The short version. We read the bank and MoMo statements you give us, save the transactions to your account, and use them to show you charts and insights. We never sell your data. We never give it to advertisers. You can delete everything any time from your settings.
Who we are
spend40 is a product of 40 Analytics Ltd., a private company incorporated in Ghana with offices in Accra. In this policy, "we", "us", and "spend40" refer to 40 Analytics Ltd. "You" means anyone who creates an account, uploads a statement, or otherwise uses spend40.
This policy explains what personal data we collect, how we use it, who we share it with, and what rights you have under the Data Protection Act, 2012 (Act 843) of the Republic of Ghana. We are the data controller for the data described below.
What we collect
1. Account information (you give us)
- Name — first and last, when you sign up.
- Phone number — used to send the OTP that signs you in.
- Email address — used to send the OTP and important account notices.
2. Statement and transaction data (you upload)
- PDF statements from MTN MoMo, Vodafone Cash, AirtelTigo, GTBank, Fidelity Bank, CalBank, Ecobank, Stanbic, ABSA, Access, UBA, Republic, and other supported providers.
- Extracted transactions — date, amount, type (debit/credit), merchant or recipient, reference, balance, fees, and any account identifier on the statement.
- Categorisation labels — labels we (or the AI) apply to each transaction, plus any edits you make.
3. Usage data (collected automatically)
- IP address and approximate location (country, region) — for security and fraud prevention.
- Device and browser — user-agent string, screen size, language.
- Login events — the date, time, and IP of each successful sign-in.
4. Payment data (Pro subscribers)
Payments are processed by Paystack. We never see your card or mobile-money PIN. Paystack returns to us a transaction reference, the amount, the currency, and a status (success/failed) — that's all we store. Read Paystack's privacy policy for how they handle your card details.
How we use your data
We use your data to:
- Run the service — read your statements, categorise transactions, build your dashboard.
- Authenticate you with one-time passwords (OTP).
- Process subscription payments via Paystack.
- Detect and prevent fraud, abuse, and unauthorised access.
- Send you essential account notices (billing receipts, security alerts).
- Improve the product — for example, fix parsing errors specific to a bank's statement format.
- Comply with legal obligations under Ghanaian law.
We do not sell your data, share it with advertisers, or use it to train any AI model that benefits other users or third parties.
AI features (Pro)
If you use AI Chat or AI categorisation, we send the relevant transaction details (amounts, dates, recipient names, categories) to Anthropic (Claude) to generate the response. We do not send your name, phone, email, account numbers, or any other personally-identifying information. Anthropic's commercial terms prohibit training models on this data.
Who we share data with
We share the minimum data necessary with:
| Provider | Purpose | Data shared |
|---|---|---|
| Neon (US) | Database hosting | All account & transaction data |
| Resend (US) | Email delivery (OTPs, receipts) | Email address, message contents |
| Paystack (Nigeria/Ghana) | Payment processing | Email, amount, payment reference |
| Anthropic (US) | AI chat & categorisation (Claude) | Anonymised transaction details |
| Google Cloud (EU) | App hosting | All app data, in transit and at rest |
We may also share data to comply with a valid legal request from a Ghanaian court or regulatory body, or to protect the rights, property, or safety of spend40, our users, or the public.
Where your data lives
Your data is stored in encrypted form on cloud infrastructure operated by Google Cloud Platform and Neon Tech. Statements you upload are stored in object storage tied to your account; raw PDFs are deleted automatically 30 days after upload — we keep only the structured transaction data after that.
Data may be transferred to and processed in the United States, the European Union, or other countries that may have different data-protection laws than Ghana. We rely on standard contractual safeguards with each processor.
How long we keep it
- Account data — until you delete your account.
- Raw PDF statements — 30 days.
- Extracted transactions — until you delete them, or 24 months after your account is closed (for tax/audit reasons).
- Login & security logs — 12 months.
- Payment receipts — 7 years (statutory requirement).
Your rights
Under the Data Protection Act, 2012 you have the right to:
- Access your data — get a copy of everything we hold on you.
- Correct your data — fix anything that's wrong.
- Delete your data — erase your account and transactions (Settings → Data & Privacy).
- Export your data — download your transactions as CSV.
- Restrict or object — limit how we use your data.
- Withdraw consent — for any processing based on consent.
- Lodge a complaint — with the Data Protection Commission of Ghana.
To exercise any of these rights, email privacy@spend40.com. We respond within 14 days.
Security
We protect your data with industry-standard measures:
- TLS 1.3 encryption for all data in transit.
- AES-256 encryption for data at rest.
- Passwordless OTP authentication — no password to leak.
- HttpOnly, Secure, SameSite session cookies.
- Rate-limited auth endpoints to block brute-force attacks.
- Regular security reviews of our infrastructure and dependencies.
If we ever discover a breach affecting your data, we will notify you within 72 hours and report to the Data Protection Commission as required by law.
Cookies & similar technologies
spend40 uses a small number of strictly-necessary cookies and similar technologies:
- spend40_session — keeps you signed in. HttpOnly, Secure, SameSite=Lax. Expires after 30 days.
- spend40_csrf — guards against cross-site request forgery on forms.
- localStorage — stores your theme preference and selected wallet. Stays on your device.
We do not use third-party advertising cookies, analytics that identify individuals, or tracking pixels.
Children
spend40 is not intended for anyone under 18. We do not knowingly collect data from minors. If you believe a minor has created an account, email us and we'll delete it.
Changes to this policy
If we make material changes, we'll notify you by email at least 14 days before they take effect. Minor edits (typos, clarifications) may happen at any time, and the "last updated" date at the top will reflect them.
Contact us
Privacy questions, deletion requests, or anything else:
- Email — privacy@spend40.com
- Post — 40 Analytics Ltd. · Accra · Ghana
This policy is governed by the laws of the Republic of Ghana. Any dispute arising from it is subject to the exclusive jurisdiction of the courts of Ghana.