WeSpend← Back

Privacy Policy

Last updated: March 15, 2026

1. Controller

The data controller for WeSpend is Dmitriy Maletskiy, operating as a sole developer. Contact: i@nomad.gd.

2. What Data We Collect

2.1 Account data

When you sign in with Google we receive your name, email address, and profile picture from Google's OAuth service. When you sign in with Telegram we receive your Telegram user ID and display name. We do not receive or store your Google or Telegram passwords.

2.2 Financial data you enter

All financial records you create in the app — accounts, transactions, categories, budgets, and tags — are stored on our servers to deliver the service. This data belongs to you and is not shared with third parties except as described below.

2.3 Bank data via Open Banking

If you connect a bank account, we retrieve your account details and transaction history through Enable Banking's Open Banking API. Your bank credentials are never shared with us — authentication occurs directly between you and your bank. We store only the data returned by the API (account name, IBAN, balance, transactions).

2.4 Technical data

We store authentication tokens in HttpOnly cookies. We do not collect IP addresses, browser fingerprints, or behavioural analytics data.

3. Legal Basis for Processing (GDPR Art. 6)

  • Performance of a contract (Art. 6(1)(b)) — processing your account and financial data is necessary to provide the service you requested.
  • Legitimate interests (Art. 6(1)(f)) — maintaining security logs and preventing fraud.
  • Consent (Art. 6(1)(a)) — connecting bank accounts via Open Banking is entirely optional and requires your explicit action.

4. How We Use Your Data

  • To authenticate you and maintain your session
  • To store and display your financial records across your devices
  • To enable family sharing when you create or join a family group
  • To sync bank transactions when you connect a bank account
  • To calculate balances, analytics, and budget progress

We do not sell, rent, or share your personal data with advertisers or data brokers. We do not use your financial data for profiling or automated decision-making.

5. Third-Party Processors

We share data only with the following processors, under binding data processing agreements:

  • Hetzner Online GmbH — infrastructure provider (VPS, Germany/Finland, EU). All data is stored on EU servers. Privacy Policy.
  • Google LLC — OAuth authentication only. We receive only the data Google provides at sign-in. Privacy Policy.
  • Telegram Messenger Inc. — optional Telegram login. Subject to Telegram's Privacy Policy.
  • Enable Banking Oy — Open Banking API provider (Finland, EU). Used only if you choose to connect a bank. Subject to Enable Banking's Privacy Policy.

6. International Transfers

Your data is processed within the European Economic Area (EEA). Google LLC is based in the United States; data transfers are covered by Google's Standard Contractual Clauses (SCCs) approved by the European Commission.

7. Security

We use HTTPS/TLS for all data in transit, bcrypt for password hashing (where applicable), HttpOnly and Secure cookies for authentication tokens, and access controls to limit who can access production data. We conduct periodic security reviews and apply dependency updates promptly.

8. Data Retention

We retain your data for as long as your account is active. If you delete your account, all personal data is permanently deleted within 30 days. Anonymised aggregate statistics may be retained indefinitely.

9. Cookies

We use two HttpOnly, Secure, SameSite=Strict cookies exclusively for authentication: an access token (15-minute expiry) and a refresh token (7-day expiry). We do not use advertising cookies, tracking pixels, or third-party analytics scripts.

10. Your Rights Under GDPR

If you are located in the EEA, you have the following rights:

  • Access (Art. 15) — request a copy of all personal data we hold about you.
  • Rectification (Art. 16) — correct inaccurate or incomplete data.
  • Erasure (Art. 17) — request deletion of your data ("right to be forgotten").
  • Restriction (Art. 18) — request that we limit processing of your data.
  • Data portability (Art. 20) — receive your data in a machine-readable format.
  • Objection (Art. 21) — object to processing based on legitimate interests.
  • Withdraw consent — withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email i@nomad.gd. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

11. Changes to This Policy

We will notify users of material changes to this policy by updating the "Last updated" date and, where appropriate, via an in-app notice. The current version is always available at wespend.app/legal/privacy.

12. Contact

Questions or requests regarding this Privacy Policy: i@nomad.gd

Terms & ConditionsBack to WeSpend