Spent Log (“Spent Log”, “the app”, “we”, “us”, or “our”) is a personal finance and people-ledger app. This policy explains exactly what data the app handles, what stays on your device, what (if anything) is sent to our servers, and the choices and rights you have.
The short version
- Spent Log is offline-first. Your transactions, wallets, people, categories and budgets are stored only on your device.
- You can use the entire app without an account. In that mode, nothing ever leaves your device and we receive nothing.
- If you choose to create an account, we store your login and any encrypted backups. Backups are encrypted on your device before upload, so we cannot read their contents.
- We do not sell your data, show ads, run third-party analytics, or track you across apps or websites.
1Who this policy applies to
This policy applies to the Spent Log applications (iOS, iPadOS, macOS, Android) and the optional account and backup service operated at spentlog.com.
2Data stored on your device
By design, the following is created and stored locally on your device and is not transmitted to us (except inside an encrypted backup, if you create one — see Section 4):
- Transactions (expenses, income, loans, repayments) and their notes, dates and amounts
- Wallets / accounts and their balances
- People you track, and any phone numbers, emails or notes you add
- Categories, budgets, streaks and preferences (currency, language, theme)
- Your PIN, if you enable the optional app lock — stored only as a one-way hash in your device’s secure storage, and never sent anywhere
We have no access to this on-device data. If you uninstall the app without a backup, this data is permanently gone.
3Account information (only if you create an account)
Creating an account is optional and is only needed to enable encrypted cloud backups across devices. If you create one, we store:
- Your name (as you enter it)
- Your email address
- Your password, stored only as a secure cryptographic hash — we never store or see your actual password
- Authentication tokens used to keep you signed in (stored hashed)
We use this solely to create and secure your account, sign you in, and link your encrypted backups to you. We do not use it for marketing.
4Encrypted backups (only if you create a backup)
If you are signed in and choose to create a backup:
- Your data is encrypted on your device using AES-256 before anything is uploaded. The key is tied to your account.
- We store the resulting encrypted file — which we cannot decrypt or read — plus minimal metadata: a timestamp, the file size, and any optional label you type.
- Backups are transmitted over an encrypted HTTPS connection.
Because backups are encrypted before they leave your device, the contents of your financial data remain private to you even though the file is stored on our server.
5Information we do NOT collect
The app requests only what it needs to work: internet access (to sign in and upload/restore encrypted backups) and secure storage (your platform Keychain/Keystore, for the auth token, backup key and optional PIN).
6Server logs
Our servers and our infrastructure provider (Cloudflare) keep standard technical logs — such as IP address, date/time, and request information — for security, abuse prevention, and to keep the service running. These logs are not used to profile you and are kept only as long as reasonably necessary.
7How we use information
- Provide and secure your optional account
- Store and restore the encrypted backups you create
- Maintain, protect, and troubleshoot the service
- Comply with legal obligations
We do not sell or rent your personal information, and we do not use it for advertising or cross-app/website tracking.
8Sharing and disclosure
We do not share your personal information with third parties except:
- Service providers that host and protect the service (e.g. our server host and Cloudflare), strictly to operate Spent Log on our behalf.
- Legal reasons — if required by law or to protect the rights, safety and security of users or the public.
We never sell your data.
9Data security
- Client-side AES-256 encryption of backups before upload
- HTTPS/TLS for all network communication
- Hashed passwords and authentication tokens
- Secrets stored in the device’s platform secure storage (iOS/macOS Keychain, Android Keystore)
No method of transmission or storage is 100% secure, but we protect your information using industry-standard measures.
10Data retention
- On-device data stays until you delete it or uninstall the app.
- Account data and backups are kept while your account exists. You can delete individual backups anytime, and deleting your account erases your account and all associated backups (see Section 11).
11Your rights and choices
Depending on where you live, you may have rights under laws such as the GDPR (EU/UK) or CCPA/CPRA (California) — including the right to access, correct, export, or delete your personal data. Spent Log gives you direct control:
- Use without an account — sign-in is never required.
- Delete backups — from the Backup & Restore screen.
- Sign out — anytime from Settings; local data stays on your device.
- Delete your account — from Settings → Delete account, which permanently erases your account, all cloud backups, and the data on your device. You may also email us to request deletion.
12Children’s privacy
Spent Log is not directed to children under 13 (or the minimum age in your country), and we do not knowingly collect personal information from children. If you believe a child has provided us information, contact us and we will delete it.
13International users & transfers
Spent Log is available globally. If you create an account, your account information and encrypted backups may be stored and processed on servers in a country different from where you live. We protect your information consistent with this policy wherever it is processed.
14Changes to this policy
We may update this policy from time to time. When we do, we will revise the “Last updated” date above and, where appropriate, provide additional notice. Continued use of the app after changes take effect means you accept the updated policy.
15Contact us
Questions, requests, or concerns about this policy or your data?
- Email: [email protected]
- Website: spentlog.com