Privacy Policy

Last Updated: 17/06/2026

1. Introduction

Welcome to EXPNext.

EXPNext is a personal finance management application operated by INVOVANE COMPANY ("we," "us," or "our"). EXPNext helps you track personal financial records including expenses, incomes, loans, savings goals, purchases, financial payments, and documents.

Registered Address: 489 Shaw Boulevard, Mandaluyong City, Metro Manila, Philippines

Website: www.expnext.com

Support: support@expnext.com

Data Protection Officer: privacy@expnext.com

This Privacy Policy explains how we collect, use, disclose, and protect your information when you use the EXPNext mobile application. By using EXPNext, you agree to the collection and use of information in accordance with this Privacy Policy.

2. Defined Terms

  • "Service" refers to the EXPNext mobile application.
  • "Personal Data" refers to any information relating to an identified or identifiable natural person.
  • "Usage Data" refers to data collected automatically as a result of your use of the Service.
  • "Data Controller" means INVOVANE COMPANY, which determines the purposes and means of processing your Personal Data.
  • "Data Processor" means any third party that processes data on our behalf under our instructions.
  • "User" means the individual using the Service.

3. Information Collection

We collect information to provide, maintain, and improve the Service. We collect only what is necessary for these purposes.

4. Data Types Collected

A. Account Data (collected when you register)

  • First name and last name
  • Email address
  • Phone number (optional)
  • Profile photo (optional)
  • Country and preferred currency
  • Account creation and last updated timestamps

B. Financial Data (entered by you)

  • Expenses: category (18 types including bills, food, healthcare, education, transportation, entertainment, taxes, etc.), title, description, amount, date, recurrence type, status
  • Incomes: type (11 types including salary, business, freelance, rental, investment, etc.), title, description, amount, date, recurrence
  • Loans: lender name, principal amount, interest rate, loan term, monthly payment, outstanding balance, start and due dates, status
  • Loan payments: amount, principal and interest portions, payment date, notes
  • Savings goals: goal name, description, achievement status, deposit and withdrawal history
  • Purchases: item name, description, amount, purchase date, store name, warranty start and end dates
  • Financial payment records: payment method (cash, bank transfer, GCash, PayMaya, credit card, debit card, check), amount, status, payment date

C. Document Data (Premium users, via Google Drive)

  • File name, file type, file size in bytes
  • Google Drive file ID and folder ID (references only — actual document files are stored in your personal Google Drive, not our servers)
  • Document category (receipt, invoice, bank statement, tax document, contract, proof of payment, quote, other)
  • Upload timestamp, last access timestamp
  • Document audit log entries (actions: upload, view, download, delete) retained for security compliance

D. Usage and Analytics Data (when analytics are enabled)

  • App usage events (e.g., feature used, screen viewed, subscription purchase initiated)
  • Email domain (e.g., "@gmail.com" — not your full email address) for cohort analysis
  • Subscription plan type
  • Analytics are currently disabled by default; if enabled in a future update, you will be notified

E. Device and Technical Data

  • FCM (Firebase Cloud Messaging) device token — stored in your account profile and cleared on logout; used to deliver push notifications to your device
  • IP address — used transiently for country detection; not stored persistently in the EXPNext application database. Your IP address may appear in server infrastructure access logs maintained by Supabase as part of standard cloud hosting operations (see Supabase Privacy Policy).

F. Location Data

  • Country detected from your device's IP address via ipapi.co and ipinfo.io. Your IP address is used transiently for this lookup and is not stored persistently by EXPNext.
  • As a fallback, country may also be inferred from your device's system timezone or locale setting. No GPS or precise location data is collected.
  • EXPNext does not request or use device GPS location. No location permissions are requested from your device.

G. Subscription and Billing Data

  • Subscription plan (free or premium), billing cycle (monthly or yearly)
  • Google Play subscription ID and purchase token (used for subscription verification with Google Play)
  • Subscription status, start date, next billing date, expiry date
  • Payment records: amount, currency, payment method (Google Play), billing period dates
  • No credit or debit card numbers, bank account details, or payment credentials are ever collected or stored by EXPNext; all payment processing is handled entirely by Google Play

H. Guest / Anonymous User Data

  • Anonymous session ID (stored locally on your device and in our database)
  • Approximate country (detected from IP address for currency default selection)
  • Any financial data you enter during a guest session

Guest data is stored on our servers linked to your anonymous session. If you sign in with Google or register with an email, all guest data is permanently migrated to your new account. If you clear app data or change devices without signing in, guest data cannot be recovered.

