Privacy Policy — EveryPenny
Last updated: 1 June 2026 Data Controller: ФОП Ольховатий Ігор Васильович, вулиця Максимовича Михайла, буд. 28е, під'їзд 3, кв. 375, м. Київ 01001, Україна. Contact: [email protected]
Summary (the short version)
EveryPenny is a personal finance app. It stores as little about you as possible, and only what's needed to show you your own money. We never sell or share your data with advertisers.
Specifically, we hold:
- An identifier from the sign-in provider you chose (Apple, email, or Google) so we can recognise you across sign-ins. If you signed in with Apple's Hide My Email, all we ever see is a relay address — your real email never reaches us.
- Your email address if you signed in with Apple without Hide-My-Email, with our email magic-link, or with Google. We never see a password — Apple, our magic-link sender (Resend), and Google handle that respectively.
- The manual accounts, balances, and transactions you enter yourself.
- The bank accounts and transactions we sync on your behalf if you connect a bank (we only read; we never move money).
- Encrypted bank access tokens so we can re-sync your data later without asking you to re-log in. Each user's tokens are encrypted with a per-user subkey derived from a master key plus your account id, so they can't be cross-decrypted between users.
- Device tokens so we can send you push notifications (e.g. a reminder that a subscription charge is due tomorrow).
Everything is stored in the European Economic Area (Frankfurt, Germany). You can delete your entire account from inside the app at any time. You can also remove a single bank account or a single sub-account of a connected bank without deleting the rest of your data — see Your rights below.
1. What data we collect
1.1 Data you give us directly
| Category | Examples | Purpose |
|---|---|---|
| Account identity | Provider-issued user id (Apple opaque string, Google sub, or our internal id for email sign-in), email address (or Apple private relay), display name (first sign-in only) |
Recognise you at sign-in; send security notifications |
| Device identity | Identifier-for-vendor (hashed), APNs device token, device model name | Push notifications, session revocation |
| Manual-entry finance data | Account names, currencies, balances, transaction dates, amounts, merchants, categories | Core app feature |
1.2 Data we receive from third parties on your behalf
| Source | Data | Triggered by |
|---|---|---|
| Monobank | Account list, balances, statements, near-real-time transaction events | You choose Monobank in the Connect Bank flow. Where we have been granted Monobank Corporate API access, we receive transaction events from your bank as they happen via an authorised webhook (no polling). Otherwise we use the legacy public API where you paste a personal X-Token from api.monobank.ua. Either way, the access is read-only — we cannot initiate payments. |
| Enable Banking | Account list, balances, statements (read-only) | You connect an EEA bank under PSD2; data is fetched via the aggregator after your bank's Strong Customer Authentication |
| Apple | Identity token verification via Apple's JWKS; server-to-server notifications about account deletion or Hide-My-Email toggles | Apple's internal lifecycle events |
Verified email + name from your Google account (returned in the OAuth id_token and verified against Google's JWKS) |
You choose "Continue with Google" at sign-in | |
| Resend | Delivery of our magic-link sign-in email to your inbox | You choose "Continue with email" at sign-in |
| fawazahmed0/exchange-api + Frankfurter | Foreign-exchange rate data (public, no personal data shared) | Automatic, every few hours |
1.3 Data we derive automatically
- Recurring pattern detection — we cluster your transactions to identify subscriptions and recurring bills. This happens on our servers and the output stays in your account.
- Hashed attribution — when you sign in, we store an HMAC-SHA256 hash of your IP address and User-Agent so we can recognise suspicious logins without storing the raw values.
1.4 Data we do NOT collect
- Raw IP addresses or User-Agent strings (we keep only keyed hashes).
- Advertising identifiers.
- Location.
- Contacts, photos, microphone, or camera access.
- Biometric data. Face ID / Touch ID stay on your device — they never reach our servers.
- Your bank login credentials. You generate a read-only token on Monobank's own site and give it to us directly; we never see your Monobank password.
2. Legal basis (GDPR Art. 6)
- Contract (Art. 6(1)(b)) — everything we need to provide the product you signed up for. Account identity, manual entries, bank sync, push notifications.
- Legitimate interest (Art. 6(1)(f)) — hashed attribution for fraud/abuse detection; Sentry error reports; audit event log.
- Consent (Art. 6(1)(a)) — connecting a bank is explicit consent. You can withdraw consent at any time by disconnecting the bank inside EveryPenny.
3. Where the data lives
| Category | Processor | Region | Encryption at rest |
|---|---|---|---|
| Postgres (users, accounts, transactions, audit log) | Neon Inc. | eu-central-1 (Frankfurt) | AES-256 at the storage layer, with additional AES-256-GCM column-level encryption on bank tokens using a per-user HKDF-derived subkey (so a row pasted from one user's column to another's fails to decrypt) |
| Redis (sessions, idempotency, BullMQ jobs, magic-link rate-limit counters) | Upstash, Inc. | eu-central-1 (Frankfurt) | TLS in transit; encrypted at rest |
| Errors + traces | Sentry (Functional Software GmbH) | EU region (Frankfurt) | Sentry-side encryption; we scrub PII server-side before anything leaves our process |
| Logs | Fly.io (Hashicorp region tag fra) |
Frankfurt | Fly's internal encryption |
| Push notifications | Apple Push Notification Service | global | Apple-managed |
| Transactional email | Resend Inc. | EU region | Resend-managed; we send only the recipient address + a single Penny-voice sign-in link or bug-report payload |
All data stays in the European Economic Area except for the Apple Push Notification service, which is handled by Apple globally under their own data-processing addendum, and Resend, which operates from EU and US regions; we use Resend's EU region for the magic-link and bug-report sends.
