
Privacy Policy

Last updated: 15 April 2026

1. Data Controller.

The controller of your personal data is Moneydy, an independent service established in Portugal, European Union. Contact: moneydy-official@gmail.com. Moneydy has not appointed a Data Protection Officer as it is not legally required under Article 37 GDPR.

2. Scope.

This Privacy Policy explains what personal data we collect when you use Moneydy, why we collect it, the legal basis for processing it, how long we keep it, with whom we share it, and how you can exercise your rights under the EU General Data Protection Regulation (GDPR) and other applicable laws.

3. Personal data we collect.

  1. Account data — first name, last name, email address, password (stored as a bcrypt hash). Provided by you at registration.
  2. Authentication data — JWT token stored in your browser's localStorage to keep you signed in; if you sign in with Google, the Google account identifier and the basic profile information Google returns.
  3. Financial records you enter — transactions (amount, category, date, description, status), budgets, savings entries (type, institution, interest rate, dates, notes), investment entries (asset type, ticker, quantity, prices, commissions). This is self-reported data. Moneydy does not connect to your bank.
  4. Billing data — for Premium subscribers, a customer reference, plan, subscription status, and billing history. Full payment card details are processed directly by Stripe and never touch our servers; we receive only a tokenized reference and masked card metadata (last 4 digits, expiry, brand).
  5. Technical and usage data — IP address, browser type, device type, pages visited, referring URL, approximate location derived from IP, actions within the app. Collected automatically through our hosting logs and analytics.
  6. Support communications — the content of emails you send to moneydy-official@gmail.com.

4. Why we process your data and legal basis (Article 6 GDPR).

| Purpose | Legal basis |
| --- | --- |
| Create and maintain your account | Performance of a contract — Art. 6(1)(b) |
| Store and display your financial records | Performance of a contract — Art. 6(1)(b) |
| Process Premium subscriptions and payments | Performance of a contract — Art. 6(1)(b) |
| Keep tax and accounting records for paid subscriptions | Legal obligation — Art. 6(1)(c) |
| Secure the service, detect abuse, prevent fraud | Legitimate interests — Art. 6(1)(f) |
| Respond to your support requests | Legitimate interests — Art. 6(1)(f) |
| Analytics to understand how the product is used | Consent — Art. 6(1)(a) |
| Send product updates or marketing (if applicable) | Consent — Art. 6(1)(a) |
| Comply with legal requests from authorities | Legal obligation — Art. 6(1)(c) |

Our 'legitimate interests' are running and securing a reliable service; we weigh these against your rights and will not process where your rights override ours.

5. Special categories.

Moneydy does not ask for special-category data (health, political opinions, etc.) and you should not enter any in your transactions or notes.

6. Cookies and similar technologies.

  1. Strictly necessary — localStorage is used to store your authentication token and language/currency preference. These are essential for the service to function and do not require consent.
  2. Analytics — we use analytics cookies to understand aggregate usage patterns. These are only set after you give consent through the cookie banner shown on first visit. You can change or withdraw consent at any time from the cookie settings link.

7. How we share your data (recipients and sub-processors).

We do not sell your personal data. We share it only with service providers who act as our data processors under Article 28 GDPR, and only as needed to deliver the service.

| Recipient | Role | Location | Safeguard |
| --- | --- | --- | --- |
| MongoDB Atlas (MongoDB, Inc.) | Database hosting | Configurable region | Standard Contractual Clauses + DPA |
| Vercel Inc. | Application and frontend hosting | United States / global edge network | Standard Contractual Clauses + DPA |
| Stripe Payments Europe, Ltd. | Payment processing for Premium | Ireland (EU) / United States | Standard Contractual Clauses + DPA |
| Google LLC | "Sign in with Google" authentication (optional) | United States | Standard Contractual Clauses |

We may also disclose data when required by law, to enforce our Terms, or to protect the rights, property, or safety of Moneydy, our users, or others.

8. International data transfers.

Where our processors transfer personal data outside the European Economic Area, they do so under the European Commission's Standard Contractual Clauses (2021/914) or an adequacy decision, together with supplementary technical and organizational measures where required by the Schrems II judgment.

9. How long we keep your data (retention).

  • Account data and financial records — for the life of your account and then deleted within 30 days of account closure, except where retention is required by law.
  • Billing records — retained for the period required by Portuguese tax law (currently 10 years for invoicing records).
  • Support emails — up to 24 months after the last exchange.
  • Server and security logs — up to 12 months.
  • Analytics data — up to 14 months in aggregated form.
  • Backups — rolling backups are overwritten within 35 days.

10. Your rights under the GDPR.

If you are in the EU/EEA (and in many other jurisdictions with similar rights) you have the right to:

  • Access the personal data we hold about you (Art. 15);
  • Rectify inaccurate or incomplete data (Art. 16);
  • Erase your data ("right to be forgotten") (Art. 17);
  • Restrict processing (Art. 18);
  • Object to processing based on legitimate interests (Art. 21);
  • Receive your data in a structured, machine-readable format and have it transmitted to another controller — data portability (Art. 20);
  • Withdraw consent at any time, without affecting processing done before withdrawal (Art. 7(3));
  • Lodge a complaint with a supervisory authority — in Portugal, the Comissão Nacional de Proteção de Dados (CNPD), https://www.cnpd.pt/, or the authority in your country of residence.

To exercise any of these rights, email moneydy-official@gmail.com. We will respond within one month in accordance with Article 12(3) GDPR.

11. Automated decision-making.

Moneydy does not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects on you within the meaning of Article 22 GDPR.

12. Children.

Moneydy is not directed at children under 16. We do not knowingly collect data from children under that age. If you believe a child has provided us personal data, contact moneydy-official@gmail.com and we will delete it.

13. Security.

We apply technical and organizational measures appropriate to the risk, including HTTPS/TLS for all traffic, bcrypt password hashing, access controls, least-privilege database credentials, and hosted-provider security on MongoDB Atlas and Vercel. No system is perfectly secure, and we cannot guarantee absolute security.

14. Data breach notification.

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours under Article 33 GDPR and, where the risk is high, notify affected users without undue delay under Article 34.

15. Changes to this Privacy Policy.

We may update this Policy from time to time. The "Last updated" date at the top will reflect the most recent change. For material changes we will notify you by email or in-app banner before the change takes effect.

16. Contact.

For any privacy question or to exercise your rights: moneydy-official@gmail.com.