Privacy Policy

We value your privacy and are committed to handling personal information responsibly, transparently, and in accordance with applicable data protection laws. This Privacy Policy describes the types of information we collect when you use Expento and our related products, how we use that information, and the rights and choices available to you.

By accessing or using our services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this policy, please discontinue use of the services.

Expento is a product operated by Aladdin Technologies Ltd., a company that builds software applications, including management, productivity, analytics, collaboration, and AI-enabled tools. Throughout this policy, references to “Expento,” “we,” “us,” or “our” refer to Aladdin Technologies Ltd. acting as the controller of personal information collected through Expento, unless stated otherwise.

Where Aladdin Technologies Ltd. provides other branded products, similar privacy principles will apply, and product-specific notices may supplement this policy where appropriate.

This policy applies to personal information we process when you:

• visit our websites and marketing pages;
• create an account, sign in, or otherwise interact with our web or mobile applications;
• use features offered through our products, including dashboards, collaboration tools, automation, and AI-assisted functionality;
• contact our support, sales, or administrative teams;
• participate in surveys, communications, or promotional activities that we operate.

This policy does not apply to third-party websites, products, or services that are not operated by us, even when they are linked from within our services. We encourage you to review the privacy notices of any third party you interact with.

We collect information in several ways, depending on how you interact with our services.

Information you provide directly

• Account information such as name, email address, password, profile picture, time zone, language, and similar registration details.
• Profile and organizational details such as job title, company name, team, or role, where relevant to the services you use.
• Contact information when you reach out to support, sales, or legal, including the content of your communications.
• User content such as documents, receipts, images, files, notes, records, comments, settings, and other material you upload, create, or transmit through the services.
• Transaction and subscription information where applicable, such as billing contact, plan details, purchase history, and limited payment metadata (we do not store full payment card numbers; payments are handled by our payment processors).

Information collected automatically

• Usage information such as pages and screens viewed, actions taken, features used, search queries, clicks, referring URLs, and timestamps.
• Device and technical information such as device type, operating system, browser type and version, IP address, approximate location derived from IP, crash reports, and diagnostic data.
• Cookies and similar technologies as described in the Cookies section below.

Information from third parties and integrations

If you sign in using a third-party identity provider (for example, Google) or connect a third-party service (such as storage, calendar, or productivity integrations), we receive limited information from that service as permitted by you and by that service’s policies. We only request the minimum scopes necessary to provide the feature you are activating.

Expento offers two ways to store the structured expense data and receipt files you create through the app. You choose one of these options when you first sign up. The choice is recorded on your account and remains in effect for that account thereafter; we do not silently switch a user from one option to the other.

Option A — Google Drive (bring-your-own storage)

If you choose this option, your receipt and invoice files are uploaded directly to your own Google Drive account, into a folder the app creates for you. The structured expense rows (date, vendor, amount, currency, category, notes, claim status) are written to your own Google Sheet in the same folder. We hold a separate metadata index in our database that lets the app list, filter, and total your expenses quickly, but the underlying files and rows are owned by you in your own Google account.

We request only the minimum Google OAuth scope needed for this (the per-file scope, which authorises the app to read and write the specific files it creates and nothing else in your Drive). We never request a broader Drive scope.

Option B — Expento-hosted storage (we host on your behalf)

If you choose this option, your receipt and invoice files are stored on infrastructure we operate (Supabase, hosted on AWS, in the project’s home region). The structured expense rows are stored in our database. You do not need a Google account for this option.

Per-user isolation under this option is enforced at the database and storage layer through row-level security and path-prefix policies. Each user can only read or write objects under their own user identifier prefix; one customer cannot access another customer’s data through normal application paths.

Users on this option have an in-app desktop Export module that allows you to download your data at any time, either as a CSV spreadsheet or as a ZIP archive containing the CSV plus every receipt image. Exports are generated in your browser and do not leave your device until you click download.

What is true for both options

• Encryption in transit: all communication between the app, our infrastructure, and any third-party storage provider is encrypted using industry-standard transport protocols.
• Receipt extraction (AI):when you scan a receipt, the image bytes are sent to the configured AI vision provider for one-time text extraction, then cached by image hash so the same image is never sent twice. The provider’s own retention policy governs whatever it may retain on its side.
• Deletion: deleting an expense in the app hard-deletes both the structured row and the associated receipt file (from your Drive for Option A, or from our storage for Option B). There is no grace period or recoverable bin.
• Account deletion: closing your account removes the data we hold about you (for Option A, the metadata index; for Option B, the rows and files). For Option A this does not delete the files in your own Google Drive — those remain yours to keep or delete.
• Switching options: the choice you made at signup is fixed by default. If you genuinely need to switch, an administrator at Aladdin Technologies Ltd. can move your account to the other option on your request. There is no automatic migration of data between the two options — switching means starting fresh on the new option. If you want to keep the data from the previous option, export it (Option B) or copy it out of your Google account (Option A) before requesting the switch.

Existing users (before May 30, 2026)

Customers who created an Expento account on or before the date this section was added are on Option A (Google Drive) by default and remain on Option A unless they specifically request a switch. This grandfathering preserves the storage arrangement that was in place at the time those accounts were created.

We use personal information to:

• provide, operate, maintain, and improve our products and services;
• create and manage your account, authenticate you, and keep the services secure;
• personalize your experience, remember your preferences, and deliver features you request;
• process transactions, manage subscriptions, and send related confirmations where applicable;
• communicate with you about product updates, technical notices, security alerts, and support;
• understand usage patterns, troubleshoot issues, and improve performance, stability, and usability;
• detect, investigate, and prevent fraud, abuse, security incidents, and violations of our terms or policies;
• comply with applicable legal obligations, regulatory requests, and enforceable governmental requirements;
• where you have opted in or where otherwise permitted, send marketing communications about related Aladdin Technologies products and offerings.

