Legal
Privacy Policy
Last updated: July 12, 2026
1. Who We Are
Nexo ("the App", "we", "us") is an expense-tracking application operated by Khaw Jyh Boon, an individual. This Privacy Policy explains what personal data we collect, why, how we protect it, and the rights you have over it.
If you have any questions, contact us at support@nexoexpenses.com.
2. Data We Collect
a. Account data
- Email address and authentication credentials (passwords are stored in hashed form by our authentication provider — we never see your plain-text password)
- Display name / profile info you choose to provide
- Profile photo (avatar), if you choose to upload one
b. Financial records you enter
- Transaction amounts, categories, dates, notes, and currencies
- Wallet/account names and balances you create
- Shared expense group memberships
c. Subscription & purchase data
- Subscription status (free, trial, or premium), plan type, purchase dates, renewal and expiry dates
- An anonymized purchase/app-user identifier used to link your subscription to your account
- We do not collect or store your payment card details — payments are processed entirely by the Apple App Store or Google Play
d. Technical data
- Device type, operating system, app version
- Crash logs and diagnostic data
What we do NOT collect
- We do not connect to your bank accounts or collect banking credentials
- We do not collect government ID numbers, precise location, or contacts
- We do not sell your personal data to anyone
3. How We Use Your Data
| Purpose | Data used | Legal basis |
|---|---|---|
| Provide the core service (storing and displaying your records) | Account data, financial records | Contract performance |
| Sync data across your devices and with shared users | Account data, financial records | Contract performance |
| Managing your subscription (activating Premium features, verifying entitlements, preventing trial abuse) | Subscription & purchase data, account data | Contract performance |
| Account security and fraud prevention | Account data, technical data | Legitimate interest |
| Fixing bugs and improving the App | Technical data | Legitimate interest |
| Service emails (e.g., password resets, important notices) | Email address | Contract performance |
| Promotional emails and messages (optional) | Email address | Consent — you can opt out anytime |
4. Emails & Messages Settings
You can turn off all promotional and marketing communications at any time in Settings → Personal Data & Privacy (or by using the unsubscribe link in any email). Turning this off does not affect essential service messages such as password-change alerts or security notices.
5. Where Your Data Is Stored
Your data is stored on secure cloud infrastructure provided by Supabase, Inc., with servers located in Mumbai, India (AWS ap-south-1). Data is encrypted in transit (TLS) and at rest.
6. Data Sharing
We share data only with:
- Users you choose to share with — when you join or create a shared expense group, members of that group can see the records within it.
- Service providers — providers that process data on our behalf under contractual safeguards:
- Supabase, Inc. — database, authentication, and file storage
- RevenueCat, Inc. — subscription management. RevenueCat receives an anonymized app-user ID, purchase history, subscription status, and basic device information in order to validate purchases and manage your entitlements. See RevenueCat's privacy policy at www.revenuecat.com/privacy for details.
- Apple App Store / Google Play — payment processing for subscriptions. They handle your payment details under their own privacy policies; we never see your card information.
- Legal requirements — if required by law, court order, or to protect the rights and safety of users.
We never sell or rent your personal data to third parties for marketing.
7. Data Retention
- Your data is retained for as long as your account is active.
- If you delete your account, your personal data is deleted within 30 days, except where we are legally required to retain certain records.
- Shared spaces: if you shared expenses with other users, those shared records remain visible to the remaining members so their financial history stays accurate. They are re-attributed to a placeholder member that retains only the display name you used in that space — your account, email, and all other personal data are removed.
- Subscription and transaction records may be retained for up to 5 years after account deletion where needed for tax, accounting, and dispute-resolution obligations. These records are kept in a minimized form and are not used for any other purpose.
- Backup copies are purged on a rolling basis within 90 days.
8. Your Rights
Depending on your location, you have rights under the Philippine Data Privacy Act of 2012 (RA 10173), the GDPR (if you are in the EU), and similar laws, including the right to:
- Access — request a copy of the data we hold about you
- Rectification — correct your data (you can edit most data directly in the App by editing your profile or transactions)
- Erasure ("right to be forgotten") — delete specific data or your entire account and all associated data
- Data portability — receive your data in a portable format (e.g., CSV export)
- Object / withdraw consent — opt out of promotional messages or other consent-based processing
- Lodge a complaint — with the National Privacy Commission (Philippines) or your local data protection authority
To exercise any of these rights, email us at support@nexoexpenses.com. We will respond within 30 days.
In-app controls
- Edit personal data: edit your profile information directly in the App
- Edit transactions: edit or delete transactions at any time
- Delete all user data: available in Settings → Personal Data & Privacy, or by emailing us
- Delete profile and all data: permanently removes your account and everything associated with it
9. Security
We use industry-standard measures to protect your data, including encrypted connections, hashed credentials, role-based access controls, and row-level security so users can only access their own or shared records. No system is 100% secure, so please use a strong, unique password.
10. Children
Nexo is not intended for anyone under 18, and we do not knowingly collect data from minors. If you believe a minor has created an account, contact us and we will delete it.
11. International Transfers
Because our infrastructure may be located outside your country, your data may be transferred and stored internationally. We take reasonable steps to ensure equivalent protection wherever data is processed.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be announced in the App or by email, and the "Last updated" date will be revised. Continued use after changes take effect constitutes acceptance.
13. Contact & Data Protection
- General support / privacy requests: support@nexoexpenses.com
- Data Protection Officer: not separately designated at this stage — privacy requests are handled through the support email above
- Operator: Khaw Jyh Boon