Last updated: July 1, 2026

This Privacy Policy explains how The Bearded Coder LLC ("we", "us", or "our") collects, uses, shares, and protects personal information when you use Whittle, our expense-tracking application, and related websites (the "Service"). For the personal data you enter into your account, The Bearded Coder LLC is the data controller. If you have any questions, contact us at thebeardedcoderco@gmail.com.

Information we collect

  • Account & profile data: your name, email address, password (stored only as a secure hash), and (where you provide them) your business or organization name, business mailing address, and profile picture.
  • Financial records you enter: expenses, budgets, mileage, and the receipt or document images you upload. Uploaded files are private and are served only through an authorized request that verifies you own them; they are not exposed at public URLs.
  • Imported transactions: when you use the import feature, the bank or card transactions you upload (transaction date, description, and amount), which you can match to existing expenses or turn into new ones.
  • Billing data: handled by our payment processor, Stripe. We never store full card numbers; we retain only your Stripe customer and subscription identifiers and limited card metadata (brand and last four digits) needed to display and manage your subscription.
  • Team data: if you create or join an organization account, we store membership and role information and the email addresses you invite, so we can send and manage invitations.
  • AI usage records: when you use an AI feature, we record which feature you used and how much you used it (such as token counts) so we can enforce your plan's usage quotas.
  • Feedback & support messages: the feedback you submit through the app and the messages you send us for support, so we can respond and improve the Service.
  • Technical & usage data: your IP address, your browser and device type (user-agent), the essential cookies that keep you signed in and protect form submissions (session and CSRF), your most recent sign-in time, and your email preferences (such as whether you have opted out of product-update emails). We also keep audit logs of sensitive actions (see Activity & security logs below).

How we use it

We use this information to provide and secure the Service, create and manage your account and team, process payments and subscriptions, send transactional email (such as account verification, password resets, team invitations, budget alerts, trial reminders, and payment-failure notices), respond to support requests and feedback, and comply with our legal obligations. We may also send occasional product-update emails, which you can opt out of at any time using the unsubscribe link in each message. When you use our AI-assisted features, we also process your receipts and expense data to read receipts, suggest categories, answer your questions, and generate insights (see AI features below). We do not sell your personal data, and we use no advertising or third-party tracking cookies.

AI features

Some features use artificial intelligence to save you data entry: receipt scanning, automatic categorization, the "ask your expenses" assistant, and monthly insights. When you use one of these features, the content it needs (for example, a receipt image, or the expense data required to answer your question or build your insights) is sent to our AI provider, Google Cloud (Vertex AI, using Google's Gemini models), to process on our behalf. This happens only when you use an AI feature; if you don't use them, your data is not sent for AI processing. Google handles this data as our subprocessor under its enterprise terms and does not use it to train its models. AI output can be wrong or incomplete, so you should review and confirm it before relying on it, and it is not professional tax, accounting, or financial advice (see our Terms of Service).

Legal bases (GDPR)

Where the EU/UK GDPR applies, we process personal data on these bases: performance of a contract (to deliver the Service you sign up for), legitimate interests (to secure, maintain, and improve the Service and prevent abuse), legal obligation (such as tax and accounting record-keeping), and consent (where we ask for it, for example optional communications, which you can withdraw at any time).

Cookies

We use only essential cookies: a session cookie to keep you signed in and a CSRF token to secure forms. We don't use advertising or third-party tracking cookies.

Sharing & subprocessors

We share data only with the providers that help us operate the Service, each bound by a data-processing agreement and permitted to use the data only on our instructions:

  • Stripe: payment processing and subscription billing.
  • Mailgun: delivery of transactional and operational email.
  • Bluehost: hosting of the application and storage of your data and uploaded files.
  • Google Cloud (Vertex AI / Gemini): AI processing for receipt scanning, categorization, the assistant, and insights (used only when you use those features, and not used to train Google's models).

We may also disclose information if required by law or valid legal process, to protect the rights, safety, or property of our users or the public, or as part of a merger, acquisition, or sale of assets, in which case we will continue to protect your information and notify you of any change in control or applicable policy.

International transfers

We and our providers are based in, or process data in, the United States. If you access the Service from outside the United States, your information will be transferred to and processed there. Where required, we rely on appropriate safeguards (such as the European Commission's Standard Contractual Clauses) for these transfers.

Activity & security logs

To keep accounts secure and meet our compliance obligations, we keep a log of sensitive actions, including: successful and failed sign-ins, viewing of receipts, AI feature usage, transaction imports, tax exports, expense approvals, feedback submissions, membership and ownership changes, billing changes, data exports and deletions, and any staff access to your account. Each entry records who performed the action, their IP address, and the time. These logs are used only for security, troubleshooting, and compliance, and are automatically deleted after 12 months.

Data retention

We keep your data while your account is active. Receipts, financial records, and imported transactions are retained for as long as you keep them; when you delete a record, it is removed from the live Service promptly. We may retain limited records where the law requires it. Activity & security logs are kept for 12 months. Backups are rotated and purged on a rolling schedule. When you delete your account, we permanently remove your data from the live Service promptly, and it ages out of backups on that rolling schedule.

Security

We protect your data with industry-standard measures: all traffic is encrypted in transit over HTTPS/TLS, passwords are stored only as secure hashes, each account's data is isolated from others, and uploaded receipts and profile images are accessible only through authorized requests rather than public links. We log sensitive actions as described above. No system can be guaranteed perfectly secure, but we work to safeguard your information and to address issues promptly.

Your rights (GDPR / CCPA)

Depending on where you live, you may have the right to access, export, correct, delete, restrict, or object to our processing of your data, to data portability, to withdraw consent, and to lodge a complaint with your local data-protection authority. We do not discriminate against you for exercising these rights. You can act on the main ones directly:

  • Sign in to export or delete your data, or email us to make a request.

For any other request, email us and we will respond within the timeframe required by applicable law.

Children

The Service is intended for users aged 18 and over. It is not directed to children, and we do not knowingly collect personal information from anyone under 18. If you believe a child has provided us information, contact us and we will delete it.

Changes to this policy

We may update this Privacy Policy from time to time. We will post the revised version here with a new "Last updated" date and, for material changes, notify you by email or in-app. Continued use of the Service after a change takes effect constitutes acceptance of the updated policy.

Contact

Questions or requests: thebeardedcoderco@gmail.com. See also our Terms of Service.