I. In-App Activity Log

  • Recent activity entries displayed on your Home screen dashboard: action type (created or updated), entity type (expense / income / financial payment), entity name, and timestamp
  • Stored in Supabase; retained while your account is active and removed within 90 days of account deletion
  • Used solely to display the Recent Activities feed on your Home screen; not shared with third parties or used for profiling

5. How We Collect Information

  • Directly from you: Information you enter into the App (financial records, profile details, documents).
  • Automatically: Your device's IP address (for country detection), your FCM token (generated by Firebase on app launch and login).
  • From third parties: When you choose to sign in with Google, Google Sign-In provides your name, email address, and profile photo URL to EXPNext for account creation and identification purposes only.

6. How We Use Your Information

We use the information we collect to:

  1. Provide, operate, and maintain the EXPNext Service.
  2. Authenticate your identity and maintain your session.
  3. Send push notifications for scheduled payment reminders and service alerts.
  4. Process subscription purchases and manage billing through Google Play.
  5. Detect your country to set a default currency for your account.
  6. Generate PDF summaries of your financial payment records.
  7. Monitor and improve App performance and features via analytics (when enabled).
  8. Comply with applicable laws and enforce our Terms and Conditions.
  9. Communicate service updates, security alerts, billing notifications, password reset OTP codes, and subscription upgrade confirmation emails.
  10. Respond to your customer support requests.
  11. Run user acquisition advertising campaigns through Google Ads (ad interaction data only; no App financial data is shared).

7. Data Retention

We retain your data for as long as necessary to provide the Service or as required by applicable law.

  • Active account: All data retained while your account is active.
  • After account deletion — personal profile data: removed within 30 days.
  • After account deletion — financial records (expenses, incomes, loans, savings, purchases, payments): removed within 90 days.
  • Document audit logs: retained for 1 year for security and compliance.
  • Google Drive documents: remain in your personal Google Drive indefinitely after account deletion; EXPNext does not delete your Drive files — you must delete them manually from Google Drive.
  • Abandoned guest sessions (where no account is created and no activity for 90 days): anonymous session data and any financial records entered are automatically deleted after 90 days of inactivity.
  • Anonymized or aggregated usage analytics: may be retained indefinitely for service improvement.
  • Billing records: may be retained longer where required by applicable tax or legal compliance obligations.

8. Data Transfer

Your data may be transferred to and processed on servers outside your country of residence, including in the United States (Supabase, Google). We ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EU/EEA.
  • UK International Data Transfer Agreements (IDTAs) for transfers from the United Kingdom.
  • Supabase and Google comply with applicable international data protection frameworks (GDPR, SOC 2, ISO 27001).

By using EXPNext, you consent to the international transfer of your data as described in this Privacy Policy.

9. Data Disclosure

We do not sell, rent, or trade your Personal Data. We may disclose your information only in the following limited circumstances:

  1. Legal Requirements: When required by applicable law, regulation, valid legal process, or governmental authority request.
  2. Business Transactions: In connection with a merger, acquisition, or asset sale; we will notify you before your data is subject to a different privacy policy.
  3. Service Providers: To contracted third-party providers who assist us in operating the Service (see Section 14); all providers are contractually bound to protect your data and use it only for specified purposes.
  4. Protection of Rights: When necessary to protect the rights, property, or safety of EXPNext, our users, or the public.

WE DO NOT SELL, RENT, OR SHARE YOUR PERSONAL OR FINANCIAL DATA WITH THIRD PARTIES FOR ADVERTISING, MARKETING, OR ANY COMMERCIAL PURPOSE.

10. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

  • AES-256 encryption for sensitive locally cached credentials (via Flutter Secure Storage, hardware-backed on supported devices).
  • CSRF token protection for all API requests.
  • OTP verification codes encrypted in local storage with a 10-minute expiry.
  • Automatic EXIF metadata removal from all uploaded images (removes GPS coordinates, camera information, and personal metadata before storage).
  • HTTPS/TLS encryption for all data in transit.
  • Supabase database encrypted at rest and in transit (AES-256).
  • No plaintext passwords stored anywhere in the system.

Data Breach Notification:

In the event of a personal data breach that is likely to create a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by GDPR, UK GDPR, the Australian Notifiable Data Breaches scheme, and other applicable laws).
  • Notify affected users without undue delay when the breach poses a high risk to their rights.
  • Maintain an internal breach register documenting all security incidents.

While we take all reasonable precautions, no electronic transmission or storage method is 100% secure. We cannot guarantee absolute security of your data.

