Private expense tracker with Google Drive & OneDrive sync. Your data stays on your device and in your own cloud.
Last updated: 11 June 2026
This Privacy Policy describes how the Spendium mobile application (“Spendium”, “the app”, “we”) handles your information.
Spendium is an independently-developed open-source mobile application published by Volodymyr Shpynta. We can be reached at volodymyr.shpynta.n@gmail.com.
This privacy policy and the Spendium landing page are hosted on GitHub Pages.
Spendium does not run any backend server and does not collect, transmit, or sell your personal data.
Everything you record in the app — your expenses, categories, currency, language and display preferences — is stored locally on your device in an on-device SQLite database. We have no access to that database.
The app does not include any analytics SDK, advertising SDK, crash reporter SaaS, or third-party tracker.
Spendium offers an optional feature called Cloud sync that lets you keep your expenses in sync between multiple devices that you own. You can use the app indefinitely without ever enabling it.
When you choose to enable Cloud sync and sign in:
https://www.googleapis.com/auth/drive.appdata scope. This grants access only to a hidden, app-specific folder (appDataFolder) that no other app — including other apps you own — can read or modify. Spendium cannot see, list, or modify any other file in your Google Drive.
Files.ReadWrite.AppFolder and offline_access scopes. This grants access only to a hidden, app-specific folder (approot) on your OneDrive. Spendium cannot see, list, or modify any other file in your OneDrive.
A single compressed JSON file containing your expense events is written to that app-specific folder. It is your file in your own cloud account; it is never transmitted to any server controlled by the developer.
You can revoke Spendium’s access to your cloud at any time:
When Cloud sync is enabled, the access and refresh tokens issued by Google or Microsoft are stored on your device using the platform’s secure storage (Android Keystore via expo-secure-store). They are not transmitted anywhere except directly to Google’s or Microsoft’s official OAuth and Drive APIs over HTTPS.
Spendium contacts the following third-party services only when you explicitly use the corresponding feature:
| Service | When it is contacted | What is sent |
|---|---|---|
| Google OAuth / Drive API | Only after you tap “Sign in to Google Drive” in Cloud sync | OAuth credentials and your encrypted sync file |
| Microsoft OAuth / Microsoft Graph | Only after you tap “Sign in to OneDrive” in Cloud sync | OAuth credentials and your encrypted sync file |
| frankfurter.dev | Periodically, only if you record expenses in a currency other than your default currency | A request for publicly-available historical exchange rates — no user identifier is sent |
Spendium does not contact any other server.
Spendium declares only the standard INTERNET Android permission, which is required to reach the OAuth and exchange-rate endpoints listed above. The app does not request access to your contacts, photos, location, microphone, camera, SMS, or call log.
None. Spendium does not share, sell, or rent your data to anyone.
Spendium is a general-purpose expense tracker and is not directed at children under 16. We do not knowingly collect personal information from children under 16.
Because Spendium does not transmit your data to us, deletion is fully under your control:
If we materially change how Spendium handles data, we will update this page and bump the date at the top. Continued use of the app after such changes constitutes acceptance of the revised policy.
Questions, concerns, or data-subject-rights requests: volodymyr.shpynta.n@gmail.com.