Tesoro Privacy Policy
Last Updated: July 10, 2026
This Privacy Policy describes how Tesoro ("Tesoro," "we," "us," or "our") collects, uses, discloses, and protects information when you use the Tesoro mobile application (the "App"). We are committed to being transparent about our data practices, particularly given that Tesoro handles your personal financial information.
Tesoro is currently operated by an independent developer based in Canada. If Tesoro is later operated through a registered business entity, this Policy will be updated to reflect that change, and the "last updated" date above will change accordingly.
Contact for privacy questions or requests: [email protected]
Summary
Privacy policies are dense by nature, so here's the short version: Tesoro collects the account and expense information needed to run the app, uses a small number of named service providers (listed in Section 3) to do that, and does not sell your data, share it for advertising, or use any third-party ad or tracking SDKs of any kind. We will never sell your financial data. The details below explain exactly what we collect, why, and who (if anyone) it's shared with.
1. Information We Collect
| Category | Examples | Why We Collect It | Shared With |
|---|---|---|---|
| Account Identity | Apple/Google account identifier, email address (or Apple's private relay address, if you choose to hide your real one), name, display name, avatar | Creating and securing your account; recognizing you across sign-ins | Apple or Google only, at the moment of sign-in (see Section 3) |
| Financial Data | Expense amounts, descriptions, dates, categories; monthly budget amounts you set; data extracted from a statement or receipt you choose to upload | The core purpose of the app — tracking and categorizing your spending | Anthropic receives only the expense description text, for automatic categorization (see Section 3). Never shared with anyone else. |
| Device & Session Data | IP address, user agent, and push notification device token | Detecting sign-ins from an unfamiliar location, and delivering security alerts you've opted into | Apple's Push Notification service (APNs) receives only your device token, only to deliver that alert |
| Usage Analytics | Whether onboarding was completed, whether an in-app tip was shown/dismissed | Understanding how the app is used, in aggregate | Not shared with anyone; no third-party analytics SDK is used at all |
A few things we deliberately do not collect, since they don't apply to how Tesoro works today: we do not link your bank accounts directly (you enter expenses manually, or import a statement/receipt yourself), we do not process payments (Tesoro has no paid subscription at this time), and we do not use any advertising, tracking, or session-replay technology on any website or in the app.
Biometric authentication (Face ID / Touch ID): if you use this to lock the app, it's handled entirely by Apple's operating system on your device. Tesoro never receives, transmits, or stores any biometric data — we only receive a yes/no result telling us whether you unlocked successfully.
If you sign in with both Apple and Google using the same verified email address, we treat both as the same account rather than creating a duplicate one.
2. How We Use Your Information
We use the information described above to:
- Provide and maintain your account and the App's core features (expense tracking, categorization, budgeting insights).
- Automatically categorize expenses you enter (see Section 3 regarding Anthropic's Claude API).
- Generate your Monthly Recap and other spending summaries.
- Detect likely duplicate entries when a statement or receipt you import matches an expense you already logged manually, so nothing gets double-counted.
- Detect and alert you to sign-ins from unfamiliar locations, as a security measure.
- Send you push notifications you've opted into.
- Maintain the security of the App, including rate-limiting abusive requests and revoking sessions when you log out or when a security concern is identified.
- Improve the App based on aggregate, de-identified usage patterns.
We do not use your financial information for advertising, and we do not sell or share your personal information with data brokers or advertisers.
3. Third Parties We Share Information With
We rely on a small number of service providers to operate Tesoro. Each only receives the minimum information necessary for its specific purpose:
| Third Party | What They Receive | Purpose |
|---|---|---|
| Apple (Sign in with Apple, APNs) |
Identity token during sign-in; device push token | Authentication; delivering push notifications |
| Google (Sign in with Google) |
Identity token during sign-in | Authentication (only if you choose to sign in with Google) |
| Anthropic (Claude API) |
The text description you enter for an expense (e.g., "Pizza at Domino's") | Automatically suggesting a spending category. If this fails or is unavailable, Tesoro falls back to simple keyword matching without contacting Anthropic at all. We access Claude through Anthropic's commercial API (not the consumer Claude.ai app) — under Anthropic's commercial terms, this data is never used to train Anthropic's models, and API inputs/outputs are automatically deleted on Anthropic's side within 30 days, retained only that briefly for abuse/safety monitoring. |
| DigitalOcean (hosting) |
All categories of data described in Section 1, since our servers and database run on DigitalOcean's infrastructure | Storing and running the App's backend on our behalf. DigitalOcean does not access or use your data for its own purposes — it's purely our infrastructure provider. |
We do not use any other third-party analytics, advertising, or data-broker services. None of these providers are permitted to use the information they receive for their own advertising purposes — it's used solely to provide the specific function listed above.
