Privacy Policy

Last updated: March 2026 · Operated by: Cotek FZ LLC · Ras Al Khaimah Free Zone (RAKEZ), Ras Al Khaimah, UAE
support@cotek.live

This policy explains exactly what data PExP collects, why, how it is protected, and the rights you have over it. We believe in plain language — no legal fog. This policy is compliant with UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (PDPL), EU/UK GDPR, and applicable international data protection standards.

01 Who We Are

PExP (“we”, “us”, “our”) is a personal finance ledger application developed and operated by Cotek FZ LLC, a company registered in the Ras Al Khaimah Free Zone (RAKEZ), Ras Al Khaimah, UAE.

PExP is a private, invitation-based financial tracking platform. It is not a bank, financial institution, payment processor, or investment adviser. We do not hold, move, or process money on your behalf.

As the data controller under UAE PDPL and GDPR (where applicable), Cotek FZ LLC is responsible for the collection and processing of your personal data. For all privacy matters, contact us at: support@cotek.live

We have not appointed a formal Data Protection Officer (DPO) as we do not meet the mandatory thresholds under current UAE PDPL regulations. However, privacy enquiries are handled directly by the company director and responded to within 30 days.

02 Legal Basis for Processing (UAE PDPL & GDPR)

Under UAE Federal Decree-Law No. 45 of 2021 (PDPL) and, where applicable, the EU General Data Protection Regulation (GDPR), we are required to identify the legal basis on which we process your personal data. We rely on the following:

Processing activity | Legal basis (UAE PDPL) | Legal basis (GDPR)
Account creation & authentication | Contractual necessity (Art. 4) | Performance of contract (Art. 6(1)(b))
Storing your financial entries | Contractual necessity (Art. 4) | Performance of contract (Art. 6(1)(b))
Sending transactional emails | Contractual necessity / Legitimate interest (Art. 4, 5) | Performance of contract / Legitimate interest (Art. 6(1)(b)(f))
Push notifications | Consent (Art. 4) — browser permission | Consent (Art. 6(1)(a))
AI features / receipt scanning | Consent (Art. 4) — feature opt-in | Consent (Art. 6(1)(a))
Security & fraud prevention | Legal obligation / Legitimate interest (Art. 4, 5) | Legal obligation / Legitimate interest (Art. 6(1)(c)(f))
Compliance with legal obligations | Legal obligation (Art. 4) | Legal obligation (Art. 6(1)(c))

Where we rely on consent as our legal basis, you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal. To withdraw consent, contact us at support@cotek.live or use your device/browser settings to revoke push notification permission.

03 Data We Collect

We only collect data that is necessary to deliver the service. We do not sell data, run advertising, or build profiles for third-party use.

Account & identity data

  • Full name and email address (provided at sign-up or invite)
  • Hashed password (bcrypt — we never store plaintext passwords)
  • Role within your ledger (Admin, Member, or Viewer)
  • Account creation date and agreement timestamp (date you accepted these terms)

Financial ledger data

This is the core data you enter manually. We store exactly what you provide — nothing is inferred or enriched from external sources.

  • Transaction entries: date, amount, type, description, category, account
  • Account names and balances derived from entries
  • Category names and emoji labels
  • Recurring transaction rules (description, amount, frequency, next due date)
  • Debt records: counterparty name, direction, amounts, due dates, payment history
  • Monthly close summaries: income, expenses, net, notes
  • Budget goals per category per month

Session & authentication data

  • Session tokens (stored as secure HTTP-only cookies via NextAuth.js)
  • Your current ledger context and role, embedded in the session token
  • Password reset tokens (one-time use, expire in 1 hour)

Device & notification data

  • Web push subscription endpoint and encryption keys (stored when you grant notification permission)
  • These are stored per user and used solely to deliver PExP notifications to your device

Payment & access data

  • If you purchase a paid plan, your payment is processed by Stripe. We do not store card numbers, CVV codes, or full payment credentials.
  • We store: your email address linked to an access grant record, the plan type purchased, and the date access was granted.
  • Stripe stores payment details under their own PCI-DSS compliant infrastructure.

