Legal
Privacy Policy
This privacy policy informs you about how personal data is processed when operating the "Frudini" app and its accompanying website.
As of: 15 June 2026
1. Controller
The controller within the meaning of the GDPR is:
- Hauke Olf
- Südostallee 114
- 12487 Berlin
- Germany
- Email: hauke.olf@gmail.com
A data protection officer is not required by law. For questions, please write directly to the email address above.
2. What data is processed
2.1 Account and authentication data
- Email address
- Display name (optional)
- Device identifier of the authentication platform
- When signing in with "Sign in with Apple" or "Sign in with Google": the ID-token information transmitted by the provider
2.2 Content data
- Transactions (amount, category, date, note, receipt photo, if recorded)
- Budgets, savings goals, recurring entries, categories
- Memberships and invitations in shared household books
- In-app configuration (e.g. dashboard layout, theme)
2.3 Receipt photos and OCR
When you capture a receipt photo, the image is processed locally on your device for text recognition (Google ML Kit, on-device OCR). The image data does not leave your device in the process. If you then save the photo, it is uploaded encrypted to your private storage area at Firebase Storage.
2.4 AI-supported categorisation
Optionally, you can have transaction texts or receipt contents analysed by a language model for automatic categorisation. In the release version, processing takes place via Google Vertex AI (model: Gemini) through the global Vertex AI endpoint. In developer builds, Google AI is used; processing then takes place in the USA. Only the short transaction text or the receipt text extracted by OCR is transmitted. No training is performed on your data.
2.5 Technical data and diagnostics
- Device and operating system information
- App version, language, time zone
- Crash reports and stack traces (Firebase Crashlytics) — if enabled in the device settings
2.6 Usage analytics
To improve the app and understand which features are used, we collect pseudonymous usage statistics with Firebase Analytics. In particular, screens viewed and events around the Premium purchase (e.g. “paywall viewed”, “purchase started”, “purchase successful”) are recorded. In doing so, a pseudonymous identifier assigned by Firebase as well as technical properties such as the subscription status (premium_tier), whether the account is anonymous, and the app language are processed. No transaction contents, amounts, notes or receipt photos are transmitted to Analytics. The legal basis is our legitimate interest in improving and economically sustaining the app (Art. 6(1)(f) GDPR).
2.7 Device and app attestation
To protect the server interfaces against automated abuse, we use Firebase App Check. The operating system issues an attestation token (Apple App Attest or Google Play Integrity) that confirms the request originates from a genuine, unmodified installation of the app. The token does not allow identification of the user. The legal basis is our legitimate interest in security and abuse prevention (Art. 6(1)(f) GDPR).
2.8 Device permissions
The app requests permissions only for features you actively use:
- Camera — for scanning receipts.
- Microphone — for voice input of transactions.
- Photo library — for selecting existing receipt photos.
- Biometrics (Face ID / Touch ID / fingerprint) — for optional protection of app access.
- Notifications — for reminders and hints.
- Home-screen widget — for displaying the current balance on the home screen.
Permissions can be revoked at any time in the device settings. Without the relevant permission, the corresponding feature is not available.
3. Legal bases
- Art. 6(1)(b) GDPR — for performance of the contract to provide the app and its features.
- Art. 6(1)(c) GDPR — for compliance with legal obligations (e.g. tax retention).
- Art. 6(1)(f) GDPR — for safeguarding legitimate interests (security of the app, error analysis, abuse prevention).
- Art. 6(1)(a) GDPR — based on consent (e.g. Crashlytics, AI categorisation, push notifications). Consent can be withdrawn at any time with effect for the future.
4. Purposes of processing
- Provision and synchronisation of the household book
- Management of memberships and invitations
- Handling Premium subscriptions (entitlement check)
- Maintenance, security and error correction
- Optional automatic categorisation of transactions and receipts
- Pseudonymous usage analytics to improve the app
- Security of the server interfaces and abuse prevention
- Compliance with legal obligations
5. Recipients and processors
We use carefully selected service providers. Contracts under Art. 28 GDPR exist with all processors.
Transparency on storage and processing locations: productive Firebase services run in the globally configured Firebase infrastructure. Individual server functions intentionally run in fixed regions (notably europe-west3 and us-central1), see below.
- Firebase Authentication (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland) — authentication and account management.
