Privacy Policy

1. Controller

The data controller for WeSpend is Individual Entrepreneur Kostiantyn Neskoromnyi (ФОП Нескоромний Костянтин Миколайович), registered in Ukraine. Contact: info@wespend.app.

2. What Data We Collect

2.1 Account data

When you sign in with Google we receive your name, email address, and profile picture from Google's OAuth service. When you sign in with Telegram we receive your Telegram user ID and display name. If you register with an email address and password, we store your email address and a securely hashed (bcrypt) version of your password — never the password itself. We never receive or store your Google or Telegram passwords.

2.2 Financial data you enter

All financial records you create in the app — accounts, transactions, categories, budgets, tags, savings goals, templates, and category rules — are stored on our servers to deliver the service. If you attach receipts (images or PDF files) to transactions or upload a custom profile picture, those files are stored as well. This data belongs to you and is not shared with third parties except as described below.

2.3 Bank data (Monobank)

If you connect your Monobank account, you provide a personal access token issued by Monobank (api.monobank.ua). This token is read-only: it lets WeSpend retrieve your account details and transaction history, but it can never move money or change your bank settings. We never receive your bank login or password — you generate and control the token yourself and can revoke it at any time. We store only the data Monobank returns (account name, balance, and transactions). Support for additional banks via EU & US Open Banking is planned for the future; this policy will be updated before any such integration goes live.

2.4 Technical & session data

We store authentication tokens in HttpOnly cookies (web) or the app's secure local storage (native apps). For each active login session we also store basic metadata — IP address, browser/user-agent, device model, and app version — so that you can review your active sessions and sign out of devices remotely. This session metadata is held in our cache for the lifetime of the session (up to 7 days) and is used solely for security and session management. We do not build advertising profiles, use tracking pixels, or perform behavioural analytics.

3. Legal Basis for Processing (GDPR Art. 6)

• Performance of a contract (Art. 6(1)(b)) — processing your account and financial data is necessary to provide the service you requested.
• Legitimate interests (Art. 6(1)(f)) — maintaining security logs and preventing fraud.
• Consent (Art. 6(1)(a)) — connecting your Monobank account is entirely optional and requires your explicit action (providing a personal access token).

4. How We Use Your Data

• To authenticate you and maintain your session
• To store and display your financial records across your devices
• To enable family sharing when you create or join a family group
• To sync your transactions when you connect your Monobank account
• To calculate balances, reports, and budget progress

We do not sell, rent, or share your personal data with advertisers or data brokers. We do not use your financial data for profiling or automated decision-making.

5. Third-Party Processors

We share data only with the following processors, under binding data processing agreements:

• Hetzner Online GmbH — infrastructure provider (VPS, Germany/Finland, EU). All data is stored on EU servers. Privacy Policy.
• Google LLC — OAuth authentication only. We receive only the data Google provides at sign-in. Privacy Policy.
• Telegram Messenger Inc. — optional Telegram login. Subject to Telegram's Privacy Policy.

6. International Transfers

Your data is processed within the European Economic Area (EEA). Google LLC is based in the United States; data transfers are covered by Google's Standard Contractual Clauses (SCCs) approved by the European Commission.

7. Security

We use HTTPS/TLS for all data in transit, bcrypt for password hashing, HttpOnly and Secure cookies for authentication tokens, and access controls to limit who can access production data. We conduct periodic security reviews and apply dependency updates promptly.

8. Data Retention

We retain your data for as long as your account is active. If you delete your account, all personal data is permanently deleted within 30 days. Anonymised aggregate statistics may be retained indefinitely.

9. Cookies

On the web we use two HttpOnly, Secure, SameSite=Lax cookies exclusively for authentication: an access token (60-minute expiry) and a refresh token (7-day expiry, sent only to authentication endpoints). On the native iOS, Android, and Telegram apps these tokens are stored in the app's secure local storage instead of cookies. We do not use advertising cookies, tracking pixels, or third-party analytics scripts.

10. Your Rights Under GDPR

If you are located in the EEA, you have the following rights:

• Access (Art. 15) — request a copy of all personal data we hold about you.
• Rectification (Art. 16) — correct inaccurate or incomplete data.
• Erasure (Art. 17) — request deletion of your data ("right to be forgotten").
• Restriction (Art. 18) — request that we limit processing of your data.
• Data portability (Art. 20) — receive your data in a machine-readable format.
• Objection (Art. 21) — object to processing based on legitimate interests.
• Withdraw consent — withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email info@wespend.app. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

11. Changes to This Policy

We will notify users of material changes to this policy by updating the "Last updated" date and, where appropriate, via an in-app notice. The current version is always available at wespend.app/legal/privacy.

12. Contact

Questions or requests regarding this Privacy Policy: info@wespend.app