Privacy Policy

1. Who we are

Kosta Expenses ("the App") is operated by zorxCorp ("we", "us", "our"). This policy explains what data we collect, why we collect it, and how we protect it.

2. Data we collect

We only collect data that is necessary to provide the service:

• Account information — email address, display name, preferred currency, and language. Your password is hashed and never stored in plain text.
• Expense data — amounts, categories, notes, payment methods, and dates that you enter.
• Categories — names, emojis, colors, and optional budget limits you set.
• Attachments — receipt photos, documents, or voice notes you choose to upload.
• Organization data — if you create or join a team: organization name, member roles, and activity logs.
• Subscription info — your plan type and billing cycle. We do not store your payment card details; payments are processed entirely by Google Play or the App Store.

3. Data we do NOT collect

• We do not collect analytics, crash reports, or telemetry.
• We do not track your location, contacts, or browsing activity.
• We do not use cookies (this is a mobile app).
• We do not serve ads or use your data for advertising purposes.

4. Device permissions

• Camera — used only to scan QR codes when joining an organization. No images are captured or stored through this feature.
• Photo library — used to select photos as receipt attachments for your expenses.
• Document access — used to select files (PDF, etc.) as expense attachments.
• Microphone — used to record voice notes as expense attachments. Recordings are not processed, transcribed, or analyzed — they are stored as-is alongside your other attachments.
• Clipboard — used to paste organization invite codes.

Each permission is requested only when needed and can be revoked at any time in your device settings.

5. How we use your data

• To provide and maintain the App's features: expense tracking, budgets, dashboard, exports, and team collaboration.
• To manage your subscription and apply the correct plan limits.
• To send you transactional emails: welcome email, password reset codes, and export download links. We do not send marketing emails.
• To deliver in-app notifications: budget alerts, expense approvals, and team activity. These are not push notifications; they are only visible when you open the App.

6. Third-party services

We do not sell, rent, or trade your personal data. The following third-party services are used strictly to operate the App:

• RevenueCat — manages in-app subscriptions. Receives your anonymous user ID and subscription status.
• Google Play / Apple App Store — processes payments. Subject to their respective privacy policies.
• Mailjet — delivers transactional emails (password resets, export links). Receives your email address and display name.
• Pusher — provides real-time updates within the App (new expenses, approvals). Data is transmitted through private, authenticated channels.

7. Data shared with organization members

If you join an organization, your expenses submitted to that organization are visible to its admins and managers. Your personal expenses (outside the organization) are never shared with anyone.

8. Data storage and security

• Your data is stored on secured servers with encrypted connections (TLS/HTTPS).
• Passwords are hashed using bcrypt; we never have access to your plain-text password.
• Attachments are stored in cloud storage with restricted access.
• Authentication tokens are stored locally on your device and expire automatically.

9. Data retention

• We retain your data as long as your account is active.
• If you request account deletion, we will delete your personal data and associated content within 30 days.
• Payment records may be retained as required by applicable tax and accounting regulations.

10. Your rights

• Access and export — you can export all your data from the App at any time in CSV format.
• Rectification — you can update your profile and expense data directly in the App.
• Deletion — you can request account deletion by contacting us at the address below.
• Notifications — you can manage your notification preferences within the App.

11. International transfers

Your data may be processed on servers located outside your country of residence. We ensure that appropriate safeguards are in place to protect your data.

12. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via in-app notification or email. Continued use of the App after changes constitutes acceptance.

13. Contact

For any questions, data requests, or concerns:
contact@kosta.fi