Receipt images (transient)

  • If you use the "Scan Receipt" feature, the image is sent to Anthropic's Claude API for text extraction. The image is not stored by us. See Section 11 for full details.

Data we do NOT collect

  • We do not collect bank account numbers, card numbers, or any payment credentials
  • We do not track your location or IP address for profiling purposes
  • We do not use advertising trackers, analytics SDKs, or pixel tags
  • We do not scrape or import data from your bank or any external source
  • We do not collect biometric data
  • We do not collect sensitive personal data as defined under UAE PDPL (health, religion, race, political opinions) — do not enter such data into the app

04 How We Use Your Data

We use your data for one purpose: to provide and improve the PExP service to you.

Core service delivery

  • Authenticating you and maintaining your session securely
  • Displaying your financial entries, summaries, and reports
  • Generating automated recurring entries and reminders on your behalf
  • Calculating debt balances and payment histories
  • Producing monthly close summaries and budget tracking
  • Enforcing feature access based on your subscription tier

Notifications & email

  • Sending transactional emails (password reset, invite links, weekly reminders, monthly digests)
  • Delivering push notifications to your device based on your browser permission
  • You can opt out of email digests at any time via Settings
  • You can revoke push notification permission at any time via your browser settings

AI-assisted features

  • Processing receipt images through Anthropic's API to extract transaction details
  • Responding to natural-language financial queries in the AI tab
  • No AI output is stored or used to train models — see Section 11
  • AI features are only available to users with lifetime access

Legal and safety

  • Complying with applicable UAE PDPL, cybercrime law, and international law
  • Detecting and preventing unauthorised access or abuse
  • Resolving disputes and enforcing our terms
  • Establishing, exercising, or defending legal claims

We do not use your financial data for profiling, advertising targeting, credit scoring, or any purpose other than delivering the service you signed up for.

05 Data Storage & Security

Infrastructure

  • All data is stored in a PostgreSQL database hosted on Neon (neon.tech), a serverless Postgres provider with data centres in the United States.
  • The application is deployed on Vercel, using serverless functions running in secure, isolated environments.
  • All data is encrypted at rest and in transit using TLS 1.2+.

Password security

  • Passwords are hashed using bcrypt with a minimum cost factor of 10. We never store or log plaintext passwords.
  • Password reset links are single-use and expire after 1 hour.

Access control

  • Ledger data is strictly scoped — users can only access ledgers they belong to.
  • Role-based access control (Admin, Member, Viewer) is enforced on every API route at the server level.
  • Viewer-role users cannot create, edit, or delete any data.
  • All session tokens are signed and verified on every request.

Security incident response

In the event of a personal data breach, we will act in accordance with UAE PDPL Article 14 and, where applicable, GDPR Article 33. Specifically:

  • We will notify the UAE Data Office within 72 hours of becoming aware of a breach likely to result in risk to individuals' rights
  • We will notify affected users without undue delay where the breach is likely to result in high risk to their rights and freedoms
  • Notification will include: the nature of the breach, categories of data affected, likely consequences, and steps taken or proposed
  • We maintain an internal breach register regardless of whether notification is required

06 Data Sharing & Third Parties

We do not sell, rent, or trade your personal or financial data. We share data with the following third parties only to the extent necessary to operate the service:

Provider | Role | Data shared | Location | Privacy policy
Neon (neon.tech) | Database hosting | All stored app data | United States | neon.tech/privacy
Vercel Inc. | Application hosting | Request logs, env variables | United States | vercel.com/legal/privacy-policy
Resend | Transactional email | Email address, email content | United States | resend.com/privacy
Anthropic PBC | AI features | Receipt images, query text (transient) | United States | anthropic.com/privacy
Stripe Inc. | Payment processing (when active) | Email, payment details (PCI-DSS) | United States | stripe.com/privacy

Each third-party provider is bound by their own privacy policy and applicable data protection regulations. We conduct reasonable due diligence on providers before engaging them.

