Privacy Policy
Last updated April 2026
1. Who We Are
Utgift is a household expense tracking app developed by:
- Developer: Daniel Svendsen
- Country: Norway
- Role: Data controller under the General Data Protection Regulation (GDPR)
- Contact: privacy@effisense.no
When we say "Utgift", "we", "us", or "our" in this policy, we mean Daniel Svendsen as the developer and operator of the Utgift app.
2. What We Collect
2.1 Account Information
When you create an account, we collect the following depending on your chosen authentication method:
- Apple Sign In: name, email address, and Apple account identifier
- Email/password: email address and a securely hashed password (we never store plaintext passwords)
We also store your display name, household membership, and a push notification token for delivering notifications to your device.
2.2 Receipt and Expense Data
When you scan or import a receipt, we collect and store:
- Store name and address
- Business organization number (if visible on the receipt)
- Payment method and last 4 digits of the card used
- Purchase date and time
- Individual item names, quantities, prices, and categories
- Total amount
- Receipt image
- Any notes you add
- Gift card expiry dates (if applicable)
We only store the last 4 digits of payment card numbers. We never store full card numbers.
2.3 Budget and Financial Data
Data you actively submit through your use of the app:
- Budget limits per spending category
- Fixed expenses (name, amount, category, notes)
- Fixed incomes (name, amount, category, notes)
- Saved payment cards (last 4 digits and owner name only)
2.4 Household and Collaboration Data
When you create or join a household, we store:
- Household name and invite code
- Member list (user IDs)
- Join requests (requester name, email, and status)
All household members can see shared receipts, budgets, and expenses.
2.5 Automatically Collected Data
We collect limited analytics data through Firebase Analytics (without advertising identifiers):
- Screen views and feature usage
- App version and device type
- Aggregate usage statistics
We do not collect advertising identifiers, and we do not track you across other apps or websites.
2.6 Share Extension Data
If you use the Utgift Share Extension to import receipts from other apps (such as email or Photos), the extension reads the shared image or PDF. This data is processed in the same way as a camera-scanned receipt. The Share Extension stores pending receipts temporarily on your device until they are synced to the app.
3. How We Use Your Data
We use the data we collect to:
- Provide the service: create and manage your account, scan and store receipts, track budgets, and enable household collaboration
- Power AI features: send receipt images to OpenAI's API for automated data extraction (store name, items, amounts, categories)
- Look up store information: use business organization numbers to retrieve store addresses from the Norwegian Business Registry (Brreg)
- Deliver notifications: send push notifications when someone requests to join your household, and local reminders for expiring gift cards
- Improve the service: analyze anonymous usage patterns to fix bugs and develop new features
- Ensure security: verify app integrity using Firebase App Check with Apple's AppAttest
4. Legal Basis for Processing (GDPR)
Under the General Data Protection Regulation, we process your personal data based on the following legal grounds:
| Processing Activity | Legal Basis | GDPR Article |
|---|---|---|
| Account creation and management | Performance of contract | Art. 6(1)(b) |
| Receipt scanning and data storage | Performance of contract | Art. 6(1)(b) |
| AI-powered receipt extraction via OpenAI | Performance of contract | Art. 6(1)(b) |
| Household collaboration features | Performance of contract | Art. 6(1)(b) |
| Push notifications | Performance of contract | Art. 6(1)(b) |
| Analytics and service improvement | Legitimate interest | Art. 6(1)(f) |
| App integrity and security (App Check) | Legitimate interest | Art. 6(1)(f) |
Where we rely on legitimate interest, we have ensured our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting us at privacy@effisense.no.
5. Who We Share Your Data With
We do not sell your personal data. We have never sold personal data and have no plans to do so.
We share your data with the following categories of recipients:
- OpenAI: Receipt images are sent to OpenAI's API (GPT-4o model) to extract purchase details such as store name, items, amounts, and categories. OpenAI processes this data under their data processing terms. OpenAI does not use data submitted via the API to train their models.
- Firebase (Google): We use Firebase for authentication, database storage (Firestore), image storage (Cloud Storage), backend functions (Cloud Functions), push notifications (Cloud Messaging), analytics, and app integrity (App Check). Google processes this data as a data processor under their data processing terms.
- Norwegian Business Registry (Brreg): When a receipt contains a business organization number, we query the public Brreg API to retrieve the store's registered address. Only the organization number is sent; no personal data is transmitted.
- Your household members: When you join a household, other members can see shared receipts, budgets, expenses, and incomes according to the household structure.
- Legal requirements: We may disclose data to law enforcement or regulatory authorities when required by law or court order.
