Privacy Policy

1. Information We Collect

1.1 Account and Profile Information

When you register for SpendWay, we collect:

• First name and last name;
• Email address (used for login and communications);
• Password (stored securely using industry-standard hashing; we never store your password in plain text).

For each account you create within SpendWay, you may provide:

• Account name;
• Account type (created and maintained entirely by you; i.e. cash, investment, savings, credit card, or loan);
• Interest rate (user-entered reference value only);
• Opening date, closing date, statement date, and payment date.

1.2 Transaction Data

You may enter or import transaction data through the following means:

• Manual entry: entered directly by you;
• Statement upload: extracted from a document you upload (see Section 4);
• SMS sync: if you enable this optional feature, SpendWay reads SMS messages from supported banks on your device to automatically identify and import transactions.

Transaction data collected includes:

• Description;
• Amount;
• Date and time;
• Category (e.g. debit or credit; initially suggested by the system but owned and maintained by you);
• Tags: user-controlled labels (e.g. "groceries", "subscriptions", "fees"). Auto-tagging can be disabled in your settings.

1.3 Uploaded Documents

If you use the statement extraction feature, you may upload bank statements or similar financial documents. These are processed as described in Section 4 and are not stored in raw form beyond what is needed to complete the extraction.

1.4 Usage Data

We may collect technical information about how you use the Service, including:

• Device type, operating system, and browser;
• IP address;
• Pages visited and features used;
• Error logs and performance data.

This information is used to improve the Service, diagnose issues, and maintain security. It is not linked to your individual transaction or financial data.

2. How We Use Your Information

2.1 To Provide the Service

We use your account and transaction data to:

• Display your expenses, accounts, and reports within SpendWay;
• Generate AI-assisted summaries and expense reports (see Section 3);
• Process uploaded bank statements and extract transaction data (see Section 4);
• Maintain your account and provide customer support.

2.2 To Communicate with You

We may use your email address to:

• Send account-related notifications (e.g. password resets, security alerts);
• Notify you of important changes to the Service or these policies;
• Send product updates or announcements (you may opt out at any time).

2.3 To Improve the Service

Aggregated and anonymised usage data may be used to understand how the Service is used and to improve its features and performance.

2.4 Internal Analytics

Spendway Pvt Ltd collects the following aggregated, anonymised platform metrics for internal analytics purposes:

• Total number of transactions recorded across the platform;
• Average number of transactions per user.

These metrics are statistical in nature and cannot be used to identify any individual user.

3. AI-Assisted Reports: What We Share with AI

SpendWay uses AI to help you generate expense reports. We are committed to sharing the minimum data necessary for this purpose.

When you generate an AI-assisted report, the following fields, and only these fields, are sent to the AI service:

Per account:

• accountId: an internal database identifier assigned by SpendWay. This is not your bank account number, email address, or any information you have provided;
• accountType: the account type label you have set.

Per transaction (array):

• description, tags, category, amount, datetime

The following are never sent to the AI:

• Your name, email address, or any other contact information;
• Your login credentials;
• Any bank account numbers, card numbers, or financial institution identifiers;
• Interest rate, opening date, closing date, statement date, or payment date;
• Raw uploaded document content.

4. Statement Extraction: How We Handle Uploaded Documents

When you upload a bank statement or other financial document, SpendWay provides document preparation tools and processes your submission as follows:

5. SMS Transaction Sync

If you enable the SMS sync feature, SpendWay monitors incoming SMS messages to identify and import transactions from supported banks. The following applies:

• Opt-in only: SMS sync is disabled by default. You must explicitly enable it in your settings. You may disable it at any time.
• Pattern matching only: SpendWay only processes SMS messages that match the known transaction alert patterns of banks it currently supports. All other messages, including those from unsupported senders and any personal or unrecognised SMS, are completely ignored without their contents being read or stored.
• Data minimisation: Only the transaction details extracted from qualifying messages (amount, description, date/time) are stored. Full SMS content is never retained.
• No sharing: SMS content is never sent to third parties, including our AI service.
• Accuracy: Pattern matching is not infallible. It is your responsibility to review and correct all SMS-synced transactions.

