Privacy Policy
Last updated: June 15, 2025
1. Who we are
SpendFlow ("we", "us", "our") is a personal finance application available at https://app.spendflow.eu. SpendFlow is operated as an independent service. For privacy-related questions, contact us at diogomalafaya8@gmail.com.
2. What data we collect
We collect the minimum data necessary to provide the service:
- Account information — your name, email address, and profile picture obtained when you sign in with Google.
- Transaction data — financial transactions you import via CSV/Excel file upload, or retrieved from your bank via our open banking integration (EnableBanking).
- Bank connection data — when you connect a bank account, we store the session identifiers and account references provided by EnableBanking. We never store your bank login credentials.
- Usage data — basic technical information such as error logs, necessary for maintaining and improving the service.
3. How we use your data
- To provide and operate the SpendFlow application.
- To retrieve and display your bank transactions via the open banking integration.
- To apply your categorisation rules and preferences to transactions.
- To keep your data securely stored and accessible across devices.
We do not sell, share, or use your financial data for advertising.
4. Third-party services
SpendFlow relies on the following third-party processors:
- Google Firebase / Firestore — authentication and database storage. Your data is stored in Google's infrastructure under their privacy policy.
- EnableBanking — open banking aggregator that facilitates read-only access to your bank accounts under PSD2. EnableBanking acts as an Account Information Service Provider (AISP) and handles your bank authorisation. See their privacy policy.
- Vercel — hosting and serverless infrastructure for the application and API.
5. Open banking access
When you connect a bank account, SpendFlow requests read-only access to your account information and transaction history via EnableBanking. We cannot initiate payments or make any changes to your bank account. You can revoke access at any time from the Settings page within the app, or directly through your bank.
6. Data retention
Your data is retained for as long as your account is active. You may delete your account and all associated data at any time by contacting us at diogomalafaya8@gmail.com. We will process deletion requests within 30 days.
7. Your rights (GDPR)
If you are located in the European Economic Area, you have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion of your data ("right to be forgotten").
- Object to or restrict our processing of your data.
- Receive your data in a portable format.
- Lodge a complaint with your local data protection authority.
To exercise any of these rights, contact us at diogomalafaya8@gmail.com.
8. Security
We use industry-standard security measures including HTTPS encryption in transit and Firebase security rules to ensure only you can access your data. Bank connections use OAuth 2.0 flows — your bank credentials are never shared with SpendFlow.
9. Changes to this policy
We may update this policy from time to time. We will notify you of significant changes by updating the "Last updated" date above. Continued use of SpendFlow after changes constitutes acceptance of the updated policy.
10. Contact
For any privacy-related questions or requests, contact us at diogomalafaya8@gmail.com.