Spentum

Privacy Policy

Last updated: May 2026

1. What We Collect

We collect only what is necessary to provide the service:

  • Email address, used for authentication, password resets, and account-related communication.
  • Financial data you enter, including transaction names, amounts, categories, dates, accounts, and any tags, budgets, or savings goals you create.
  • App preferences, such as currency, theme, language, date format, and week start day.
  • Household membership (if you join or create a shared household), so members can collaborate on shared finances.

We do not collect: location data, contacts, photos, calendar entries, advertising identifiers, browsing history, or any data outside the app.

2. How We Use Your Data

Your data is used solely to provide and improve Spentum: to display your transactions, calculate balances and forecasts, sync across your devices, and generate optional spending insights you explicitly request. We do not sell, rent, or share your personal data with third parties for advertising or marketing purposes.

3. Third-Party Services

Spentum relies on the following sub-processors. Each has been chosen because it offers strong privacy protections and supports EU data-protection requirements:

  • Supabase — authentication and database (EU region). Stores your account email and the financial data you enter.
  • Vercel — application hosting. Receives standard server-access logs (IP address, request path, user agent) which are retained for a short period for operational purposes.
  • xAI / OpenAI — only when you explicitly use the AI-powered CSV import or generate spending insights. We send the relevant transaction text to the AI provider to categorize or summarize it. We do not send your email, account ID, or any data unrelated to the request. AI providers may retain the request for a short period for abuse-prevention purposes only.
  • Google Sign-In — only when you choose to sign in with Google. Google receives standard sign-in metadata.

4. Where Your Data Is Stored

Your data is stored on secure cloud infrastructure hosted in the European Union. All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).

5. On-Device Data and Biometrics

The mobile app may use Face ID, Touch ID, or fingerprint authentication to lock the app. Biometric data never leaves your device — it is processed entirely by your phone's secure enclave. Spentum only receives a yes/no result from the operating system. We do not store, transmit, or have access to any biometric template.

The app caches your most recent transactions, balances, and accounts locally so you can read them when offline. This local cache is stored in encrypted device storage and is removed when you sign out or uninstall the app.

6. Notifications

If you enable reminders in Settings, the app schedules local notifications on your device for upcoming bills, daily logging reminders, weekly digests, and budget alerts. These notifications are computed and stored on your device — no notification content is sent to or from our servers.

7. Cookies and Local Storage

We use cookies solely for authentication session management. We also use localStorage to store your theme, language, and currency preferences for instant page loads. No tracking, analytics, or advertising cookies are used.

8. Data Retention

Your data is retained for as long as your account is active. When you delete your account from Settings, all of your personal data and financial records are permanently removed from our systems within 30 days. Encrypted backups containing your data are also purged within 90 days.

9. Your Rights (GDPR / UK GDPR)

If you are in the European Economic Area, the United Kingdom, or another jurisdiction with similar laws, you have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your data (right to erasure).
  • Export your data in a portable format (you can do this from Settings → Data → Backup).
  • Object to or restrict our processing of your data.
  • Lodge a complaint with your local data-protection authority.

Our lawful basis for processing your data is the performance of our contract with you (providing the Spentum service). Where you opt in to AI-powered features, the lawful basis is your consent, which you can withdraw at any time by disabling those features.

10. Children's Privacy

Spentum is not directed to children under 13 (or under 16 in the EEA). We do not knowingly collect personal information from children. If you believe a child has provided personal information to us, please contact us and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent revision. Significant changes will be communicated via email or an in-app notice.

12. Contact

If you have any questions, requests, or wish to exercise any of your data-protection rights, contact us at privacy@spentum.com.