Privacy Policy

1. Data Controller

The data controller for this service under the General Data Protection Regulation (GDPR) is:
Aleksandras Vilčinskas, a private individual residing in Vilnius, Lithuania.
Email: vilcastudioapp@gmail.com

2. Data We Collect

We collect only the data you provide while using the service:

  • Account data: name, email, cryptographic password hash.
  • Google account data (if signing in with Google): Google account ID, name, email.
  • Financial records: your income and expense transactions (date, amount, description, category).
  • Receipt images you upload for AI recognition.
  • Bank CSV statements you import.
  • Subscription data: Stripe customer ID, subscription status. Payment card data NEVER touches our servers — it is handled exclusively by Stripe.
  • Technical logs: request timestamps, IP address, errors (for security and diagnostics).

3. Purposes and Legal Basis

  • Service delivery (account management, transaction storage, AI categorization, export) — performance of contract (GDPR Art. 6(1)(b)).
  • Security, fraud prevention, logging — legitimate interest (GDPR Art. 6(1)(f)).
  • Payment processing — performance of contract (GDPR Art. 6(1)(b)).
  • Newsletters or marketing communications (if ever sent) — only with your consent (GDPR Art. 6(1)(a)).

4. Third Parties (Data Processors)

We use the following service providers who process your data on our behalf:

  • Google Cloud (GCP, us-central1, USA): server hosting infrastructure (Cloud Run).
  • Neon (USA): PostgreSQL database (stores accounts and transactions).
  • Firebase Hosting (Google, USA): website frontend delivery.
  • Stripe (Ireland / USA): payment processor. Stripe is a separate data controller for payment card data.
  • OpenAI (USA): AI models (GPT-4o) used for receipt recognition and categorization. Uploaded receipt images are sent to the OpenAI API. OpenAI commits not to use API data for training its models.
  • Resend (USA): transactional email delivery (signup confirmations, password resets, contact form).
  • Google (Google Sign-In): authentication (if you choose to sign in with a Google account).

All these processors are bound by GDPR requirements via Data Processing Agreements (DPAs).

5. International Data Transfers

Most of our service providers (Google Cloud, Neon, OpenAI, Resend, Stripe) are based in the United States. This means your data may be transferred outside the European Economic Area (EEA). Such transfers are conducted under Standard Contractual Clauses (SCCs) approved by the European Commission or under Data Privacy Framework certification, which provide GDPR-equivalent protection.

6. Retention Periods

  • Account and transaction data: retained as long as you use the service. After account deletion, data is removed within 30 days (backups rotate every 30 days).
  • Payment records (Stripe): retained for 10 years per Lithuanian accounting law requirements.
  • Technical logs: 30 days.
  • Receipt images sent to the OpenAI API: per OpenAI policy, API data is retained for up to 30 days for fraud prevention and then deleted.

7. Your Rights

Under GDPR you have the following rights:

  • Access your data (Art. 15).
  • Request correction of inaccurate data (Art. 16).
  • Request erasure ("right to be forgotten") (Art. 17). You can delete your account directly from the settings page.
  • Restrict processing (Art. 18).
  • Data portability (Art. 20). You can export all your transactions in CSV and PDF formats from the export page.
  • Object to processing based on legitimate interest (Art. 21).
  • Lodge a complaint with a supervisory authority. In Lithuania — the State Data Protection Inspectorate (VDAI).

To exercise these rights, email vilcastudioapp@gmail.com.

8. Cookies

We use a minimal set of cookies:

  • __session: authentication session cookie (essential, HttpOnly, Secure, SameSite=Lax).
  • language: your selected interface language (essential for functionality).

We do NOT use advertising, tracking, or third-party analytics cookies.

9. Security

Data is transmitted only over HTTPS/TLS. Passwords are stored using one-way hashing (bcrypt). The database is encrypted at rest on the Neon platform. Access is restricted to the data controller.

10. Changes to This Policy

We will notify you by email of material changes at least 30 days before they take effect. Minor changes will be reflected on this page with an updated revision date.

11. Contact

All data privacy questions: vilcastudioapp@gmail.com

Last Updated: May 10, 2026

by Vilca