$ Spend Story

Privacy Policy

Last updated: February 28, 2026 · Effective: February 28, 2026

This English version is the legally authoritative version of this document. Translations in other languages are provided for convenience only.

Spend Story ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use the Spend Story mobile application ("Service").

1. Data Controller

Spend Story operates as the data controller for personal data processed through this app. For inquiries regarding data processing:

  • Email: [email protected]

2. Information We Collect

a) Information You Provide

  • Account Information: Email address used for registration and authentication.
  • Financial Data: Bank statement files (PDF, Excel, CSV, TXT, OFX/QFX, QIF, MT940/SWIFT) that you voluntarily upload. This includes transaction amounts, dates, merchant names, and descriptions.

b) Information Collected Automatically

  • Device Information: Device type, operating system version, app version, and language preference.
  • Usage Data: App interaction data such as app session data and performance metrics (collected via Sentry).
  • Crash & Performance Data: Error logs, crash reports, and performance metrics (collected via Sentry).

c) Information We Do NOT Collect

  • Bank login credentials or passwords.
  • Precise GPS location. Note: Optional location permission is used solely on-device to center the spending map. Your location is not sent to our servers.
  • Contacts, photos, or other device data.
  • Biometric data.

3. Legal Basis for Processing (GDPR Art. 6)

  • Contract Performance (Art. 6(1)(b)): To provide the Service you signed up for.
  • Legitimate Interest (Art. 6(1)(f)): To improve our Service, ensure security, and prevent fraud.
  • Consent (Art. 6(1)(a)): For optional features like AI art generation. You may withdraw consent at any time.

4. How We Use Your Data

  • To analyze your spending patterns and provide financial insights.
  • To generate AI-powered summaries, spending scores, and story cards.
  • To process in-app purchases and manage your subscription.
  • To diagnose technical issues and improve app performance.
  • To provide customer support.
  • To comply with legal obligations.

5. Data Sharing & Third-Party Processors

We do NOT sell, rent, or trade your personal data. We share data only with the following processors, under strict data processing agreements:

  • Supabase (Supabase Inc., USA/EU) — Database and authentication. Data hosted in EU (eu-central-1). Compliant with GDPR via Standard Contractual Clauses.
  • Google Gemini AI (Google LLC, USA) — Transaction analysis and categorization. Data processing is subject to Google's API Terms of Service (https://ai.google.dev/gemini-api/terms).
  • Railway (Railway Corp., USA) — Backend hosting. Processes data in transit only.
  • Sentry (Functional Software Inc., USA) — Crash reporting and performance monitoring. Collects anonymized diagnostic data only.
  • RevenueCat (RevenueCat Inc., USA) — Subscription and purchase management. Processes purchase tokens and subscription status.
  • Apple / Google — App Store and Play Store process payments. We never access your payment card details.
  • Google AdMob (Google LLC, USA) — Displays non-personalized banner advertisements. May collect device identifiers and ad interaction data. See Google's Privacy Policy.

6. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including the United States. We ensure adequate protection through:

  • EU Standard Contractual Clauses (SCCs) with all US-based processors.
  • Data hosting in the EU (Supabase eu-central-1) for primary storage.
  • Encryption in transit (TLS 1.3) and at rest (AES-256).

7. Data Retention

  • Account Data: Retained while your account is active. Deleted within 30 days of account deletion.
  • Financial Data (transactions): Retained while your account is active. Deleted upon account deletion.
  • Uploaded Files (PDF/Excel): Automatically deleted from our servers immediately after AI processing. We do not retain original files.
  • Crash & Performance Data: Retained for 90 days by Sentry.
  • Purchase History: Retained as required by tax and accounting laws (up to 7 years).

8. Data Security

  • Encryption: TLS 1.3 in transit, AES-256 at rest.
  • Row Level Security (RLS): Each user can only access their own data.
  • JWT Authentication: Tokens stored in device secure storage (Keychain/Keystore).
  • Rate Limiting: API endpoints are rate-limited to prevent abuse.
  • Regular security audits and dependency updates.

9. Your Rights

a) For All Users

  • Access: View your data at any time within the app.
  • Export: Download your transaction data (Profile > Export Data).
  • Deletion: Delete your account and all data (Profile > Delete Account). Completed within 30 days.
  • Correction: Update your account information at any time.

b) EU/EEA Residents (GDPR)

  • Right to restriction of processing.
  • Right to data portability.
  • Right to object to processing based on legitimate interest.
  • Right to withdraw consent at any time.
  • Right to lodge a complaint with your local Data Protection Authority.

c) California Residents (CCPA/CPRA)

  • Right to know what personal information is collected, used, and shared.
  • Right to delete personal information.
  • Right to opt-out of the sale of personal information (we do not sell your data).
  • Right to non-discrimination for exercising your privacy rights.
  • California residents may contact us at: [email protected]

d) Turkish Residents (KVKK)

  • Rights under the Turkish Personal Data Protection Law (Law No. 6698) apply.
  • You may contact us to exercise your rights under KVKK.

e) Brazilian Residents (LGPD)

  • Rights under Brazil's Lei Geral de Proteção de Dados (Law No. 13.709/2018) apply.
  • You have the right to confirmation of data processing, access, correction, anonymization, portability, deletion, and information about shared data.
  • You may contact us or Brazil's National Data Protection Authority (ANPD) to exercise your rights.

f) Japanese Residents (APPI)

  • Rights under Japan's Act on the Protection of Personal Information apply.
  • You have the right to request disclosure, correction, suspension of use, or deletion of your personal data.
  • Cross-border transfers are conducted under appropriate safeguards per APPI requirements.

g) South Korean Residents (PIPA)

  • Rights under South Korea's Personal Information Protection Act apply.
  • You have the right to access, correct, suspend processing, and delete your personal data.
  • You may file a complaint with the Personal Information Protection Commission (PIPC).

h) Thai & Indonesian Residents (PDPA)

  • Rights under Thailand's Personal Data Protection Act B.E. 2562 (2019) and Indonesia's Personal Data Protection Law (UU PDP No. 27/2022) apply respectively.
  • You have the right to access, correct, delete, restrict, and port your personal data.
  • You may withdraw consent and lodge complaints with the relevant supervisory authority.

10. Cookies & Tracking

Spend Story does not use cookies or third-party tracking for analytics purposes. We display non-personalized banner advertisements via Google AdMob, which may use advertising identifiers (IDFA/GAID) to serve and measure ads. You can opt out of personalized advertising through your device settings (iOS: Settings > Privacy > Tracking; Android: Settings > Google > Ads). Sentry collects anonymized performance data only.

11. Children's Privacy

Spend Story is not intended for users under 18 years of age. We do not knowingly collect data from children. If we discover that a child under 18 has created an account, we will promptly delete it.

12. Changes to This Policy

We will notify you of material changes via in-app notification at least 14 days before they take effect. Continued use of the Service after changes constitutes acceptance.

13. Contact

For privacy inquiries, data access requests, or complaints:

  • Email: [email protected]
  • Response time: Within 30 days of receipt.
© 2026 Spend Story. All rights reserved.