4. Data Retention and Deletion
Your data is retained for as long as your account is active. You can permanently delete your account and all associated data (expenses, categories, sessions, device tokens) at any time directly within the App, from the Profile tab's Delete Account row — no email, phone call, or support ticket is required. Deletion is immediate. The only exception is aggregate, de-identified usage analytics (see Section 1.4), which is retained without any link back to you once your account is deleted.
5. Your Rights
Depending on where you live, you may have rights to access, correct, delete, or receive a copy of your personal information, and to object to or restrict certain processing. Specifically:
- All users: You can view and edit your profile information and expense data directly in the App at any time, and delete your account and data as described in Section 4.
- EU/UK users (GDPR): You have the rights described above, plus the right to data portability and the right to lodge a complaint with your local data protection authority. Our legal basis for processing your information is primarily the necessity of providing the service you've signed up for (contractual necessity), with security-related processing (like login-location alerts) based on our legitimate interest in protecting your account.
- California users (CCPA/CPRA): We do not sell or share your personal information for cross-context behavioral advertising, so there is no "Do Not Sell or Share My Personal Information" mechanism required. You still have the right to know, delete, and correct your personal information as described above.
- Canadian users (PIPEDA and BC's PIPA): You have the right to access and request correction of your personal information, consistent with the rights described above. As a BC-based operation, we're primarily governed by BC's Personal Information Protection Act (PIPA) for personal information handled within BC, with Canada's federal PIPEDA applying to the interprovincial and international data flows inherent in operating an App Store app used outside BC.
To exercise any right not already available directly in the App (such as requesting a full export of your data), contact us at the email address listed at the top of this Policy.
6. Children's Privacy
Tesoro is not directed at, and is not intended for use by, children under the age of 13 (or the applicable minimum age in your region). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us so we can delete it.
7. Security
We take reasonable technical measures to protect your information, including:
- Encryption of data in transit (TLS/HTTPS) between the App, our servers, and the third parties listed in Section 3.
- Encryption of data at rest on our hosting provider's (DigitalOcean's) managed database infrastructure.
- Rate limiting on authentication and API endpoints to reduce abuse.
- Server-side session revocation, so signing out (or a suspected compromise) immediately invalidates your session rather than waiting for it to expire naturally.
- On-device biometric app locking (Face ID/Touch ID), which never transmits biometric data to us.
No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
8. Future Feature: Automatic Bank Account Sync
Tesoro may in the future offer an optional way to automatically connect your bank or credit card accounts, so your transactions sync in without manual entry, statement uploads, or receipt scanning. This is planned, but does not exist in the App today — everything described in Section 1 reflects only what Tesoro actually does right now.
If and when this feature launches, the following will be true, and this Policy will be updated with the specific provider's name before the feature becomes available to anyone:
- It will require your separate, explicit opt-in — connecting an account will never happen automatically or as a side effect of using the rest of the App.
- Access will be read-only. Tesoro will never be able to move money, make a payment, or modify any connected account in any way.
- We will use a licensed, established financial data aggregator (the same category of service used by other budgeting apps) to broker the connection — your online banking credentials, if entered, go directly to that provider and are never stored by Tesoro or seen by us.
- The provider's own privacy policy will be linked from this section once named.
9. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will update the "Last Updated" date above and, where appropriate, notify you through the App.
10. Contact Us
If you have questions about this Privacy Policy or how your information is handled, contact us at: [email protected]