11. Your Rights Regarding Data Protection (GDPR — EU/EEA Users)

If you reside in the European Union or European Economic Area, you have the following rights under the General Data Protection Regulation (GDPR):

  1. Right of Access: Request a copy of the Personal Data we hold about you.
  2. Right to Rectification: Request correction of inaccurate or incomplete data.
  3. Right to Erasure ("Right to be Forgotten"): Request deletion of your Personal Data, subject to legal retention requirements.
  4. Right to Restriction: Request that we limit processing of your data in certain circumstances.
  5. Right to Data Portability: Receive your Personal Data in a structured, commonly used, machine-readable format.
  6. Right to Object: Object to processing based on legitimate interests.
  7. Right to Withdraw Consent: Withdraw consent at any time for consent-based processing (such as analytics).

Legal Basis for Processing (GDPR):

  • Contractual necessity: All core data processing - financial records, account data, FCM tokens, subscription data - necessary to deliver the Service you signed up for.
  • Consent: Analytics tracking (when enabled). You may withdraw consent at any time by contacting support@expnext.com.
  • Legitimate interests: Security monitoring, fraud prevention, service improvement.
  • Legal obligation: Data retention for tax, audit, or compliance requirements.

To exercise your GDPR rights, contact us at privacy@expnext.com. We will respond within one calendar month and may require verification of your identity before processing requests. You have the right to lodge a complaint with your local Data Protection Authority (DPA).

11A. CalOPPA and Do Not Track

In compliance with CalOPPA:

  • Users may use the App anonymously via Guest Mode.
  • Privacy Policy changes are communicated via this page and in-app notifications.
  • You may update personal information by contacting support@expnext.com.

EXPNext does not track users across third-party apps or websites for advertising or behavioral profiling purposes. Our analytics (PostHog) are currently disabled by default.

12. California Consumer Privacy Act (CCPA)

If you are a California resident, you have the following rights:

  1. Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources, purposes, and third parties with whom we share it.
  2. Right to Delete: Request deletion of your personal information, subject to certain legal exceptions.
  3. Right to Opt-Out of Sale: We do NOT sell your personal information and will not do so without providing prior notice and an opt-out mechanism.
  4. Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To submit a CCPA request, email support@expnext.com. You may make up to two requests per 12-month period.

12A. United Kingdom Data Protection Rights

If you reside in the United Kingdom, your rights under the UK GDPR and Data Protection Act 2018 mirror those described in Section 11. Additionally:

  • You may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
  • International transfers from the UK are protected by UK International Data Transfer Agreements (IDTAs).
  • You have a 14-day cooling-off period for subscription purchases under the Consumer Contracts Regulations 2013, during which you may cancel for a full refund if the service has not been fully performed.

12B. Australian Privacy Rights

If you reside in Australia, the Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs) apply. You have the right to:

  • Access and request correction of your personal information (APP 12 and APP 13).
  • Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
  • Be notified of data breaches likely to result in serious harm (Notifiable Data Breaches scheme).
  • Under the Australian Consumer Law, you are entitled to remedies if the Service fails to meet statutory guarantees.

12C. Canadian Privacy Rights

If you reside in Canada, PIPEDA and, for Quebec residents, Quebec Law 25 apply. You have the right to:

  • Access and request correction of your personal information.
  • Withdraw consent to collection, use, or disclosure of personal information.
  • Lodge a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca.
  • Quebec residents may also contact the Commission d'acces a l'information du Quebec (CAI).

12D. Singapore Privacy Rights (PDPA)

If you reside in Singapore, the Personal Data Protection Act 2012 (PDPA) applies. You have the right to:

  • Access and correct your personal data.
  • Withdraw consent (subject to legal or contractual restrictions and reasonable notice).
  • Exercise data portability rights under the Data Portability Obligation.
  • Lodge a complaint with the Personal Data Protection Commission (PDPC) at pdpc.gov.sg.

12E. United Arab Emirates Privacy Rights (PDPL)

If you reside in the UAE, the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) applies. You have the right to access, correct, and delete your personal data, and may lodge a complaint with the UAE Data Office. Cross-border transfers comply with applicable UAE PDPL requirements.

12F. South African Privacy Rights (POPIA)

If you reside in South Africa, the Protection of Personal Information Act (POPIA) applies. You have the right to access, correct, and delete personal information, object to processing, and lodge a complaint with the Information Regulator at inforegulator.org.za. We process your data in accordance with the 8 conditions for lawful processing under POPIA.

