Where your data actually lives
- Your reports and spreadsheets: in YOUR Google Drive, under your Google account. We don't keep a copy. Once a report PDF or sheet is created, the file belongs to you — if you disconnect ExpenseBot tomorrow, those files stay in your Drive intact.
- Receipt images and PDFs: also stored in YOUR Google Drive (the ExpenseBot folder we create on your account), not on our servers. During processing we pass them through Google Cloud Storage briefly to run OCR and classification, then upload the final file to your Drive and the temporary copy is removed.
- What we DO keep on our side: your account settings, role configuration, the spreadsheet/folder IDs we created for you, and lightweight learning hints (like which categories you tend to assign to specific merchants, so the AI gets smarter at coding for you over time). All in Firestore (Google Cloud), encrypted at rest. We do NOT keep a copy of your individual transactions — those live in your Google Sheet.
- What we DON'T store: email bodies, your broader inbox contents, or anything unrelated to receipt extraction.
Email scanning specifics — the narrowest scopes that get the job done
- gmail.readonly: read messages so we can find the ones that match receipt-like patterns (vendor names, totals, attachments). We don't scan your inbox broadly.
- gmail.modify: only used to apply our own labels ("Processed", "Receipt") so we don't re-process the same message. One caveat worth knowing: Google defines gmail.modify as all read/write operations on mail except immediate, permanent deletion, so it already includes read access. Applying a label to a message still requires it, because the narrower gmail.labels scope only manages the labels themselves, not which messages carry them.
- drive.file: this one's important. We can ONLY see files our app creates (or that you explicitly open with it). Your other Drive files are completely opaque to us: we cannot list, read, or modify anything we didn't create.
You can review the granted scopes any time at myaccount.google.com → Security → Third-party apps, and revoke our access there with a single click.
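If you would rather verify the scope claims above than take them on trust, the following is an added example (not ExpenseBot's own code) that builds a Google consent URL requesting exactly the three scopes listed, and audits what a token actually holds using the space-separated "scope" field that Google's tokeninfo endpoint returns. It assumes those three scopes are the complete expected set; the tokeninfo payloads, client ID, redirect URI and state value in it are constructed placeholders.

```python
"""Audit the OAuth scopes an ExpenseBot-style Google integration actually holds.

Added example, not ExpenseBot's own code. Assumes the three scopes named in the
FAQ are the complete expected set, and that granted scopes arrive as the
space-separated "scope" string from https://oauth2.googleapis.com/tokeninfo
(the real response shape). Sample payloads below are constructed, not real.
"""
from urllib.parse import parse_qs, urlencode, urlparse

GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
SCOPE_PREFIX = "https://www.googleapis.com/auth/"

# The minimal set the FAQ describes. gmail.modify already implies read access,
# but the app requests gmail.readonly as well, so the audit expects both.
EXPECTED_SCOPES = frozenset({
    SCOPE_PREFIX + "gmail.readonly",
    SCOPE_PREFIX + "gmail.modify",
    SCOPE_PREFIX + "drive.file",
})

# Scopes that would contradict the FAQ's claims if they ever appeared in a grant.
OVERBROAD_SCOPES = frozenset({
    "https://mail.google.com/",      # full mailbox access, incl. permanent delete
    SCOPE_PREFIX + "gmail.send",     # send mail as the user
    SCOPE_PREFIX + "gmail.compose",
    SCOPE_PREFIX + "drive",          # every file in Drive, not just app-created ones
    SCOPE_PREFIX + "drive.readonly",
})


def build_consent_url(client_id: str, redirect_uri: str, state: str) -> str:
    """Build the Google consent URL requesting exactly EXPECTED_SCOPES.

    `state` must be an unguessable per-session value that the callback
    handler checks; it is the CSRF protection for the OAuth redirect.
    """
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(sorted(EXPECTED_SCOPES)),
        "access_type": "offline",  # refresh token, needed for background receipt scans
        "prompt": "consent",
        "state": state,
    }
    return GOOGLE_AUTH_ENDPOINT + "?" + urlencode(params)


def requested_scopes(consent_url: str) -> set:
    """Parse the scope parameter back out of a consent URL (for review/testing)."""
    query = parse_qs(urlparse(consent_url).query)
    return set(query.get("scope", [""])[0].split())


def audit_granted_scopes(tokeninfo: dict) -> dict:
    """Compare what Google says a token holds against what the FAQ promises."""
    granted = set(tokeninfo.get("scope", "").split())
    return {
        "missing": sorted(EXPECTED_SCOPES - granted),
        "unexpected": sorted(granted - EXPECTED_SCOPES),
        "overbroad": sorted(granted & OVERBROAD_SCOPES),
        "ok": granted == EXPECTED_SCOPES,
    }


# Constructed sample tokeninfo payloads (placeholders, not real responses).
MINIMAL_GRANT = {"scope": " ".join(sorted(EXPECTED_SCOPES)), "expires_in": "3599"}
OVERBROAD_GRANT = {
    "scope": "https://mail.google.com/ " + SCOPE_PREFIX + "drive " + SCOPE_PREFIX + "drive.file",
    "expires_in": "3599",
}

if __name__ == "__main__":
    # Placeholder client ID, redirect URI and state; substitute your own.
    url = build_consent_url("example-client-id", "https://example.invalid/oauth/callback", "random-state")
    print(url)
    print(audit_granted_scopes(MINIMAL_GRANT))   # ok: True
    print(audit_granted_scopes(OVERBROAD_GRANT)) # overbroad: mail.google.com and drive
```

To run the audit against a live grant, paste the access token into a GET to the tokeninfo endpoint and feed the JSON to `audit_granted_scopes`; anything in `overbroad` or `unexpected` means the consent screen asked for more than this FAQ describes.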
Who can see your data on our side
Currently, access is limited to the founder (Rob) for support purposes — for example, reproducing a bug you've reported by reading the relevant rows in your spreadsheet or your settings in Firestore. That access is manual, ad-hoc, and tied to your specific support request. As the team grows we'll add formal access logging.
Third-party services we use, and what each gets
- Google Cloud (Firestore, Cloud Storage, Cloud Run): your stored data. Subject to Google's data processing terms.
- Google Gemini API (paid tier): receipt OCR and category classification. Per Google's published terms for the paid API tier, prompts and responses are NOT used to train Gemini.
- SendGrid: transactional email only (account confirmations, password resets, support replies). No expense data ever passes through.
- Stripe: billing only. They see your subscription info, never your expense data.
- Plaid (optional, only if you connect a credit card): bank transaction metadata for reconciliation. Connected by you; revocable at any time.
CASA Tier 2 certification
We're Google CASA Tier 2 certified — Google's enterprise-grade security certification for applications that access Gmail and other sensitive scopes. Our certification validates:
- Secure secret management and credential handling
- HTTPS-only connections with TLS 1.2+ encryption
- Secure cookie configurations
- Protection against common attack vectors (XSS, CSRF, injection)
- External penetration testing with verified pass results
- 54 OWASP-based security controls documented and validated
The certification is conducted by ESOF AppSec (TAC Security), Google's official security assessment partner, and requires annual security audits. Our current certification cycle (2026) completed in April 2026.
If you want to share this with a client
The full FAQ — including this entry and the other Privacy & Security items — lives at expensebot.ai/faq#privacy. Forward that link directly to any client who needs the answers.
