Privacy Policy

Last updated: February 2025. This policy describes how Spendary collects, uses, and protects your personal data in compliance with the GDPR.

1. Data Controller

Spendary is the data controller for the personal data processed through our service.

2. What Data We Collect

A. Data You Upload

  • Bank statement files (CSV, XLS)
  • Transaction records
  • Merchant names
  • Amounts
  • Dates
  • Currency

B. Account Data

  • Email address
  • Payment confirmation from 3rd party payment provider

C. Technical Data

  • IP address
  • Device information
  • Usage logs
  • Cookies (see Cookie Policy)

3. Legal Basis (GDPR Article 6)

We process personal data based on:

  • Contract performance (Art. 6(1)(b)) – To analyze your uploaded bank data
  • Consent (Art. 6(1)(a)) – Marketing communication
  • Legitimate interest (Art. 6(1)(f)) – Security & fraud prevention
  • Legal obligation (Art. 6(1)(c)) – Accounting & tax compliance

4. How We Use Data

  • Generate financial insights
  • Categorize transactions
  • Detect recurring subscriptions
  • Provide dashboards & PDF reports
  • Improve AI models (anonymized only)

We do NOT:

  • Sell personal data
  • Share bank data with third parties for marketing

5. AI Processing Transparency

Spendary uses AI models to:

  • Classify transactions
  • Detect patterns
  • Generate summaries

AI decisions are assistive only. No automated decision-making producing legal effects is performed (GDPR Art. 22).

6. Data Storage & Security

  • Encrypted in transit (TLS 1.2+)
  • Encrypted at rest
  • Access-controlled infrastructure
  • Data minimization principle applied
  • Uploaded bank files are automatically deleted after generation of report.

7. Data Retention

  • Payment records: 7 years (EU tax law)

8. Your GDPR Rights

Users may:

  • Access their data (Art. 15)
  • Rectify inaccuracies (Art. 16)
  • Request deletion (Art. 17 – Right to be forgotten)
  • Restrict processing (Art. 18)
  • Data portability (Art. 20)
  • Object to processing (Art. 21)

Requests: support@spendary.net

9. International Transfers

If data is processed outside the EU, we rely on:

  • Standard Contractual Clauses (SCC)
  • Adequacy decisions where applicable

10. Supervisory Authority

Users may lodge a complaint with their local Data Protection Authority.

← Back to home