Built around private receipts.
Last updated: July 12, 2026
ExpenseLense is designed for private receipt cleanup: source files stay private, records stay owner-scoped, and AI is used only for the product job.
Fake privacy control proof
The source trail stays useful without becoming public.
This example uses fake data to show the controls around a saved receipt, analytics, export, deletion, and upload safety.
Cafe receipt.jpg
Fake source attached to one saved record
Private source
Opening or downloading the original requires the owner account.
Upload safety
ExpenseLense checks supported type, signature, size, and basic PDF validity. Malware scanning and PDF sanitization are not part of the current upload path.
Owner check
Signed-in account only
Analytics boundary
No merchant, amount, filename, email body, or Insight text
Export
Records and source trail can be exported
Deletion
Product data deletion is available from privacy controls
Upload safety status
Current uploads use local validation. Broader public launch requires scanner, PDF policy, legal, and incident review work first.
Active checks
- Supported file type allow-list
- MIME normalization and file signature checks
- Image and PDF size limits
- PDF parseability and page-count checks
- Authenticated source ownership checks after save
Before broader launch
- Choose and integrate a malware scanning vendor before broad public launch
- Approve a PDF sanitization or render-only processing policy
- Complete legal and privacy review for file retention, support, and incident response
- Document a suspicious-upload support and incident playbook
Private receipt originals
Original scans, PDFs, screenshots, and emailed attachments stay in private storage. The app creates short-lived access only after checking the signed-in account owns the record.
Owner-scoped records
Saved records, recurring charges, email intake history, and Insight context are read and written for the authenticated app user only.
AI use
ExpenseLense uses OpenAI only for receipt extraction, category fallback, and Insight. Receipt text, filenames, merchant names, and email content are treated as untrusted input.
No bank connection required
You can use ExpenseLense with forwarded receipts, scanned receipts, PDFs, statements, and typed records. You do not need to connect a bank account.
Upload safety
Uploaded files are checked for supported type, file signature, size limits, and basic PDF validity. ExpenseLense does not yet run malware scanning or PDF sanitization.
First-party analytics
Growth events are stored with query strings removed, referrer reduced to host, and IP address and browser user agent hashed. Analytics must stay out of private receipt, email, Insight, merchant, amount, and file data.
Private-safe error monitoring
Technical errors and limited performance traces can be sent to Sentry after ExpenseLense removes request bodies, headers, cookies, query strings, user data, error messages, and private span payloads. Session replay, log capture, local variables, and AI content capture are disabled.
Export and deletion
Account privacy controls let you export saved records and request deletion of product data associated with your account.
Support
Send security, privacy, or account questions to aiacobe@icloud.com. Do not include full card numbers, passwords, or account credentials.