6. International Data Transfers
The developer of Utgift is based in Norway, which is part of the European Economic Area (EEA). Your data is primarily processed within Google's cloud infrastructure.
Some of our service providers are located outside the EEA, primarily in the United States:
- OpenAI (United States) — for receipt image processing
- Firebase / Google Cloud (may include US locations) — for data storage and services
When personal data is transferred outside the EEA, we ensure adequate protection through:
- EU-U.S. Data Privacy Framework (DPF), where the recipient is certified
- Standard Contractual Clauses (SCCs) approved by the EU Commission
- Adequacy decisions by the European Commission
You may request a copy of the applicable transfer safeguards by contacting us at privacy@effisense.no.
7. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:
| Data Type | Retention Period |
|---|---|
| Account information | Duration of account + 30 days after deletion |
| Receipts and expense data | Duration of account + 30 days after deletion |
| Receipt images | Deleted when removed by user or on account deletion |
| Budget and financial data | Duration of account + 30 days after deletion |
| Household data | Duration of household + 30 days after deletion |
| Analytics data (Firebase) | 14 months, then automatically deleted by Google |
| Pending Share Extension receipts | Deleted when synced to the app or on next app launch |
When you delete your account, we perform a complete cascade deletion: your user record, all receipts (including images), budgets, expenses, incomes, and household data (if you are the admin) are permanently removed.
8. Your Privacy Rights
8.1 Rights for Everyone
Regardless of where you live, you have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your account and associated data
- Withdraw consent where processing is based on consent
8.2 GDPR Rights (EEA Residents)
If you are located in the European Economic Area, you have the following additional rights under the GDPR:
| Right | Description | GDPR Article |
|---|---|---|
| Right of access | Obtain confirmation of whether we process your data and receive a copy | Art. 15 |
| Right to rectification | Correct inaccurate or incomplete personal data | Art. 16 |
| Right to erasure | Request deletion of your personal data ("right to be forgotten") | Art. 17 |
| Right to restriction | Restrict processing of your data in certain circumstances | Art. 18 |
| Right to data portability | Receive your data in a structured, machine-readable format | Art. 20 |
| Right to object | Object to processing based on legitimate interests | Art. 21 |
To exercise any of these rights, contact us at privacy@effisense.no. We will respond within 30 days, as required by the GDPR. If we need additional time (up to 60 additional days for complex requests), we will inform you.
You also have the right to lodge a complaint with your local data protection supervisory authority. In Norway, the supervisory authority is Datatilsynet (Norwegian Data Protection Authority).
9. AI Processing
Utgift uses AI to extract information from receipt images. When you scan a receipt:
- The receipt image is sent to OpenAI's API (GPT-4o model) over an encrypted connection
- OpenAI processes the image and returns structured data (store name, items, amounts, etc.)
- The extracted data is presented for your review before being saved
- OpenAI does not retain the image or use it for model training (per their API data usage policy)
This processing is:
- Assistive only — you review and can edit all extracted data before saving
- Not solely automated decision-making — no decisions with legal or significant effects are made without your involvement
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data:
- Encryption in transit: all data transmitted between your device and our servers uses TLS (HTTPS)
- Encryption at rest: data stored in Firebase is encrypted at rest using Google's default encryption
- App integrity: Firebase App Check with Apple's AppAttest verifies that requests come from a genuine instance of the app
- Authentication security: passwords are hashed using Firebase Authentication's industry-standard algorithms; Apple Sign In uses secure token exchange
- Minimal data collection: we only store the last 4 digits of payment cards, not full card numbers
While we strive to protect your data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.
11. Children's Privacy
Utgift is not intended for anyone under the age of 16. We do not knowingly collect personal data from individuals under 16 years of age. If we become aware that we have collected personal data from a person under 16, we will take steps to delete that data as soon as possible. If you believe a child under 16 has provided us with personal data, please contact us at privacy@effisense.no.
12. Data Breach Procedures
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the supervisory authority: report the breach to Datatilsynet within 72 hours of becoming aware of it, as required by GDPR Art. 33
- Notify affected individuals: if the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, as required by GDPR Art. 34
- Document and remediate: we will document the breach, its effects, and the remedial actions taken
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. For material changes, we will:
- Post the updated policy on this page with a revised "Last updated" date
- Where required by law, obtain your consent to the updated policy
We encourage you to review this policy periodically. Your continued use of the app after the effective date of any changes constitutes your acceptance of the updated policy.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Privacy inquiries: privacy@effisense.no
- Developer: Daniel Svendsen, Norway
If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority. In Norway, the supervisory authority is:
- Datatilsynet (Norwegian Data Protection Authority) — datatilsynet.no