6. Information We Do Not Collect or Use

To be explicit, Spendway Pvt Ltd does not:

• Collect your bank account numbers, card numbers, or login credentials for any financial institution;
• Access your bank accounts directly or connect to any banking system;
• Sell your data to advertisers, data brokers, or any third party;
• Use your financial data for advertising or marketing profiling;
• Share individually identifiable financial data with third parties for their own purposes.

7. Data Sharing and Third Parties

7.1 AI Service Providers

We use third-party AI services to power the expense report and statement extraction features. These providers receive only the minimum data described in Sections 3 and 4. They are contractually prohibited from using this data for any purpose other than delivering the requested AI functionality.

7.2 Infrastructure Providers

We use cloud hosting and infrastructure providers to operate the Service. These providers have access to data only as needed to run the platform and are bound by confidentiality obligations.

7.3 Legal Requirements

We may disclose information if required to do so by the laws of Sri Lanka, a court order, or a lawful request by a governmental authority, or where we believe in good faith that such disclosure is necessary to protect the rights, property, or safety of Spendway Pvt Ltd, our users, or the public.

7.4 Business Transfers

In the event of a merger, acquisition, or sale of all or substantially all of Spendway Pvt Ltd's assets, your data may be transferred to the acquiring entity. We will notify you of any such transfer and any material changes to how your data is handled.

8. Data Security

We implement industry-standard security measures to protect your data, including:

• Encryption of data in transit using TLS;
• Secure password hashing;
• Access controls limiting who within Spendway Pvt Ltd can access your data;
• Regular security reviews.

While we take security seriously, no system is completely immune to attack. You are encouraged to use a strong password and to contact us immediately at support@spendway.lk if you suspect your account has been compromised.

9. Data Breach Notification

9.1 Our Commitment

In the event of a data breach involving your personal data, Spendway Pvt Ltd will:

• Act immediately to contain the breach and assess its scope and impact;
• Notify all affected users as soon as reasonably practicable, with details of what data was affected and what steps are being taken;
• Report the breach to the Sri Lanka Data Protection Authority under the Personal Data Protection Act No. 9 of 2022, and to any other relevant regulatory or law enforcement authority as required by applicable law;
• Provide full cooperation, documentation, and assistance to any authority investigating the breach;
• Advise affected users of any steps they should take to protect their accounts or personal information.

9.2 Reporting a Suspected Breach to Us

If you suspect that your account has been compromised or that your data may have been accessed without authorisation, please contact us immediately at security@spendway.lk.

This inbox is monitored exclusively for security and data breach-related reports. SpendWay is not obligated to respond to non-security matters sent to it. General support enquiries should be directed to support@spendway.lk, and data privacy requests to privacy@spendway.lk.

10. Data Retention

We retain your account and transaction data for a period of 2 years from the date the data was created or your account last active, whichever is later. After this period, data is deleted from our active systems.

If you delete your account before the 2-year period:

• Your data will be removed from our active systems promptly;
• Some data may be retained in encrypted backups for up to 90 days for disaster recovery purposes, after which it will be permanently deleted;
• We may retain anonymised, aggregated data that cannot be linked back to you.

11. Your Rights

Under applicable Sri Lankan law and as a matter of our policy, you have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you;
• Correction: Request correction of inaccurate or incomplete data;
• Deletion: Request deletion of your account and associated data ahead of the standard retention period;
• Portability: Request your transaction data exported in a portable format;
• Objection: Object to certain uses of your data.

To exercise any of these rights, please contact us at privacy@spendway.lk.

12. Cookies and Tracking

SpendWay may use cookies and similar technologies for:

• Authentication (keeping you logged in);
• Session management;
• Service performance and error monitoring.

We do not use tracking cookies for advertising purposes. You can configure your browser to refuse cookies, though this may affect your ability to use certain features of the Service.

13. Children's Privacy

SpendWay is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at support@spendway.lk and we will take steps to remove it promptly.

14. No Bank Affiliation: Data Implications

SpendWay does not have a data-sharing relationship with any bank or financial institution. When you reference a bank within SpendWay (e.g. by selecting a bank logo to label an account), this is a cosmetic label within the app only. It does not cause any data to be sent to or received from that institution.

15. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or via a notice in the app before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the revised policy.

16. Governing Law

This Privacy Policy is governed by the laws of the Democratic Socialist Republic of Sri Lanka.

17. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your data, please contact us: