Privacy Policy
WeaveLedger ("we," "us," or "our") respects your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use the WeaveLedger application, website, and related services (the "Service"). By using the Service, you agree to the practices described in this policy.
1. Information We Collect
Account Information: When you create an account, we collect your email address and password. Your password is cryptographically hashed and never stored in plain text. If you enable multi-factor authentication, we store the associated TOTP secret.
Receipt and Expense Data: We collect data you provide or upload, including receipt images, PDFs, merchant names, transaction amounts, dates, categories, subcategories, payment methods, tax information, and notes. This data is provided by you directly or extracted via AI processing of uploaded images and forwarded emails.
Email Data: If you use the email forwarding feature, we process the content of forwarded emails to extract receipt information. You may also link additional email addresses to your account for receipt forwarding purposes.
Financial Integration Data: If you connect third-party services (such as Stripe, Google Play, or App Store), we store the API credentials you provide and the transaction data retrieved from those services.
Usage Data: We collect basic server logs including IP addresses, request timestamps, and user agent strings for security monitoring and abuse prevention. We do not use analytics or tracking cookies.
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service
- Process and analyze receipt images using AI for data extraction
- Authenticate your identity and secure your account
- Process forwarded emails to extract receipt data
- Retrieve income data from connected third-party integrations
- Generate expense reports, tax summaries, and financial exports
- Facilitate book sharing between users you authorize
- Communicate with you about your account or the Service
- Detect and prevent fraud, abuse, or security incidents
- Comply with legal obligations
We do not sell your personal information. We do not use your data for advertising. We do not use your receipt images or financial data to train AI models for purposes unrelated to providing you with the Service.
3. Data Sharing
We do not sell, rent, or trade your personal information. We may share your data only in the following circumstances:
- Service Providers: We use Cloudflare (Workers, D1 database, R2 storage, Workers AI) to host and operate the Service. These providers process data on our behalf and are bound by their own privacy and security commitments.
- Book Sharing: When you share an expense book with another user, that user can access the data within the shared book according to the permissions you set.
- Legal Requirements: We may disclose your information if required by law, legal process, or government request, or to protect the rights, property, or safety of WeaveLedger, our users, or the public.
4. Data Storage and Security
Your data is stored on Cloudflare's global infrastructure, including:
- D1 Database: Account information, expense records, categories, and settings
- R2 Object Storage: Receipt images, PDFs, and email attachments
We implement the following security measures:
- Passwords are hashed using PBKDF2 with SHA-256 and individual salts
- Authentication uses JSON Web Tokens (JWT) with short expiration periods
- Optional multi-factor authentication (TOTP) is available
- API rate limiting protects against brute-force attacks
- All data is transmitted over HTTPS with TLS encryption
- CORS policies restrict API access to authorized origins
While we take reasonable measures to protect your data, no system is completely secure. You are responsible for maintaining the security of your account credentials.
5. Data Retention
We retain your data for as long as your account is active and as needed to provide the Service. If you delete your account, we will delete your personal data within a reasonable timeframe, except where retention is required by law or necessary for legitimate business purposes (such as resolving disputes or enforcing our Terms).
Receipt images and associated files stored in R2 are deleted when you delete the corresponding receipt or your account.
6. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your personal data and account
- Export: Export your expense data in multiple formats (CSV, JSON, PDF, QBO, OFX)
- Restrict Processing: Request that we limit how we process your data
- Object: Object to certain types of data processing
- Withdraw Consent: Where processing is based on consent, withdraw that consent at any time
To exercise any of these rights, contact us at support@weavehub.app. We will respond to your request within 30 days.
7. For EU/EEA Residents (GDPR)
If you are located in the European Union or European Economic Area, the legal bases for processing your data are:
- Contract Performance: Processing necessary to provide the Service you requested (Article 6(1)(b))
- Legitimate Interests: Processing for security, fraud prevention, and service improvement (Article 6(1)(f))
- Consent: Where you have explicitly opted in to specific processing (Article 6(1)(a))
- Legal Obligation: Processing required to comply with applicable law (Article 6(1)(c))
Your data may be transferred to and processed in the United States via Cloudflare's infrastructure. Cloudflare maintains appropriate safeguards for international data transfers. You have the right to lodge a complaint with your local data protection authority.
8. For California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act:
- Right to Know: You may request details about the categories and specific pieces of personal information we collect
- Right to Delete: You may request deletion of your personal information
- Right to Opt-Out: We do not sell personal information, so no opt-out is necessary
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
9. Cookies and Tracking
The Service does not use analytics cookies, tracking pixels, or third-party advertising trackers. We use only essential authentication tokens (JWT) stored in your application to maintain your session. The web application may use localStorage for user preferences (such as display settings), which does not track you across sites.
10. Children's Privacy
The Service is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected data from a child under 13, we will delete it promptly. If you believe a child under 13 has provided us with personal information, please contact us at support@weavehub.app.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through the Service and update the effective date at the top of this page. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
12. Contact
If you have questions or concerns about this Privacy Policy or our data practices, please contact us at support@weavehub.app.