We may disclose data if required by UAE law, a valid UAE court order, or competent authority request, or where necessary to prevent imminent harm. We will notify affected users where legally permitted to do so.

We will never share your data with third parties for their own marketing or commercial purposes.

07 Data Retention

Active accounts

We retain your data for as long as your account exists and the ledger is active. Your financial data is yours — we do not delete it without your instruction.

Account deletion

  • When you request account deletion, we will permanently delete all your personal data and financial entries within 30 days.
  • Email us at support@cotek.live to request deletion.
  • Deletion is irreversible. Please export any data you need before requesting.
  • We may retain certain data for longer where required by UAE law, to resolve disputes, prevent fraud, or enforce our agreements. In such cases we will inform you of the retention period and its legal basis.

Specific retention periods

  • Password reset tokens: deleted immediately upon use or after 1 hour, whichever comes first
  • Session tokens: expire after approximately 30 days of inactivity
  • Push subscriptions: deleted when permission is revoked, or when a push delivery returns expired/invalid status
  • Email delivery logs: retained by Resend per their own policy (typically 30 days)
  • Payment records: retained for 5 years as required by UAE commercial law
  • Backup copies: may persist for up to 90 days in automated backup systems before permanent deletion

08 Your Rights

Under UAE Federal Decree-Law No. 45 of 2021 (PDPL) and, where applicable, GDPR and other international data protection laws, you have the following rights regarding your personal data:

  • Right of access — Request a copy of all personal data we hold about you (UAE PDPL Art. 6; GDPR Art. 15)
  • Right to rectification — Correct inaccurate or incomplete data; most data can be edited directly in the app (UAE PDPL Art. 7; GDPR Art. 16)
  • Right to erasure — Request deletion of your personal data and ledger (UAE PDPL Art. 8; GDPR Art. 17)
  • Right to portability — Request your data in a structured, machine-readable format (CSV or JSON) (GDPR Art. 20 — EEA/UK users)
  • Right to restriction — Ask us to restrict processing of your data in certain circumstances (GDPR Art. 18)
  • Right to object — Object to processing based on legitimate interests (UAE PDPL Art. 9; GDPR Art. 21)
  • Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
  • Right to non-discrimination — We will not penalise you for exercising any of your data rights

To exercise any of these rights, email support@cotek.live. We will respond within 30 days. Complex requests may take up to 90 days, in which case we will notify you of the extension. We may need to verify your identity before acting on your request.

California residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act and California Privacy Rights Act, including the right to know, right to delete, right to opt-out of sale (we do not sell data), and right to non-discrimination. To exercise these rights, contact us at support@cotek.live.

09 Cookies & Local Storage

PExP uses a minimal set of cookies strictly necessary for the service to function. We do not use third-party tracking cookies, advertising cookies, or analytics cookies of any kind.

Cookie name | Type | Purpose | Duration
next-auth.session-token | Strictly necessary | Authenticates your session. HTTP-only, Secure, SameSite=Lax. | 30 days
next-auth.csrf-token | Strictly necessary | CSRF protection for authentication flows. | Session
next-auth.callback-url | Functional | Stores the URL to redirect to after sign-in. | Session

Because all cookies are strictly necessary for authentication and security, no cookie consent banner is required under applicable law. These cookies do not track you across third-party websites or share data with advertisers.

10 Children's Privacy

PExP is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under the age of 18. Access to PExP requires explicit account creation or a direct invitation, which provides a natural barrier to unsolicited minor access.

Under UAE law and COPPA (US), if we discover that a child under the applicable age of digital consent has provided us with personal data, we will delete it promptly. If you believe this has occurred, contact us at support@cotek.live immediately.

11 AI Features & Receipt Scanning

PExP uses Anthropic's Claude AI model for two features available to paid users: the AI financial assistant and receipt scanning.