12G. Nigerian Privacy Rights (NDPA)

If you reside in Nigeria, the Nigeria Data Protection Act 2023 (NDPA) applies. You have the right to access, correct, delete, and port your personal data, withdraw consent, and lodge a complaint with the Nigeria Data Protection Commission (NDPC). We comply with the data protection principles set out in the NDPA.

12H. Indian Privacy Rights (DPDP Act)

If you reside in India, the Digital Personal Data Protection Act 2023 (DPDP Act) applies. You have the right to access, correct, and erase your personal data, and to nominate a person to exercise your rights in case of death or incapacity. You may lodge a grievance with our Data Protection Officer at privacy@expnext.com or approach the Data Protection Board of India for unresolved complaints. We obtain your consent before processing personal data and provide clear notice of the purpose.

12I. New Zealand Privacy Rights

If you reside in New Zealand, the Privacy Act 2020 applies. You have the right to access and correct your personal information (Information Privacy Principles 6 and 7). You may lodge a complaint with the Office of the Privacy Commissioner at privacy.org.nz. We will notify the Privacy Commissioner and affected individuals of notifiable privacy breaches.

12J. Philippine Data Privacy Rights (Republic Act No. 10173)

EXPNext is operated by INVOVANE COMPANY, a company registered in the Philippines. The Data Privacy Act of 2012 (RA 10173) and its Implementing Rules and Regulations (IRR) apply to all personal data we process, regardless of where you are located.

INVOVANE COMPANY is the Personal Information Controller (PIC) for all personal data collected through EXPNext.

Sensitive Personal Information (SPI):

Under RA 10173 Section 3(l), financial information is classified as Sensitive Personal Information. This means your financial records in EXPNext — including expenses, incomes, loans, savings, purchases, and financial payments — are treated with the highest level of protection under Philippine law. We process this data as necessary to fulfill our contractual obligations to you (providing the personal finance tracking service you registered for), and in compliance with our legal obligations under RA 10173.

Your Rights as a Data Subject under RA 10173:

  1. Right to be Informed: You have the right to know how your personal data is collected, used, and processed. This Privacy Policy fulfills that obligation.
  2. Right to Access: Request a copy of your personal data we hold, how it has been processed, the sources it was obtained from, and the recipients to whom it has been disclosed.
  3. Right to Object: Object to the processing of your personal data, including processing for direct marketing, automated processing, or profiling.
  4. Right to Erasure or Blocking: Request deletion or blocking of your personal data if it is incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes, or no longer necessary for the purpose it was collected.
  5. Right to Damages: Seek compensation for any damages sustained due to inaccurate, incomplete, outdated, false, or unlawfully obtained personal data.
  6. Right to Data Portability: Request your personal data in a structured, commonly used, machine-readable format, and transmit it to another system where technically feasible.
  7. Right to Complain: Lodge a complaint with the National Privacy Commission (NPC) if you believe your data privacy rights have been violated.

To exercise any of these rights, contact:

Email: privacy@expnext.com (Data Protection Officer)

Support: support@expnext.com

National Privacy Commission (Supervisory Authority):

  • Website: privacy.gov.ph
  • NPC Complaints: complaints@privacy.gov.ph
  • Address: 5th Floor, Delegation Building, PICC Complex, Pasay City, Metro Manila

Data Breach Notification:

In the event of a personal data breach involving your information, INVOVANE COMPANY will:

  • Notify the National Privacy Commission within 72 hours of discovering the breach.
  • Notify affected data subjects within 5 business days if the breach poses a real risk to your rights and freedoms.
  • Provide details of the nature of the breach, the personal data involved, the measures taken or proposed, and contact details for further information.

Cross-Border Data Transfer:

Your personal data is transferred to and processed in the United States (Supabase, Google). Under RA 10173 and NPC Circular 16-01, we ensure these transfers comply with Philippine data privacy standards. Our service providers (Supabase, Google) maintain adequate data protection measures including Standard Contractual Clauses and international certifications (SOC 2, ISO 27001) that satisfy the requirements of RA 10173 for cross-border data transfers.

NPC Registration:

INVOVANE COMPANY complies with NPC registration requirements for personal information controllers processing personal data of covered individuals under RA 10173 and applicable NPC issuances.

13. Data Storage and File Handling

A. Supabase Database and File Storage

All financial records, user profile data, subscription data, notification data, and document metadata are stored in Supabase (a third-party cloud infrastructure provider operating on AWS global infrastructure).

  • Encryption: AES-256 at rest; TLS 1.3 in transit.
  • Compliance: GDPR, SOC 2 Type II.
  • Privacy Policy: supabase.com/privacy

Profile photos and images uploaded to EXPNext are stored in Supabase Storage with EXIF metadata automatically stripped for privacy protection before upload.