- Cloud Firestore (Google Ireland Ltd.) — storage of app contents (transactions, budgets, memberships, categories).
- Firebase Storage (Google Ireland Ltd.) — storage of uploaded receipt photos in a private, rule-based storage area.
- Firebase Cloud Messaging (Google Ireland Ltd.) — delivery of push notifications, if enabled.
- Firebase Crashlytics (Google Ireland Ltd.) — anonymised crash reports for stability analysis, if enabled in the device settings.
- Firebase Analytics (Google Ireland Ltd.) — pseudonymous usage and reach analytics to improve the app (screens viewed, Premium-funnel events, technical user properties). No transaction contents are transmitted.
- Cloud Functions for Firebase (Google Ireland Ltd.) — server logic for auto-categorisation and Pro-status sync. Categorisation callable region: europe-west3. RevenueCat webhook region: us-central1.
- Firebase App Check (Google Ireland Ltd.) — device and app attestation (Apple App Attest or Google Play Integrity) to protect the server interfaces against abuse.
- Firebase AI / Vertex AI (Google Ireland Ltd., processing through the global Vertex AI endpoint) — AI-supported categorisation in the release version.
- Google AI (Google LLC, USA) — AI-supported categorisation in developer builds.
- Google ML Kit (Google LLC) — on-device text recognition for receipt photos. Processing takes place exclusively locally on the device; image data is not transmitted to Google in the process.
- RevenueCat, Inc. (12 E 49th St, New York, NY 10017, USA) — management of Premium subscriptions and entitlements. A pseudonymous app user ID, the subscription product and the subscription status are transmitted.
- Apple Inc. (One Apple Park Way, Cupertino, CA 95014, USA) and Google LLC / Google Ireland Ltd. — processing of in-app purchases and subscriptions via the platform stores.
6. Transfer to third countries
With some of the named services (in particular RevenueCat, Apple, Google AI), a transfer of personal data to the USA takes place. Insofar as the providers have not themselves submitted to the EU-US Data Privacy Framework, the transfer takes place on the basis of the EU Standard Contractual Clauses (SCC) under Art. 46(2)(c) GDPR.
Insofar as exceptionally neither an adequacy decision nor appropriate safeguards apply, a transfer only takes place where it is necessary for the performance of the contract with you (Art. 49(1)(b) GDPR) or where you have expressly consented to the transfer (Art. 49(1)(a) GDPR). Please note that no level of data protection comparable to European law is guaranteed in the USA and that authorities may demand access to personal data under certain conditions.
7. Storage period
Personal data is stored for as long as it is necessary for the purposes mentioned above, but at the longest until the account is deleted. After deletion the data is fully removed within 30 days; statutory retention obligations (e.g. § 257 HGB, § 147 AO) remain unaffected.
Instructions for account deletion can be found on the page Delete account.
8. Data subject rights
You have the right at any time to:
- Information about your stored data (Art. 15 GDPR)
- Rectification of incorrect data (Art. 16 GDPR)
- Erasure ("right to be forgotten") (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Object to processing based on legitimate interests (Art. 21 GDPR)
- Withdraw given consent with effect for the future (Art. 7(3) GDPR)
To exercise your rights, an informal email to hauke.olf@gmail.com is sufficient.
Right to lodge a complaint
You have the right to lodge a complaint with a data protection supervisory authority — in particular with the authority of your habitual residence. The competent authority for the controller is the Berlin Commissioner for Data Protection and Freedom of Information.
9. Data export and portability
Within the app you can export your transactions as a CSV file at any time and import them into other programs. This is how we technically implement your right to data portability (Art. 20 GDPR).
10. Cookies and tracking on the website
This website uses only technically necessary cookies that are required for operation (e.g. for storing the language preference). No tracking, no profiling and no reach measurement with a personal reference take place. Third-party scripts are not embedded.
11. Security
Data transmitted between app and server is encrypted (TLS). Access is restricted via the security rules of Cloud Firestore and Firebase Storage so that only the respective members of a household book have read and write rights. Optionally, app access can additionally be secured biometrically.
12. Automated decision-making
Automated decision-making within the meaning of Art. 22 GDPR does not take place. The optional AI-supported categorisation serves exclusively as a suggestion and can be manually overwritten at any time.
13. Changes to this policy
This privacy policy is updated where there are material changes to the scope of the app or to legal requirements. The version currently applicable is available on this page.