Privacy Policy

Last updated: March 2026

Simple Money SRL ("Simple Money", "we", "us", "our") is a Romanian company (SRL) committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our mobile application, web application, and related services (collectively, the "Service").

1. Data controller

Simple Money SRL, registered in Romania, is the data controller for the purposes of the EU General Data Protection Regulation (GDPR) and applicable Romanian data protection legislation.

Contact: privacy@simplemoney.app

2. Data we collect

2.1 Account data

When you create an account, we collect:

• Email address for authentication and account recovery
• Password (stored as a bcrypt hash; we never store your plaintext password)
• Display name (optional, provided by you)

2.2 Financial data

When you use the Service, you may enter:

• Transaction amounts, merchants, notes, dates, categories, and tags
• Account names and balances
• Budget configurations
• Debt details (balances, interest rates)
• Goal amounts and progress

All financial data is encrypted at rest using AES-256-GCM encryption. Each user has a unique encryption key (per-user KEK pattern). Amounts, merchant names, notes, and account names are encrypted before they are written to the database. Our team cannot read your financial data.

2.3 Technical data

• Device type and browser (for session management and security)
• IP address (for rate limiting and security; not stored long-term)
• Session tokens (for authentication)

2.4 Analytics data (only with your consent)

If you consent to analytics cookies, we collect anonymized usage data via PostHog to understand how the app is used. This data does not include any financial information. You can withdraw analytics consent at any time from Settings or by clearing your cookie preferences.

3. Data we do NOT collect

• Bank credentials. We never connect to your bank. We never ask for your banking login, account numbers, or routing numbers.
• Financial aggregator data. We do not use Plaid, Finicity, Yodlee, or any similar service.
• Location data. We do not track your geographic location.
• Contact lists. We do not access your phone contacts.

4. How we use your data

• Provide the Service: display your transactions, calculate budgets, run financial calculators, generate reports
• Account security: authenticate your sessions, detect suspicious activity, enforce rate limits
• Email communications: account verification, password reset, subscription notices. We do not send marketing emails without your explicit opt-in.
• Product improvement: if you consent to analytics, we use anonymized usage patterns to improve the Service

5. Data sharing

We do not sell, rent, or share your personal or financial data with third parties.

The only third-party services that process data on our behalf are:

• Stripe for payment processing (receives your email and payment method; we never see your full card number)
• Resend for transactional email delivery (receives your email address and message content)
• Cloudflare for hosting and CDN (processes network-level data)
• PostHog for analytics (only if you consent; receives anonymized usage data)

Each of these providers is bound by data processing agreements and processes data only as instructed by us.

6. Data storage and security

• Data is hosted on servers within the European Union
• All financial data is encrypted at rest using AES-256-GCM
• Each user has a unique encryption key (per-user KEK), itself encrypted with a master key
• All connections use TLS 1.2+ (encrypted in transit)
• Passwords are hashed with bcrypt (never stored in plaintext)
• Session tokens are signed with JWT and expire after 15 minutes (refreshable)
• PIN lock data is obfuscated and stored locally on your device

7. Data retention

• Active accounts: data is retained as long as your account is active
• Deleted transactions: soft-deleted for 30 days (recoverable), then permanently purged
• Account deletion: when you request account deletion, we schedule permanent removal after a 30-day grace period. You can cancel the deletion during this period. After 30 days, all data (including encrypted financial data) is permanently and irreversibly deleted.
• Audit logs: retained for 12 months for security purposes, then deleted

8. Your rights under GDPR

As a data subject under the GDPR, you have the right to:

• Access your personal data (Settings > Data > Download my data)
• Rectify inaccurate data (edit your profile, transactions, or accounts at any time)
• Erase your data (Settings > Delete my account)
• Restrict processing (contact us at privacy@simplemoney.app)
• Data portability (export your data as CSV or JSON)
• Object to processing based on legitimate interest
• Withdraw consent for analytics at any time

To exercise any of these rights, use the in-app tools or contact us at privacy@simplemoney.app. We will respond within 30 days.

9. Cookies

We use the following categories of cookies:

• Essential (always active): authentication tokens, session management, CSRF protection. Required for the Service to function.
• Analytics (opt-in): PostHog tracking for anonymized usage patterns. Disabled by default. You choose whether to enable this.
• Marketing (opt-in): currently unused. Reserved for future use. Disabled by default.

You can manage your cookie preferences at any time through the cookie banner or in Settings.

10. Children's privacy

Simple Money is not intended for children under 16. We do not knowingly collect data from children under 16. If you believe a child has provided us with personal data, contact us at privacy@simplemoney.app and we will delete it.

11. International transfers

Your data is stored within the EU. If any processing occurs outside the EU (e.g., email delivery via Resend), it is covered by Standard Contractual Clauses (SCCs) or adequacy decisions as required by GDPR.

12. Changes to this policy

We may update this Privacy Policy from time to time. Significant changes will be communicated via email or in-app notification. The "Last updated" date at the top of this page indicates the most recent revision.

13. Contact

For privacy-related questions, data requests, or complaints:

Email: privacy@simplemoney.app
Company: Simple Money SRL, Romania

You also have the right to lodge a complaint with the Romanian data protection authority (ANSPDCP) or any EU supervisory authority.