Receipt scanning

  • When you tap "Scan Receipt", the image is converted to base64 and sent from our server to Anthropic's API.
  • The image is used solely to extract the amount, merchant name, and date. It is not stored by us after the API call completes.
  • As of the date of this policy, Anthropic does not use API inputs to train their models by default. See Anthropic's privacy policy for their current commitments.
  • If you do not wish to use this feature, simply do not tap "Scan Receipt". You can always enter entries manually.
  • By using receipt scanning, you consent to the transient transmission of the image to Anthropic's API.

AI financial assistant

  • Queries you send to the AI tab include a summary of your ledger data so the AI can answer questions about your finances.
  • This data is sent to Anthropic's API in the context of your query and is not stored by us beyond the current API call.
  • Do not include sensitive personal information (passport numbers, bank credentials, health data) in AI queries.
  • By using the AI assistant, you consent to the transient processing of your ledger summary by Anthropic's API.

AI responses are for informational purposes only and do not constitute financial, legal, investment, or tax advice. Always verify AI-generated information before acting on it. PExP and Cotek FZ LLC accept no liability for decisions made based on AI output.

12 Push Notifications & Email

Push notifications

  • Push notifications are delivered via your browser's native Web Push mechanism, which requires your explicit permission.
  • Your push subscription (endpoint + VAPID encryption keys) is stored in our database linked to your user account.
  • You can revoke push notifications at any time via your browser's site settings for pexp.cotek.live.
  • Expired or revoked subscriptions are deleted automatically from our database.
  • Push notifications contain only operational content relating to your ledger activity — no promotional content.

Email communications

  • We send transactional emails only: password resets, invite links, weekly entry reminders, and monthly digest summaries.
  • Email is sent via Resend. Your email address is passed to Resend solely for delivery purposes.
  • You can disable email digests and weekly reminders in Settings at any time.
  • We do not send marketing emails, promotional offers, or newsletters without your explicit prior consent.
  • Transactional emails are necessary to deliver the service and cannot be entirely opted out of (e.g., password reset emails).

13 International Data Transfers

Cotek FZ LLC is based in the UAE. Our infrastructure providers (Neon, Vercel, Resend, Anthropic, Stripe) are headquartered in the United States and process data in US data centres.

Under UAE PDPL Article 22, transfers of personal data outside the UAE are permitted where the recipient country provides an adequate level of data protection, or where appropriate safeguards are in place. The United States is not currently on the UAE adequacy list; however, our providers implement Standard Contractual Clauses (SCCs) and maintain security standards consistent with international best practice.

By using PExP, you acknowledge that your data may be processed outside your country of residence, including in the United States, subject to the safeguards described above.

If you are based in the European Economic Area, Switzerland, or the United Kingdom, transfers of your personal data to the US are conducted under Standard Contractual Clauses (SCCs) pursuant to GDPR Article 46(2)(c) or equivalent UK transfer mechanisms. You may request a copy of applicable SCCs by emailing support@cotek.live.

If you are based in a jurisdiction with data localisation requirements, please contact us at support@cotek.live before using the service.

14 Limitation of Liability

To the fullest extent permitted by applicable law, Cotek FZ LLC and its officers, directors, employees, and agents shall not be liable for any indirect, incidental, special, consequential, or punitive damages arising out of or related to your use of PExP, including but not limited to:

  • Loss of data, revenue, profits, or business opportunities
  • Unauthorised access to or alteration of your data by third parties
  • Any errors, inaccuracies, or omissions in financial data you have entered
  • Decisions made based on AI-generated output or reports produced by the service
  • Service interruptions, downtime, or loss of access to your ledger
  • Actions or inactions of third-party providers (Neon, Vercel, Resend, Anthropic, Stripe)

Our total aggregate liability to you for any claim arising out of or relating to this policy or the service shall not exceed the greater of (a) the total fees paid by you to us in the twelve months preceding the claim, or (b) USD 100. This limitation applies regardless of the form of action, whether in contract, tort, negligence, strict liability, or otherwise.