4. How long we keep it
- Your live data — as long as your account is active.
- Deleted account — your
usersrow and every record tied to it (accounts, transactions, bank connections, device tokens, sessions) are removed from our production database immediately when you tap Delete Account (or when Apple tells us your Apple ID was permanently deleted). Cascade-deleted rows are gone from live Postgres within the request. Neon's point-in-time backup snapshots continue to hold the pre-delete state for up to the retention window of our Neon plan (currently 6 hours) after which they expire naturally. - Audit events — kept indefinitely with
userIdset toNULLafter deletion, so the system-level trail survives but is no longer tied to you personally. - Session rows — pruned 90 days after expiry (anonymous data only — no PII).
- Idempotency keys — pruned 30 days after creation (hashes of request bodies, no PII).
- Sync cache (Redis) — 24 hours; nothing permanent.
5. Your rights (GDPR Art. 15-22)
You have the right to:
- Access your data — email us and we'll send you a JSON export of everything we hold.
- Correct inaccurate data — edit in-app, or email [email protected].
- Delete your account — tap Delete Account in Settings. Takes effect immediately and permanently: your data is gone from our live database the moment the request completes.
- Delete a single bank account or sub-account — long-press an account in EveryPenny and choose Disconnect bank (removes the entire connection and every transaction tied to it) or Remove this account (removes one bank-synced sub-account and its transactions while leaving the rest of the connection intact). Both are scoped to that account; nothing else is touched.
- Port your data — the export above is in portable JSON.
- Object to processing — disconnect banks; disable push notifications in iOS Settings.
- Withdraw consent — disconnecting a bank revokes EveryPenny's access immediately.
- Complain — to the data-protection authority of your EU country, or to Ukraine's Office of the Commissioner for the Protection of Personal Data.
We aim to respond to any written request within 30 days.
6. Security
We follow industry best practices for a finance app:
- TLS 1.3 everywhere. HSTS with preload.
- All bank tokens encrypted with per-user HKDF-derived AES-256-GCM subkeys, with the user's identifier bound into the auth tag so a row can't be cross-decrypted between users.
- Identity tokens from Apple and Google are verified against the respective provider's JWKS (JSON Web Key Set) on every sign-in — we never trust an unverified token.
- Email magic-link sign-in nonces are stored as SHA-256 hashes (never plaintext), expire 15 minutes after generation, are single-use, and are rate-limited per email and per IP to deter abuse.
- Refresh tokens stored as SHA-256 hashes, never plaintext; rotated on every use; device-bound.
- Session revocation on logout, on Apple account deletion, on request.
- Rate limiting at both the edge (Cloudflare) and the application tier.
- WAF + DDoS protection via Cloudflare.
- Append-only audit log on every money-touching action.
- Automated CVE scanning and dependency updates on every CI run.
No system is 100 % secure. If we discover a breach that affects you, we'll notify you without undue delay and at the latest within 72 hours, as GDPR requires.
7. Third-party sub-processors
These are the only companies that ever touch your data, and only in the specific roles below:
| Sub-processor | Role | DPA |
|---|---|---|
| Apple Inc. | Identity (Sign In with Apple), push notifications, App Store distribution | Apple Developer Program Licence + DPA |
| Google LLC | Identity (Google OAuth) when you choose "Continue with Google" | Google Cloud DPA |
| Resend Inc. | Transactional email — sign-in magic links + bug-report fanout | Resend DPA |
| Fly.io, Inc. | Application hosting (EU Frankfurt) | Fly Data Processing Addendum |
| Neon Inc. | Managed Postgres (EU Frankfurt) | Neon DPA |
| Upstash, Inc. | Managed Redis (EU Frankfurt) | Upstash DPA |
| Cloudflare, Inc. | DNS + WAF + DDoS (EU edge POPs) | Cloudflare DPA |
| Functional Software, Inc. (Sentry) | Crash + error reporting | Sentry DPA |
| Universal Bank (Monobank) | Direct account access (Ukraine only) | Direct relationship between you and the bank |
| Enable Banking Oy | EEA bank account aggregator (PSD2 AISP) | Enable Banking DPA |
| fawazahmed0/exchange-api + Frankfurter | FX rates (public data, no personal data shared) | CC0 / no DPA needed |
We'll update this list whenever we add or swap a sub-processor. Material changes trigger an in-app notice.
8. Children
EveryPenny is not directed at anyone under 16. We do not knowingly collect data from minors. If you believe a minor has signed up, contact us and we'll delete the account.
9. Changes to this policy
Significant changes are announced in-app before they take effect, and you'll be asked to re-consent. The change history is available on request.
10. Contact
For any privacy-related question or request: [email protected]
Appendix A — What Sentry actually receives
Sentry is initialised with sendDefaultPii: false and a scrubber that removes every key whose name matches email, phone, password, token, secret, iban, pan, dateOfBirth, address, firstName, lastName, fullName, and many other finance-adjacent terms, recursively, before any event leaves the process.
What Sentry sees:
- Sanitised stack traces
- HTTP route names (e.g.
POST /auth/apple) — never path params with ids - Error class + message (with PII regex-scrubbed)
- Opaque userId (UUID) — never the Apple user id or email
What Sentry never sees:
- Any bank account number, balance, or transaction amount
- Any real or relay email address
- Any authentication token in any form