Privacy Policy

MyFina is a personal-finance application. We treat your financial data as private and only collect what is strictly necessary to provide the service.

This document is a working draft. It accurately describes current practices but has not yet been reviewed by external legal counsel; final wording may change before public launch.

Last updated: May 18, 2026

1. Who we are

MyFina (the “Service”) is operated as an independent project. The data controller for the purposes of GDPR (EU 2016/679) and similar regulations is the operator listed in the Contact section below.

If you are an EU/EEA resident, you have the rights described in section 6.

2. Data we collect

Account data: email address, password hash (bcrypt), display name, optional avatar, locale, timezone. If you sign in via Google OAuth, we receive your email and Google account ID — we do not receive or store your Google password.

Financial data: accounts, transactions, categories, budgets, goals, debts, subscriptions and currency preferences that you create inside the app. This data lives on our servers in the EU.

Device data: an FCM (Firebase Cloud Messaging) push token bound to your device, the device platform (iOS/Android/Web), locale and user-agent — used solely to deliver notifications you opted into.

Usage data: minimal, aggregated server logs (IP address, request path, status code) retained for 30 days (see section 5) for security and debugging. We do not run third-party analytics SDKs.

Optional bank-sync data: when you connect a bank via PSD2 (GoCardless EU) or Monobank (UA), we receive read-only account and transaction data from those providers on your behalf.

3. Why we use it (purposes & legal basis)

Performance of contract (GDPR Art.6.1.b): authenticating you, storing your accounts and transactions, processing subscription payments through Stripe, delivering notifications you enabled.

Legal obligation (GDPR Art.6.1.c): retaining billing records as required by tax/accounting law in the operator’s jurisdiction.

Legitimate interest (GDPR Art.6.1.f): operating the service, preventing abuse, fixing bugs, communicating about service availability.

Consent (GDPR Art.6.1.a): optional bank-sync providers, optional AI features (Anthropic), and marketing/feature notifications. You may withdraw consent at any time inside the app.

4. Third parties we share data with

Stripe, Inc. — payment processing for Pro subscriptions (we never store full card numbers). https://stripe.com/privacy

Google Firebase Cloud Messaging — push-notification delivery. The push payload itself contains an opaque event identifier; the human-readable text is rendered locally on your device.

GoCardless Bank Account Data (formerly Nordigen) — optional PSD2 bank aggregation in the EU/EEA. Used only when you explicitly connect a bank.

Monobank (UA) — optional bank webhook integration. Used only when you explicitly enable it.

Hosting and infrastructure (database, object storage) — providers located in the EU. They process data strictly under our instructions.

Anthropic PBC — optional AI features (voice and receipt parsing; later an in-app assistant and insights) that you explicitly enable. When enabled, only the relevant text (e.g. a transaction description or receipt text extracted on your device) is sent to Anthropic's API to produce the result. It is processed under a data-processing agreement with zero retention and is not used to train any model. You can disable AI features at any time in Settings.

We do not sell your data, do not use it for advertising profiling, and do not share it with social networks.

5. How long we keep data

Account data: until you delete your account. Deletion is available inside the app (Settings → Account → Delete account) and removes all your transactions, accounts, categories, budgets, goals, debts, subscriptions and FCM device tokens.

Billing records (Stripe transaction history): up to 7 years where required by tax law, even after account deletion.

Server logs: 30 days, then deleted.

Backups: encrypted at rest, rotated within 35 days. Deleted account data is purged from active backups within this rotation window.

6. Your rights

Under GDPR (or equivalent local law) you can: access your data, correct it, request deletion, restrict processing, port it to another service, and object to processing based on legitimate interest.

You can exercise most rights directly in the app: Settings → Account lets you change your email, change your password, wipe transactions, wipe accounts, or delete your account entirely. For data export or other requests, contact us using the section below.

You also have the right to lodge a complaint with a supervisory authority in the EU/EEA member state where you live.

7. Children

MyFina is not directed at children under 16. If you believe a minor has signed up, please contact us — we will delete the account.

Contact

Questions about this policy or your data? Use the in-app Support form (Settings → Help) or write to the email listed on the home page footer.