Privacy Policy — EveryPenny
Last updated: 16 April 2026
Data Controller: ФОП Ольховатий Ігор Васильович, вулиця Максимовича Михайла, буд. 28е, під'їзд 3, кв. 375, м. Київ 01001, Україна.
Contact: hello@everypennyapp.com
Summary (the short version)
EveryPenny is a personal finance app. It stores as little about you as possible, and only what's needed to show you your own money. We never sell or share your data with advertisers.
Specifically, we hold:
- An Apple-issued anonymous user id so we can recognise you across sign-ins. If you chose Apple's Hide My Email, all we ever see is a relay address — your real email never reaches us.
- The manual accounts, balances, and transactions you enter yourself.
- The bank accounts and transactions we sync on your behalf if you connect a bank (we only read; we never move money).
- Encrypted bank access tokens so we can re-sync your data later without asking you to re-log in.
- Device tokens so we can send you push notifications (e.g. a reminder that a subscription charge is due tomorrow).
Everything is stored in the European Economic Area (Frankfurt, Germany). You can delete your entire account from inside the app at any time.
1. What data we collect
1.1 Data you give us directly
| Category | Examples | Purpose |
|---|---|---|
| Account identity | Apple user id (opaque string), email address (or Apple private relay), display name (first sign-in only) | Recognise you at sign-in; send security notifications |
| Device identity | Identifier-for-vendor (hashed), APNs device token, device model name | Push notifications, session revocation |
| Manual-entry finance data | Account names, currencies, balances, transaction dates, amounts, merchants, categories | Core app feature |
1.2 Data we receive from third parties on your behalf
| Source | Data | Triggered by |
|---|---|---|
| Monobank public API (Ukraine only) | Account list, balances, statements | You paste a Monobank X-Token from api.monobank.ua (or grant access via the native Monobank app consent once Corporate API access is granted to us) |
| Apple | Identity token verification via Apple's JWKS; server-to-server notifications about account deletion or Hide-My-Email toggles | Apple's internal lifecycle events |
| fawazahmed0/exchange-api | Foreign-exchange rate data (301 currencies, CC0 licensed) | Automatic, every 6 hours |
1.3 Data we derive automatically
- Recurring pattern detection — we cluster your transactions to identify subscriptions and recurring bills. This happens on our servers and the output stays in your account.
- Hashed attribution — when you sign in, we store an HMAC-SHA256 hash of your IP address and User-Agent so we can recognise suspicious logins without storing the raw values.
1.4 Data we do NOT collect
- Raw IP addresses or User-Agent strings (we keep only keyed hashes).
- Advertising identifiers.
- Location.
- Contacts, photos, microphone, or camera access.
- Biometric data. Face ID / Touch ID stay on your device — they never reach our servers.
- Your bank login credentials. You generate a read-only token on Monobank's own site and give it to us directly; we never see your Monobank password.
2. Legal basis (GDPR Art. 6)
- Contract (Art. 6(1)(b)) — everything we need to provide the product you signed up for. Account identity, manual entries, bank sync, push notifications.
- Legitimate interest (Art. 6(1)(f)) — hashed attribution for fraud/abuse detection; Sentry error reports; audit event log.
- Consent (Art. 6(1)(a)) — connecting a bank is explicit consent. You can withdraw consent at any time by disconnecting the bank inside EveryPenny.
3. Where the data lives
| Category | Processor | Region | Encryption at rest |
|---|---|---|---|
| Postgres (users, accounts, transactions, audit log) | Neon Inc. | eu-central-1 (Frankfurt) | AES-256 at the storage layer, with additional AES-256-GCM column-level encryption on bank tokens using a per-user HKDF-derived subkey |
| Redis (sessions, idempotency, BullMQ jobs) | Upstash, Inc. | eu-central-1 (Frankfurt) | TLS in transit; encrypted at rest |
| Errors + traces | Sentry (Functional Software GmbH) | EU region (Frankfurt) | Sentry-side encryption; we scrub PII server-side before anything leaves our process |
| Logs | Fly.io (Hashicorp region tag fra) | Frankfurt | Fly's internal encryption |
| Push notifications | Apple Push Notification Service | global | Apple-managed |
All data stays in the European Economic Area except for the Apple Push Notification service, which is handled by Apple globally under their own data-processing addendum.
4. How long we keep it
- Your live data — as long as your account is active.
- Soft-deleted account — 30 days, then permanently purged. During the 30-day window your PII (email, name) is already redacted, but your internal user id stays so we can honour Apple's `account-deleted` webhook path.
- Audit events — indefinitely, with `userId` set to `NULL` after user deletion so the trail survives but is no longer tied to you personally.
- Session rows — pruned 90 days after expiry.
- Idempotency keys — pruned 30 days after creation.
- Sync cache (Redis) — 24 hours; nothing permanent.
5. Your rights (GDPR Art. 15-22)
You have the right to:
- Access your data — email us and we'll send you a JSON export of everything we hold.
- Correct inaccurate data — edit in-app, or email hello@everypennyapp.com.
- Delete your account — tap Delete Account in Settings. Takes effect immediately; permanent within 30 days.
- Port your data — the export above is in portable JSON.
- Object to processing — disconnect banks; disable push notifications in iOS Settings.
- Withdraw consent — disconnecting a bank revokes EveryPenny's access immediately.
- Complain — to the data-protection authority of your EU country, or to Ukraine's Office of the Commissioner for the Protection of Personal Data.
We aim to respond to any written request within 30 days.
6. Security
We follow industry best practices for a finance app:
- TLS 1.3 everywhere. HSTS with preload.
- All bank tokens encrypted with per-user HKDF-derived AES-256-GCM subkeys.
- Refresh tokens stored as SHA-256 hashes, never plaintext; rotated on every use; device-bound.
- Session revocation on logout, on Apple account deletion, on request.
- Rate limiting at both the edge (Cloudflare) and the application tier.
- WAF + DDoS protection via Cloudflare.
- Append-only audit log on every money-touching action.
- Automated CVE scanning and dependency updates on every CI run.
No system is 100% secure. If we discover a breach that affects you, we'll notify you without undue delay and at the latest within 72 hours, as GDPR requires.
7. Third-party sub-processors
These are the only companies that ever touch your data, and only in the specific roles below:
| Sub-processor | Role | DPA |
|---|---|---|
| Apple Inc. | Identity, push notifications, App Store distribution | Apple Developer Program Licence + DPA |
| Fly.io, Inc. | Application hosting (EU Frankfurt) | Fly Data Processing Addendum |
| Neon Inc. | Managed Postgres (EU Frankfurt) | Neon DPA |
| Upstash, Inc. | Managed Redis (EU Frankfurt) | Upstash DPA |
| Cloudflare, Inc. | DNS + WAF + DDoS (EU edge POPs) | Cloudflare DPA |
| Functional Software, Inc. (Sentry) | Crash + error reporting | Sentry DPA |
| Universal Bank (Monobank) | Direct account access (Ukraine only) | Direct relationship between you and the bank |
| fawazahmed0/exchange-api | FX rates (public data, no personal data shared) | CC0 licence — no personal data flows |
We'll update this list whenever we add or swap a sub-processor. Material changes trigger an in-app notice.
8. Children
EveryPenny is not directed at anyone under 16. We do not knowingly collect data from minors. If you believe a minor has signed up, contact us and we'll delete the account.
9. Changes to this policy
Significant changes are announced in-app before they take effect, and you'll be asked to re-consent. The change history is available on request.
10. Contact
For any privacy-related question or request: hello@everypennyapp.com
Appendix A — What Sentry actually receives
Sentry is initialised with sendDefaultPii: false and a scrubber that removes every key whose name matches email, phone, password, token, secret, iban, pan, dateOfBirth, address, firstName, lastName, fullName, and many other finance-adjacent terms, recursively, before any event leaves the process.
What Sentry sees:
- Sanitised stack traces
- HTTP route names (e.g. `POST /auth/apple`) — never path params with ids
- Error class + message (with PII regex-scrubbed)
- Opaque userId (UUID) — never the Apple user id or email
What Sentry never sees:
- Any bank account number, balance, or transaction amount
- Any real or relay email address
- Any authentication token in any form
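A recursive key-name scrubber of the kind Appendix A describes, shaped as a Sentry `beforeSend` hook, added here as an illustration rather than EveryPenny's own scrubber. The key list extends the terms named above with a few constructed finance-adjacent ones, the regexes and the sample event are constructed, and the depth limit is an assumption.

```javascript
// Added illustration (not EveryPenny's code): recursive key-name scrubber as a Sentry
// beforeSend hook. Key list = Appendix A terms plus constructed additions (balance, amount, ...).
const SENSITIVE_KEYS = [
  'email', 'phone', 'password', 'token', 'secret', 'iban', 'pan', 'dateofbirth',
  'address', 'firstname', 'lastname', 'fullname', 'authorization', 'cookie', 'balance', 'amount',
];
const EMAIL_RE = /[\w.+-]+@[\w-]+\.[\w.-]+/g;          // constructed: email addresses in free text
const BEARER_RE = /Bearer\s+[A-Za-z0-9._~+/=-]+/g;     // constructed: bearer tokens in free text
const REDACTED = '[Filtered]';

// Case-insensitive match on the key name. Prefix/suffix rather than substring, so
// `userEmail` and `X-Token` are caught but `company` is not flagged for containing `pan`.
function isSensitiveKey(key) {
  const k = key.toLowerCase();
  return SENSITIVE_KEYS.some((s) => k === s || k.startsWith(s) || k.endsWith(s));
}

// Walk objects and arrays recursively, returning a new copy: flagged keys are replaced
// whole, strings are regex-scrubbed, and very deep payloads are cut off (assumed limit).
function scrub(value, depth = 0) {
  if (depth > 20) return REDACTED;
  if (typeof value === 'string') return value.replace(EMAIL_RE, REDACTED).replace(BEARER_RE, REDACTED);
  if (Array.isArray(value)) return value.map((v) => scrub(v, depth + 1));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = isSensitiveKey(k) ? REDACTED : scrub(v, depth + 1);
    }
    return out;
  }
  return value;
}

// Sentry calls beforeSend(event, hint) for every event; whatever it returns is what leaves
// the process. Wire it up with Sentry.init({ sendDefaultPii: false, beforeSend }).
function beforeSend(event) {
  return scrub(event);
}

// Constructed sample event, not a real capture.
const SAMPLE_EVENT = {
  message: 'Monobank sync failed for alice@example.com',
  request: { url: '/auth/apple', headers: { 'X-Token': 'uAbC123', Authorization: 'Bearer eyJhbGci.fake' } },
  user: { id: '2f1c-opaque-uuid', email: 'alice@example.com' },
  extra: { accounts: [{ iban: 'UA21-constructed', balance: 1200 }] },
};
```

Key-name scrubbing alone misses PII embedded in message strings, which is why the string branch applies the regexes as well; the scrubber returns a copy so the in-process event is never mutated.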