Effective date: January 16, 2025
Last updated: January 16, 2025
The data controller responsible for processing your personal data is:
NOVA V
Onze Lieve Vrouwestraat 63
8770 Ingelmunster
Belgium
Email: sven@svenvanpoucke.com
Given the nature and scale of our data processing activities, we are not required to appoint a Data Protection Officer under Article 37 of the GDPR. For any privacy-related inquiries, please contact us at the email address above.
This Privacy Policy applies to the MyMoney personal finance platform (the "Service") and describes how we collect, use, disclose, and protect your personal data in accordance with:
This Service is intended exclusively for users located in the European Union and European Economic Area (EU/EEA). By using the Service, you confirm that you are located within the EU/EEA.
We collect and process the following categories of personal data:
Data we do NOT collect: We do not collect IP addresses for tracking purposes, location data, device fingerprints, browsing history outside the Service, or any biometric data.
We process your personal data for the following purposes, each with a specific legal basis under Article 6(1) GDPR:
| Purpose | Legal Basis | Data Categories |
|---|---|---|
| Account creation and authentication | Contract performance (Art. 6(1)(b)) | Account data |
| Providing the personal finance tracking service | Contract performance (Art. 6(1)(b)) | Financial data, Account data |
| Bank account synchronization via Open Banking | Contract performance (Art. 6(1)(b)) | Financial data |
| AI-powered categorization and insights | Contract performance (Art. 6(1)(b)) | Aggregated financial summaries |
| Service performance monitoring | Legitimate interest (Art. 6(1)(f)) | Anonymized technical data |
| Responding to support inquiries | Contract performance (Art. 6(1)(b)) | Account data, inquiry content |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) | As required by law |
Legitimate interest assessment: For performance monitoring, our legitimate interest is ensuring the Service operates reliably. This processing uses anonymized metrics that do not identify individual users, minimizing any impact on your privacy. You may object to this processing by contacting us.
Mandatory data: Providing your email address and password is necessary to create an account and use the Service. Without this data, we cannot provide the Service to you.
Optional data: Connecting bank accounts and entering financial data is voluntary. However, without this data, certain features of the Service (such as automatic transaction import and insights) will not be available.
We share your personal data with the following categories of recipients, acting as data processors under written agreements that comply with Article 28 GDPR:
Purpose: Database hosting, user authentication, and data storage
Data processed: All account and financial data
Location: European Union (EU region)
Safeguards: Data encrypted at rest (AES-256) and in transit (TLS 1.3)
Purpose: Open Banking connectivity (Account Information Service Provider under PSD2)
Data processed: Bank account identifiers, transaction history (accessed via your bank's API with your authorization)
Location: European Union
Note: We never receive or store your bank login credentials. Authentication occurs directly with your bank.
Purpose: AI-powered financial insights and transaction categorization
Data processed: Aggregated, anonymized financial summaries (not individual transactions with identifying details)
Location: United States and other countries
Safeguards: Standard Contractual Clauses (SCCs) approved by the European Commission
Purpose: Application hosting and performance monitoring
Data processed: Anonymous Web Vitals performance metrics (page load times); no personal data
Location: Global with EU edge nodes
Safeguards: Standard Contractual Clauses (SCCs)
Purpose: Transactional email delivery for contact form notifications
Data processed: Name, email address, and message content from contact form submissions
Location: United States
Safeguards: Standard Contractual Clauses (SCCs)
We do not sell, rent, or trade your personal data to third parties. We do not share your data with advertisers or data brokers.
Your data is primarily processed within the European Economic Area. However, some processors (Google, Vercel) may process data outside the EEA.
For transfers to countries without an adequacy decision from the European Commission, we rely on:
You may request a copy of the relevant safeguards by contacting us.
We use the following cookies and storage mechanisms:
These cookies are essential for the Service to function and cannot be disabled.
| Cookie | Purpose | Duration |
|---|---|---|
| Supabase auth token | Maintains your authenticated session | Session / 7 days |
Legal basis: These cookies are exempt from consent requirements under Article 5(3) of the ePrivacy Directive as they are strictly necessary to provide the service you requested.
With your consent, we use Vercel Speed Insights to collect anonymized performance metrics (Core Web Vitals). This data helps us improve page load times and does not identify individual users.
Legal basis: Consent (Art. 6(1)(a) GDPR). You can withdraw consent at any time via our cookie banner or by contacting us.
We use browser localStorage to remember your UI preferences (e.g., selected account, view settings). This data remains on your device and is cleared when you log out.
We retain your personal data according to the following criteria:
| Data Category | Retention Period |
|---|---|
| Account and financial data | Duration of your account, plus 30 days after deletion request |
| Authentication logs | 90 days (for security purposes) |
| Backup copies | Purged within 90 days of account deletion |
| Support correspondence | 2 years after resolution (for legal compliance) |
When you delete your account, we immediately revoke all bank connections and initiate permanent deletion of your personal data. Complete erasure occurs within 30 days, with backups purged within 90 days.
You have the following rights regarding your personal data:
How to exercise your rights: Contact us at sven@svenvanpoucke.com. We will respond within 30 days. If your request is complex, we may extend this period by up to 60 additional days, in which case we will inform you of the extension and the reasons.
Identity verification: To protect your privacy, we may request information to verify your identity before processing your request.
We use AI (Google Generative AI) to assist with transaction categorization and generate financial insights. This processing:
We do not engage in automated decision-making that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR.
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, including:
Despite these measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we commit to promptly addressing any security incident.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit) within 72 hours of becoming aware of the breach, as required by Article 33 GDPR. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, as required by Article 34 GDPR.
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately so we can delete it.
We may update this Privacy Policy to reflect changes in our practices, legal requirements, or for other operational reasons. When we make material changes:
We encourage you to review this policy periodically. Your continued use of the Service after changes become effective constitutes acceptance of the revised policy, except where consent is required.
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority.
For Belgium, the competent authority is:
Gegevensbeschermingsautoriteit (GBA)
Drukpersstraat 35
1000 Brussels
Belgium
Website: www.gegevensbeschermingsautoriteit.be
Email: contact@apd-gba.be
You may also lodge a complaint with the supervisory authority in the EU Member State of your habitual residence or place of work.
This Privacy Policy and any disputes arising from it shall be governed by the laws of Belgium, without regard to conflict of law principles. This choice of law does not deprive you of the protection afforded by provisions that cannot be derogated from by agreement under the law of your country of habitual residence.
If any provision of this Privacy Policy is found to be invalid or unenforceable by a court of competent jurisdiction, that provision shall be limited or eliminated to the minimum extent necessary, and the remaining provisions shall continue in full force and effect.
Our failure to enforce any right or provision of this Privacy Policy shall not constitute a waiver of that right or provision.
This Privacy Policy is provided in English. In the event of any conflict between translated versions and the English version, the English version shall prevail.
For any questions about this Privacy Policy or our data practices, please contact:
NOVA V
Onze Lieve Vrouwestraat 63
8770 Ingelmunster
Belgium
Email: sven@svenvanpoucke.com