Back to Home

Security & Trust

Last Updated: 15 July, 2026

1. Encryption & Data Protection

All your financial data is encrypted at rest and in transit using AES-256 encryption — the same standard used by banks and governments worldwide. Passwords are hashed using bcrypt and are never readable by anyone, including our team.

We maintain HTTP Strict Transport Security (HSTS) and use TLS 1.3 for all connections to ensure your data remains private during transmission between your device and our servers.

2. SMS Privacy & Permissions

ExpensePal reads only transaction SMS from known bank sender IDs (e.g., "SBIBNK", "HDFCBK", "ICICIB"). We extract the transaction amount, date, and merchant name. Raw SMS content is never stored on our servers.

The app requests only essential permissions: SMS read (for transaction import) and notifications (for budget alerts). We never access personal chats, contacts, location, or your camera roll unless you actively use the receipt scanner.

3. Secure Cloud Infrastructure

Your data is hosted on secure cloud servers with ISO 27001 certified data centers. Our infrastructure undergoes regular security reviews and penetration testing to identify and patch vulnerabilities before they can be exploited.

We follow a zero-knowledge approach to your data. Your financial information belongs to you. We never sell, share, or monetize your transaction data with third parties.

4. Data Handling & Portability

We collect only what's necessary to provide the service: transaction data from SMS, your email address for account management, and basic anonymous usage analytics to improve the app. This data cannot be linked back to your identity or financial information.

You can export or delete your data at any time. We believe you should have full control over your financial information, with no vendor lock-in. Account deletion permanently removes all your data from our systems.

5. Security at a Glance

Here's a summary of the security measures we employ to protect your data:

  • 256-Bit Encryption — AES-256 encryption for data at rest and in transit.
  • TLS 1.3 — All data in transit secured with the latest transport layer security protocol.
  • ISO 27001 Certified — Data centers meeting international security standards.
  • Zero Data Sharing — We never sell or share your financial information.
  • Regular Audits — Code and infrastructure reviewed through penetration testing.
  • Data Portability — Export or delete your data at any time.

6. Your Rights & Contact

You have the right to access, correct, or delete your personal data at any time. If you have questions about how we protect your information, or if you'd like to exercise any of your data rights, please reach out to our security team.