PExP is provided as a personal record-keeping tool only. It is not a regulated financial service. We accept no responsibility for financial loss, tax obligations, or legal consequences arising from your use of the platform.

Nothing in this section excludes or limits liability for death or personal injury caused by our negligence, fraud or fraudulent misrepresentation, or any liability that cannot be excluded by applicable law.

15 Intellectual Property

All software, design, content, trademarks, and intellectual property associated with PExP are the exclusive property of Cotek FZ LLC or its licensors. Nothing in this policy transfers any intellectual property rights to you.

You retain full ownership of the financial data you enter into PExP. By using the service, you grant Cotek FZ LLC a limited, non-exclusive, royalty-free licence to store, process, and display your data solely for the purpose of providing the service to you. This licence terminates upon account deletion.

You may not copy, reverse-engineer, decompile, or create derivative works from any part of PExP without our prior written consent.

16 Governing Law & Disputes

This Privacy Policy and any disputes arising from it shall be governed by and construed in accordance with the laws of the Emirate of Ras Al Khaimah and the federal laws of the United Arab Emirates, including but not limited to UAE Federal Decree-Law No. 45 of 2021 (PDPL), Federal Decree-Law No. 26 of 2021 (Cybercrime Law), and Federal Law No. 46 of 2021 (Electronic Transactions Law).

Any dispute shall first be attempted to be resolved through good-faith negotiation by contacting us at support@cotek.live. If unresolved within 30 days, disputes shall be submitted to the exclusive jurisdiction of the competent courts of Ras Al Khaimah, UAE.

Notwithstanding the above, users based in jurisdictions with mandatory local consumer protection laws retain the right to bring claims under those laws in their local courts. EEA users may also lodge complaints with their national data protection authority.

17 General Provisions

Severability

If any provision of this policy is found to be unenforceable or invalid under applicable law, that provision shall be modified to the minimum extent necessary to make it enforceable. The remaining provisions shall continue in full force and effect.

Entire agreement

This Privacy Policy, together with our Terms of Service, constitutes the entire agreement between you and Cotek FZ LLC with respect to the collection and use of your personal data.

Force majeure

Cotek FZ LLC shall not be liable for any failure or delay in performance resulting from circumstances beyond our reasonable control, including acts of God, natural disasters, war, civil unrest, government action, cyberattacks by third parties, or failures of third-party infrastructure providers.

Waiver

Failure by Cotek FZ LLC to enforce any right or provision of this policy shall not constitute a waiver of that right or provision unless acknowledged and agreed in writing.

Assignment

Cotek FZ LLC may assign its rights and obligations under this policy in connection with a merger, acquisition, or sale of assets, provided the acquiring entity agrees to be bound by the same data protection standards. You will be notified of any such transfer in advance.

18 Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the law, or the service. When we make significant changes, we will:

  • Update the "Last updated" date at the top of this page
  • Send an email notification to all registered users at least 14 days before material changes take effect
  • Display an in-app notification via the notification bell
  • Where required by UAE PDPL or GDPR, obtain fresh consent before processing data in a materially new way

Your continued use of PExP after changes are published constitutes acceptance of the updated policy. If you disagree with material changes, you may request account deletion at any time before the effective date.

19 Contact & Complaints

For all privacy-related questions, requests, or complaints, contact us:

Cotek FZ LLC
Ras Al Khaimah Free Zone (RAKEZ), Ras Al Khaimah, UAE
support@cotek.live

We aim to respond to all privacy requests within 30 days. Complex requests may require up to 90 days, in which case we will notify you of the extension and the reasons for it.

If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority:

  • UAE residents: UAE Data Office (uaedataoffice.ae) — the supervisory authority for UAE PDPL
  • EEA residents: your national data protection authority (e.g. CNIL for France, BfDI for Germany, ICO for the UK)
  • Other jurisdictions: the relevant data protection regulator in your country

This policy applies to https://pexp.cotek.live and all associated interfaces, including any future mobile applications. It does not apply to third-party services linked from PExP.

© 2026 Cotek FZ LLC. All rights reserved.