Security
Last updated 18 June 2026
SpentOn reads financial email and turns it into your money picture, so the data we hold is among the most sensitive a person has. Security is built into how the product works, not bolted on. Here is how we protect it.
Encryption
- In transit. All traffic uses HTTPS/TLS, everywhere.
- At rest. Sensitive raw email content (subject, body, sender) is field-level encrypted before it is stored — it is gibberish to anyone reading the database directly. Money-math fields (amount, date, category) stay queryable so we can compute your numbers.
- OAuth tokens. Your Gmail credentials are encrypted separately at the field level, never stored in plaintext.
Access & authentication
- No Google password. You connect Gmail via Google OAuth. We never see or store your Google password — only a scoped, revocable, read-only token.
- Read-only Gmail. We request only
gmail.readonly. SpentOn cannot send, delete, modify, archive, label, or forward your email. - Tenant isolation. Every user's data is isolated at the database level with row-level security — one account can never read another's rows.
- Least privilege. Internal access is limited to what is needed to run the service. We do not allow humans to read your Gmail data except with your explicit consent, for security, to comply with law, or on aggregated/anonymised data.
AI & vendor handling
To interpret email, only triaged, financial-relevant text is sent to our LLM provider via an AI gateway, under zero-retention terms where available. The AI interprets; it never writes your ledger directly — deterministic, rules-based code does, and AI-discovered items sit in escrow until you approve them. Our sub-processors are listed in the Privacy Policy.
Data lifecycle
- Minimisation. Non-financial email is discarded at triage, before any AI sees it.
- Backups & retention. Data is backed up encrypted; deleted data is purged from backups on our standard retention cycle.
- Deletion & revocation. You can disconnect Gmail or delete your account at any time; deletion revokes the Google grant at the source and wipes your data. See Data Deletion.
Monitoring & incident response
Administrative and support access is logged for audit. If we ever detect a breach affecting your data, we will investigate, contain it, and notify affected users and the relevant authorities within the timeframes required by applicable law. Report a security concern to privacy@spenton.dev.
Compliance
Because Gmail read access is a restricted scope, SpentOn follows the Google API Services User Data Policy, including its Limited Use requirements (see our Google API Disclosure), and undergoes the periodic security assessment required for restricted scopes.
Questions about your data or these terms? Email privacy@spenton.dev.