggregated statistics about your own spending (totals, categories, patterns) are sent — not your raw expense history.
These requests include no name, email address, or account identifier. We do not use your data to train AI models. AI output can be wrong — you can review, edit, or delete every captured expense, and our Terms explain why AI output is not financial advice.
04Who processes your data for us
We share personal data only with the processors below, only to run Plenty:
| Service | Purpose | Data shared |
|---|---|---|
| Supabase | Authentication, database, receipt storage | Account identity, profile, all expense data, receipt images, push tokens |
| Railway | Hosts our API and background workers | All data passing through our API |
| Google (Gemini API) | AI expense parsing and insight generation | Input text/transcripts, receipt images, aggregated spending statistics — no account identifiers |
| Google (Sign-In, Play Billing, device speech service) | Sign-in, payments, speech-to-text | Identity token; purchases (handled by Google); voice audio per your device settings |
| RevenueCat | Subscription management | Account ID, purchase and subscription status |
| PostHog | Product analytics, feature flags | Account ID, product events (no expense content) |
| Sentry | Crash/error reporting (app + server) | Redacted diagnostic data |
| Better Stack (Logtail) | Server log storage | Redacted server logs |
| Expo | Push notification delivery; app update delivery | Push token; notification content (e.g. “Netflix renews tomorrow — INR 649.00”); update requests from your device |
| Open Exchange Rates | Daily currency rates | None of your personal data |
| Brandfetch | Merchant logo lookup | Merchant names from our shared vendor catalogue (not linked to you); your device fetches logo images from Brandfetch’s CDN, which sees your IP |
| FormSubmit | Website waitlist email delivery | Waitlist email address |
| Apple (iOS, when available) | Sign in with Apple; speech recognition | Identity token; voice audio per your device settings |
05Where your data is processed
Our providers may process data outside your country, including in the United States and other regions where they operate. Where GDPR applies, cross-border transfers rely on adequacy decisions or standard contractual clauses offered by these providers.
06How long we keep data
- Expenses: until you delete them; a deleted expense is retained (hidden) for 90 days, then permanently erased together with its receipt image.
- Receipt photos: as long as the expense they belong to; abandoned uploads are purged automatically.
- Account, profile, tracked subscriptions: life of the account.
- AI-run logs: content scrubbed and unlinked from you when your account is deleted; anonymous usage and cost figures retained.
- Analytics, crash reports, server logs: per each provider’s retention settings.
07Your rights and controls
Built into the app (Profile tab):
- Export your data — download your full expense history as a JSON file (data portability).
- Correct your data — edit any expense; change your display name, language, and other profile fields.
- Clear your data — permanently wipe all expenses, tracked subscriptions, and insights while keeping your account and paid plan.
- Delete your account — permanently deletes your account, profile, expenses, subscriptions, insights, spending signals, entitlement record, and push tokens, and frees your email for future sign-up. Receipt images are removed by a scheduled cleanup within about one week. Deleting your account does not cancel your Google Play subscription — cancel that in Google Play (Play Store → Payments & subscriptions → Subscriptions).
- Notifications — toggle off in Profile; this deletes your device’s push token from our servers. You can also revoke camera, photo, and microphone permissions in your OS settings at any time.
You can also email arsudesandip4@gmail.com to exercise your rights of access, correction, erasure, restriction, portability, and objection (GDPR), or access, correction, erasure, grievance redressal, and nomination (DPDP Act). We respond within the timelines the applicable law requires. If you are unsatisfied, you may complain to your local data protection authority (EU/EEA/UK) or the Data Protection Board of India.
Grievance redressal (DPDP Act): write to arsudesandip4@gmail.com with the subject line “Grievance” — it goes directly to the operator of Plenty.
08Security
- All traffic uses HTTPS/TLS.
- Session tokens are stored in your device’s secure storage (Keychain / Android Keystore).
- Every database row and receipt file is isolated to your account with row-level security; one account cannot read another’s data.
- Receipt storage is a private bucket — there are no public links to your images.
- Access tokens, cookies, and secrets are redacted from our server logs; analytics and crash reports are scrubbed of expense content by design.
No system is perfectly secure. If a breach affects your personal data, we will notify you and the relevant authorities as required by law.
09Children
Plenty is a financial product and is not directed at children. You must be at least 18 years old (or the age of majority where you live) to use Plenty. We do not knowingly process children’s data; if you believe a child has created an account, contact us and we will delete it.
10Changes to this policy
We will post updates here and change the effective date above. For material changes, we will notify you in the app or by email before they take effect.
11Contact
Plenty — operated by an independent software developer, India.
Email: arsudesandip4@gmail.com
See also: Terms & Conditions.