We at Aryabhatta Labs are committed to maintaining the accuracy, confidentiality, and security of your personally identifiable information ("Personal Information"). As part of this commitment, our privacy policy governs our actions as they relate to the collection, use and disclosure of Personal Information. Our privacy policy is based upon the values set by the Canadian Standards Association's Model Code for the Protection of Personal Information and Canada's Personal Information Protection and Electronic Documents Act.
Location Data & Trip Tracking
ExpenseFlow's primary purpose is to automatically track your business trips and calculate mileage for expense reporting. To do this, we collect and use location data.
What We Collect
- GPS coordinates (latitude, longitude, and altitude)
- Timestamp of each location point
- Movement type (walking, driving, or stationary)
- Data is collected every few seconds while Trip Tracking is active
When We Collect
- Trip Tracking begins when you enable the "Track Drive" feature in the app
- Location collection continues even when the app is closed (background tracking)
- Trip Tracking stops when you disable it or manually end the trip
- You have complete control over when tracking is active
Why We Collect
- Automatic trip detection: Identify when you are traveling for business
- Mileage calculation: Calculate distances for expense reporting and tax purposes
- Route history: Allow you to review and verify past trips
- Expense matching: Connect trips to related business expenses
How Long We Keep It
- Location data: Retained for 366 days from collection, or until account deletion, whichever occurs sooner. This enables you to review past trips and generate annual mileage reports for tax purposes.
- Trip data: Retained for 367 days from collection, or until account deletion, whichever occurs sooner. This supports expense reporting and tax compliance documentation.
- After these periods, data is automatically and permanently deleted.
- You can request immediate deletion by deleting your account via Settings > Delete Account.
Who Can Access It
- Your location data is encrypted in transit and at rest
- Only you and your organization's authorized administrators can view trip data
- We do not sell your location data to any third party
- We have an offline mechanism that allows only specific authorized individuals to access user data, and that access is logged
Background Location Tracking
ExpenseFlow requests permission to access your location in the background to capture complete trip data without requiring the app to remain open.
- Location data is collected even when the app is closed or your device is locked
- This ensures accurate mileage tracking for your entire business trip
- Battery impact is minimized through efficient location collection algorithms
- You can disable background location access in your device Settings > Apps > ExpenseFlow > Permissions > Location
- You can also disable Trip Tracking within the app anytime by tapping the Track Drive button
Third-Party Services & Data Sharing
We use the following third-party services to deliver ExpenseFlow functionality:
Google Maps API
- Purpose: Convert GPS coordinates to street addresses (geocoding)
- Data Shared: GPS coordinates from your trips
- Privacy Policy: Google Privacy Policy
Sentry
- Purpose: Error tracking and application performance monitoring
- Data Shared: Error logs, crash reports, anonymized usage patterns
- Note: We remove sensitive information before sending data to Sentry
- Privacy Policy: Sentry Privacy Policy
Stripe
- Purpose: Payment processing for subscriptions
- Data Shared: Email address, payment information, customer ID
- Privacy Policy: Stripe Privacy Policy
RevenueCat
- Purpose: Subscription and in-app purchase management
- Data Shared: User ID, subscription status, entitlement data
- Privacy Policy: RevenueCat Privacy Policy
Postmark
- Purpose: Sending transactional emails (receipts, notifications)
- Data Shared: Email address, name, transaction details
- Privacy Policy: Postmark Privacy Policy
We do not share your data with any other third parties without your explicit consent.
1. Introduction
We are responsible for maintaining and protecting the Personal Information under our control. We have designated an individual or individuals who is/are responsible for compliance with our privacy policy.
2. Identifying Purposes
We collect, use and disclose Personal Information to provide you with the product or service you have requested and to offer you additional products and services we believe you might be interested in. The purposes for which we collect Personal Information will be identified before or at the time we collect the information. In certain circumstances, the purposes for which information is collected may be clear, and consent may be implied, such as where your name, address and payment information are provided as part of the order process.
3. Consent
Knowledge and consent are required for the collection, use or disclosure of Personal Information except where required or permitted by law. Providing us with your Personal Information is always your choice. However, your decision not to provide certain information may limit our ability to provide you with our products or services. We will not require you to consent to the collection, use, or disclosure of information as a condition to the supply of a product or service, except as required to be able to supply the product or service.
4. Limiting Collection
The Personal Information collected will be limited to those details necessary for the purposes identified by us. With your consent, we may collect Personal Information from you in person, over the telephone or by corresponding with you via mail, facsimile, or the Internet.
