Privacy Policy

Last updated: April 8, 2026

1. Overview

This Expense Tracker application is a private internal tool operated by Wildstone Capital Enterprises and its subsidiaries. It is not available to the general public. Access is restricted to authorised employees and contractors authenticated via Microsoft Entra ID.

This policy describes what personal data we collect, why we collect it, how long we keep it, and your rights regarding that data.

2. Data We Collect

Identity data:Your name, work email address, and Microsoft Entra ID object ID, obtained from your organisation's identity provider when you sign in.

Expense data: Transaction amounts, dates, merchant names, and card identifiers imported from corporate card statements.

Coding annotations: Job numbers, cost codes, expense descriptions, and accounting notes you enter when coding transactions.

Receipt files: Images (JPEG, PNG, HEIC) and PDF documents you upload as proof of purchase, stored in encrypted cloud storage.

Audit records: A log of actions performed in the app (approvals, exports, admin changes) for compliance and accountability. Audit records are retained indefinitely and are not subject to deletion requests.

We do not collect location data, contacts, microphone audio, advertising identifiers, or any data beyond what is listed above.

3. How We Use Your Data

  • To authenticate you and control access to the application
  • To process, route, and approve corporate expense transactions
  • To generate financial reports for internal accounting purposes
  • To maintain an audit trail of financial actions for compliance
  • To send you notifications about transactions requiring your attention

Your data is never sold, rented, or shared with third parties for marketing or advertising.

4. Data Retention

  • Transaction and expense records: retained for the period required by applicable accounting and tax regulations (minimum 7 years).
  • Receipt files in the gallery: automatically deleted after 15 days, or immediately when applied to a transaction.
  • Audit logs: retained indefinitely for compliance purposes.
  • Personal identity data: retained for the duration of your employment or authorised access. Removed upon account deletion (see below).

5. Data Security

All data is transmitted over HTTPS. Receipt files are stored in an encrypted S3 bucket with no public access; files are only accessible via short-lived signed URLs. Authentication tokens are stored in the device's secure storage (iOS Keychain / Android Keystore) on mobile. The application enforces role-based access control — users can only access data within their assigned company scope.

6. Your Rights

As an internal user, you have the right to:

  • Access the personal data held about you — contact your company administrator
  • Request correction of inaccurate personal data
  • Delete your account and associated personal data via Account → Delete Account in the app

Note: Financial transaction records and audit logs are retained after account deletion for regulatory compliance. Your identity will be anonymised in these records.

7. Applicable Law

This application is operated in Canada. Personal data is handled in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.

8. Contact

Questions about this policy or your personal data should be directed to your company administrator or to the IT department responsible for this application.

← Back to app