ExpenseLense

Built around private receipts.

Last updated: July 12, 2026

ExpenseLense is designed for private receipt cleanup: source files stay private, records stay owner-scoped, and AI is used only for the product job.

Fake privacy control proof

The source trail stays useful without becoming public.

This example uses fake data to show the controls around a saved receipt, analytics, export, deletion, and upload safety.

Cafe receipt.jpg

Fake source attached to one saved record

Private source

Opening or downloading the original requires the owner account.

Upload safety

ExpenseLense checks supported type, signature, size, and basic PDF validity. Malware scanning and PDF sanitization are not part of the current upload path.

Owner check

Signed-in account only

Analytics boundary

No merchant, amount, filename, email body, or Insight text

Export

Records and source trail can be exported

Deletion

Product data deletion is available from privacy controls

Upload safety status

Current uploads use local validation. Broader public launch requires scanner, PDF policy, legal, and incident review work first.

Active checks

  • Supported file type allow-list
  • MIME normalization and file signature checks
  • Image and PDF size limits
  • PDF parseability and page-count checks
  • Authenticated source ownership checks after save

Before broader launch

  • Choose and integrate a malware scanning vendor before broad public launch
  • Approve a PDF sanitization or render-only processing policy
  • Complete legal and privacy review for file retention, support, and incident response
  • Document a suspicious-upload support and incident playbook

Private receipt originals

Original scans, PDFs, screenshots, and emailed attachments stay in private storage. The app creates short-lived access only after checking the signed-in account owns the record.

Owner-scoped records

Saved records, recurring charges, email intake history, and Insight context are read and written for the authenticated app user only.

AI use

ExpenseLense uses OpenAI only for receipt extraction, category fallback, and Insight. Receipt text, filenames, merchant names, and email content are treated as untrusted input.

No bank connection required

You can use ExpenseLense with forwarded receipts, scanned receipts, PDFs, statements, and typed records. You do not need to connect a bank account.

Upload safety

Uploaded files are checked for supported type, file signature, size limits, and basic PDF validity. ExpenseLense does not yet run malware scanning or PDF sanitization.

First-party analytics

Growth events are stored with query strings removed, referrer reduced to host, and IP address and browser user agent hashed. Analytics must stay out of private receipt, email, Insight, merchant, amount, and file data.

Private-safe error monitoring

Technical errors and limited performance traces can be sent to Sentry after ExpenseLense removes request bodies, headers, cookies, query strings, user data, error messages, and private span payloads. Session replay, log capture, local variables, and AI content capture are disabled.

Export and deletion

Account privacy controls let you export saved records and request deletion of product data associated with your account.

Support

Send security, privacy, or account questions to aiacobe@icloud.com. Do not include full card numbers, passwords, or account credentials.