B. Google Drive Document Storage (Premium Users)

For Premium subscribers, financial documents are stored in your personal Google Drive account — NOT on EXPNext servers. We store only document metadata (file references, names, types, upload dates, audit logs) in our database. Actual document files reside exclusively in your Google Drive.

EXPNext creates a dedicated "EXPNext_Documents" folder in your Drive and has access only to files it creates (using the restricted "drive.file" OAuth scope). We cannot access, view, or modify any other files in your Google Drive.

C. Local Device Storage

Sensitive credentials and session tokens are stored using Flutter Secure Storage (hardware-backed encrypted storage on supported Android devices). Non-sensitive preferences (currency settings, display preferences) are stored in SharedPreferences. Encryption keys are generated on first launch and persisted securely per device.

D. PDF Download to Device Storage

Premium users can download financial payment summaries as PDF files. These PDFs are generated entirely on-device and saved to your device's Downloads folder. No financial data is transmitted to any server during PDF generation or saving. The file is created locally and remains fully under your control.

14. Service Providers

We use the following contracted third-party service providers to operate the Service. Each is bound by data processing agreements to protect your data and use it only for the purposes specified.

Google LLC — Authentication (Google Sign-In)

Data shared: Name, email address, profile photo URL (basic profile only)

Purpose: User account authentication and identification

Google LLC — Google Drive (Premium document storage)

Data shared: Document files you upload (stored in your own Google Drive)

Purpose: Document management for Premium subscribers

Google LLC — Google Play Billing

Data shared: Subscription purchase tokens and billing confirmation

Purpose: Subscription payment processing

Firebase (Google LLC) — Cloud Messaging (FCM)

Data shared: FCM device token

Purpose: Delivery of push notifications for payment reminders

Google LLC — Google Ads (advertising)

Data shared: Ad interaction data (clicks, impressions) collected by Google on ad platforms. No financial data from the App is shared.

Purpose: User acquisition advertising campaigns

Supabase Inc. — Database, Storage, and Backend

Data shared: All app data (financial records, user profile, document metadata, subscription data)

Purpose: Database storage, file storage, authentication, edge functions

Mailtrap (Railsware Products, Inc.) — Transactional Email

Data shared: Email address and first name; OTP codes; subscription plan name

Purpose: OTP verification emails, password reset emails, and subscription upgrade confirmation emails

PostHog Inc. — App Analytics (when enabled)

Data shared: User ID, email domain, subscription plan, anonymized app events

Purpose: App usage analytics for product improvement

ipapi.co and ipinfo.io — IP Geolocation

Data shared: IP address (used for a single lookup; not stored persistently by EXPNext)

Purpose: Detect user country for default currency selection

15. Analytics

We may use PostHog analytics (currently disabled by default) to monitor App usage. When analytics are enabled:

  • We collect anonymized usage events and your email domain only (not your full email address or any financial data).
  • No financial records, account balances, or sensitive personal data are transmitted to analytics providers.
  • You may opt out of analytics tracking at any time by contacting support@expnext.com.

16. Payments

All paid transactions are processed through Google Play Billing. When you subscribe to the Premium Plan:

  • Payment data is processed directly by Google Play and is NOT stored on EXPNext servers.
  • We receive only a transaction confirmation, subscription status, and a purchase token from Google Play.
  • All payment disputes and refund requests are handled through Google Play Store policies.
  • Google Play Billing is PCI DSS compliant.

17. Third-Party Links

The App may contain links to third-party websites or services. We have no control over and assume no responsibility for the content, privacy practices, or availability of those external sites. We encourage you to review the privacy policy of any third-party site you visit.

18. Children's Privacy

EXPNext is not intended for use by persons under the age of 18. We do not knowingly collect Personal Data from individuals under 18. If we become aware that we have collected personal data from a person under 18 without verified parental consent, we will take immediate steps to delete that information.

If you believe a child under 18 has provided us with personal data, please contact us at support@expnext.com.

19. Modifications to This Privacy Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' advance notice via in-app notification and email before the changes take effect. The updated policy will also be accessible within the App with a revised "Last Updated" date.

Continued use of EXPNext after changes take effect constitutes your acceptance of the updated Privacy Policy. If you do not agree, please stop using the App and contact us to request account deletion.

20. Contact Us

For privacy questions, data access requests, or concerns:

Email: support@expnext.com

Data Protection Officer: privacy@expnext.com

Website: www.expnext.com

Address: 489 Shaw Boulevard, Mandaluyong City, Metro Manila, Philippines