Where our services include AI-assisted or automated features, we may process the content you submit to generate outputs, suggest categorizations, or provide similar functionality. We take reasonable steps to avoid using your content to train general-purpose models without your consent.

Where required by applicable law (for example, in the European Economic Area, the United Kingdom, and other jurisdictions with similar frameworks), we rely on one or more of the following lawful grounds to process personal information:

• Performance of a contract — to provide the services you have requested and to comply with our contractual obligations to you.
• Legitimate interests — to operate, secure, and improve our services; to communicate with users; and to protect our business, provided these interests are not overridden by your rights.
• Consent — where we ask for your consent, including for certain cookies, marketing communications, or optional integrations. You can withdraw consent at any time.
• Legal obligation — to comply with applicable laws, regulations, court orders, and lawful requests from public authorities.

We and selected partners use cookies, local storage, and similar technologies to deliver and maintain our services, remember your preferences, understand how our services are used, and improve your experience. These technologies include:

• Essential cookies required for authentication, security, and core functionality;
• Preference cookies that remember settings such as language, theme, or layout;
• Analytics cookies that help us understand aggregate usage and improve performance;
• Marketing cookies, where applicable and with appropriate consent, to measure the effectiveness of communications and campaigns.

You can control cookies through your browser settings and, where available, through in-product cookie controls. Blocking certain cookies may affect the functionality of the services.

We work with trusted third-party providers that support the delivery and improvement of our services. These may include providers of:

• cloud hosting and infrastructure;
• authentication and identity;
• analytics and product usage insights;
• communications, email delivery, and customer support;
• payment processing and subscription billing;
• error monitoring, performance, and security tooling.

These providers process personal information on our behalf under appropriate agreements. They are only permitted to use the information to provide their services to us and are required to protect it in accordance with applicable law.

We may share personal information in the following circumstances:

• With service providers who perform services on our behalf (as described above), under contractual obligations of confidentiality and data protection;
• With authorized users within your organization if you use the services as part of a team or workspace (for example, administrators may see account and usage information relevant to their oversight);
• With integrations you enable, where you explicitly choose to connect a third-party product or service;
• In connection with a corporate transaction, such as a merger, acquisition, financing, reorganization, or sale of assets, subject to appropriate protections;
• To comply with law, legal process, or enforceable governmental requests, and to protect the rights, safety, or property of Aladdin Technologies Ltd., our users, or others.

We do not sell personal information in the traditional sense of the term. Where any activity may be considered a “sale” or “sharing” under specific regional laws, we provide the corresponding choices required by those laws.

Our services are operated using infrastructure that may be located in various countries, and we and our service providers may process personal information in jurisdictions other than the one in which you reside. When personal information is transferred internationally, we take reasonable steps to ensure it is protected to a standard consistent with this policy and with applicable law, including, where relevant, through the use of standard contractual clauses or other recognized transfer mechanisms.

We retain personal information for as long as reasonably necessary to provide the services, operate our business, comply with our legal obligations, resolve disputes, and enforce our agreements. Retention periods vary depending on the type of information, its sensitivity, the purposes for which it is processed, and applicable legal requirements.

When personal information is no longer required, we take reasonable steps to delete, anonymize, or otherwise render it unusable in accordance with our internal procedures.

We apply administrative, technical, and organizational measures designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. These measures may include access controls, encrypted connections, secure authentication, infrastructure hardening, monitoring, and regular review of our security practices.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for keeping your credentials confidential and for notifying us promptly if you believe your account has been compromised.

Depending on your location and applicable law, you may have some or all of the following rights in relation to personal information we hold about you:

• the right to access the personal information we hold;
• the right to request correction of inaccurate or incomplete information;
• the right to request deletion of personal information;
• the right to object to or restrict certain processing activities;
• the right to data portability, where applicable;
• the right to withdraw consent where we rely on consent as the legal basis for processing;
• the right to lodge a complaint with a competent data protection authority.

You can exercise many of these rights directly through your account settings. For all other requests, contact us using the details in the final section of this policy. We may need to verify your identity before acting on your request.

You can update, correct, or delete certain profile and account information at any time through your account settings. You may also close your account from within the service or by contacting us. After you close your account, some information may be retained for legal, security, fraud prevention, or record-keeping purposes, as permitted by applicable law.

You can typically manage notification and marketing communication preferences from within the service, or by using the unsubscribe links included in marketing emails we send you.

Our services are not directed to children under the age of 16 (or a higher age where required by applicable law). We do not knowingly collect personal information from children. If you believe that a child has provided us with personal information without appropriate consent, please contact us and we will take reasonable steps to delete the information.

Our services may contain links to, or integrate with, third-party websites, products, or services that are not operated or controlled by us. This Privacy Policy does not apply to those third parties, and we are not responsible for their content, privacy practices, or data handling. We encourage you to review the privacy notices of any third party you interact with.

We may update this Privacy Policy from time to time to reflect changes in our services, legal obligations, or business practices. When we make material changes, we will take appropriate steps to notify you, such as by posting a notice within the services, updating the “Last updated” date above, or where appropriate, sending a direct communication. Your continued use of the services after the effective date of the updated policy constitutes acceptance of the changes.

If you have questions about this Privacy Policy or would like to exercise your rights, please contact us:

• By email: admin@aladdin-technologies.com
• Company: Aladdin Technologies Ltd.

We aim to respond to privacy inquiries within a reasonable timeframe and, where required by law, within any specific statutory deadlines.