5. Limiting Use, Disclosure and Retention
Personal Information may only be used or disclosed for the purpose for which it was collected unless you have otherwise consented, or when it is required or permitted by law. Personal Information will only be retained for the period of time required to fulfill the purpose for which we collected it or as may be required by law.
Data Retention Policy
We collect and retain the following types of user data:
- User Account Details (name, contact information, login credentials) — Retained until the user account is deleted.
- User's Approvers (designated supervisors or managers) — Retained until the user account is deleted.
- Location History (GPS coordinates, timestamps, activity recognition) — Retained for 366 days from collection, or until account deletion, whichever occurs sooner.
- Trip Details (detailed trip logs, routes, timestamps, distances) — Retained for 367 days from collection, or until account deletion, whichever occurs sooner.
- Trip Summary (aggregated trip statistics) — Retained for 733 days from collection, or until account deletion, whichever occurs sooner.
- Expense Reports — Retained for 733 days from creation, or until account deletion, whichever occurs sooner.
- Billing Records (including email address, account ID, and payment history) — Retained for 5 years after the account is deleted, for tax, accounting, and compliance purposes.
We may retain specific data beyond the stated retention periods if required by applicable law, regulation, or for the establishment, exercise, or defense of legal claims.
6. Accuracy
Personal Information will be maintained in as accurate, complete and up-to-date form as is necessary to fulfill the purposes for which it is to be used.
7. Safeguarding Customer Information
Personal Information will be protected by security safeguards that are appropriate to the sensitivity level of the information. We take all reasonable precautions to protect your Personal Information from any loss or unauthorized use, access or disclosure. We have implemented an offline mechanism to restrict access to user data. Only specifically authorized individuals can access user data, and all such access is logged and auditable. This ensures accountability and limits exposure of sensitive information.
8. Openness
We will make information available to you about our policies and practices with respect to the management of your Personal Information.
9. Customer Access
Upon request, you will be informed of the existence, use and disclosure of your Personal Information, and will be given access to it. You may verify the accuracy and completeness of your Personal Information, and may request that it be amended, if appropriate. However, in certain circumstances permitted by law, we will not disclose certain information to you. For example, we may not disclose information relating to you if other individuals are referenced or if there are legal, security or commercial proprietary restrictions.
Your Privacy Rights
You have rights regarding your personal data:
Data Access & Control
- View Your Data: Access Settings > Export My Data to download all your information in JSON format
- Delete Your Data: Access Settings > Delete Account to permanently delete your account and all data. This includes trips, expenses, GPS logs, and personal information. Data deletion completes within 30 days.
- Stop Location Tracking: Disable Trip Tracking anytime by turning off the "Track Drive" feature. You can re-enable it whenever needed.
- Disable Error Reporting: Access Settings > Privacy to disable Sentry error reporting. The app functions normally without error reporting enabled.
GDPR Rights (European Union Residents)
Under the General Data Protection Regulation, you have the right to:
- Access: Request a copy of your personal data (Settings > Export My Data)
- Rectification: Update inaccurate or incomplete data within the app
- Erasure: Delete your account and all data (Settings > Delete Account)
- Object: Disable Trip Tracking to stop location collection
- Data Portability: Export your data in machine-readable format
- Withdraw Consent: Revoke permissions at any time
To exercise these rights, use the in-app settings or contact us at privacy@aryabhatta.ca
CCPA Rights (California Residents)
Under the California Consumer Privacy Act, you have the right to:
- Know: We collect name, email, location data, expense information
- Delete: Request deletion via Settings > Delete Account
- Opt-Out: We do NOT sell your personal information
- Non-Discrimination: We will not discriminate against you for exercising your rights
To exercise these rights, contact us at privacy@aryabhatta.ca or use in-app settings.
10. Cookies
A cookie is a small computer file or piece of information that may be stored in your computer's hard drive when you visit our websites. We may use cookies to improve our website's functionality and in some cases, to provide visitors with a customized online experience.
Cookies are widely used and most web browsers are configured initially to accept cookies automatically. You may change your Internet browser settings to prevent your computer from accepting cookies or to notify you when you receive a cookie so that you may decline its acceptance. Please note, however, if you disable cookies, you may not experience optimal performance of our website.
11. Other Websites
Our website may contain links to other third party sites that are not governed by this privacy policy. Although we endeavour to only link to sites with high privacy standards, our privacy policy will no longer apply once you leave our website. Additionally, we are not responsible for the privacy practices employed by third party websites. Therefore, we suggest that you examine the privacy statements of those sites to learn how your information may be collected, used, shared and disclosed.
12. Handling Customer Complaints and Suggestions
You may direct any questions or enquiries with respect to our privacy policy or our practices to us via the contact form on the Aryabhatta Labs website.