Privacy Policy

Last updated: 10 June 2026 · Version 1.1

This Privacy Policy explains what personal data Monairo collects, why we collect it, the legal bases we rely on, who we share it with, and the rights you have. It covers both the EU/UK General Data Protection Regulation (GDPR) and US federal and state privacy laws (including the FTC Act, GLBA safeguarding principles, and the California CCPA/CPRA and similar state laws). Monairo handles financial data, so we apply the principles of data minimisation and purpose limitation throughout. Region-specific rights are in §11 (EU/UK) and §12 (US).

The short version: We collect only what we need to run the app. Your bank access tokens are encrypted on our server and are never readable by the app or by us in plain form. We never sell your data or use your transactions for advertising. You can export or delete your account at any time from inside the app.

1. Who we are (data controller)

Monairo (“we”, “us”, “our”) is the data controller responsible for your personal data when you use the Monairo mobile app and the monairo.app website.

If we are required to appoint a Data Protection Officer (DPO) or an EU/UK representative under Articles 27/37 GDPR, their contact details will be listed here.

2. What data we collect

CategoryExamples
Account & identityUser ID, email address (only if you link an account via magic link), display name, authentication state.
Financial / transaction dataAmounts (in integer minor units), currency, merchant, category, notes, account names, budgets, goals, and reconciliation status.
Bank connection dataThe institution name and an encrypted bank access token used to sync transactions (held server-side only — see §8).
Voice & receipt inputSpoken expense phrases are transcribed on your device. If you enable the cloud parser, the short text utterance (not audio) is sent to our parsing service. Receipt photos are processed into line items.
Device notification data (Android, optional)If you enable auto-capture, bank/wallet payment alerts are read on-device and only the parsed amount and merchant become a transaction. The notification content is never sent off your device.
Apple Pay / FinanceKit (iOS, optional)With your permission, transaction summaries from Apple Card, Cash and Savings are imported into your ledger.
Purchase dataSubscription plan, product ID, and validation status from the App Store / Google Play. We never receive your card number.
Technical & diagnosticApp version, device type, and error logs needed to operate and debug the service.

3. Why we use it & our legal bases

PurposeLegal basis (Art. 6 GDPR)
Provide the core ledger, budgeting, sync and sharing features you ask forPerformance of a contract (Art. 6(1)(b))
Connect your bank and reconcile transactionsPerformance of a contract (Art. 6(1)(b)); your explicit action to connect
Read device notifications / Apple Pay for auto-captureConsent (Art. 6(1)(a)) — you opt in and can switch it off anytime
Parse voice/receipt text with our AI service (if enabled)Performance of a contract (Art. 6(1)(b)); on-device parsing needs no transfer
Validate purchases and manage subscriptionsPerformance of a contract (Art. 6(1)(b)); legal obligation for tax/records (Art. 6(1)(c))
Keep the service secure, prevent abuse and rate-limitLegitimate interests (Art. 6(1)(f)) — running a safe service
Send essential service emails (e.g. magic-link sign-in)Performance of a contract (Art. 6(1)(b))
Optional product/marketing emailsConsent (Art. 6(1)(a)) — opt-in, with one-tap unsubscribe

We do not use your financial transactions for advertising, and we do not sell your data.

4. Where the data comes from

Most data you provide directly by using the app (entering or speaking transactions, setting budgets, linking an account). We also receive data indirectly from:

5. Who we share it with

We share personal data only with processors that help us run Monairo, under data processing agreements, and only as needed:

We may also disclose data where required by law, or to protect our rights, users, or the security of the service.

6. International transfers

Some processors may process data outside the European Economic Area (EEA) or the UK. Where they do, we rely on appropriate safeguards under Articles 44–49 GDPR — typically the European Commission’s Standard Contractual Clauses (and the UK Addendum), or an adequacy decision. You can request a copy of the relevant safeguards using the contact details in §17.

7. How long we keep it

8. How we protect it

9. Automated processing & AI

Monairo uses automated processing to categorise transactions, detect recurring payments, generate spending insights, and warn you before a purchase exceeds a budget. This helps you understand your spending; it does not produce legal or similarly significant decisions about you within the meaning of Article 22 GDPR, and you can always edit or override any suggestion. If you enable the cloud parser, a short text version of your voice/receipt input is processed by an AI provider solely to extract the amount, merchant and category.

11. Your EU/UK (GDPR) rights

If you are in the EU, EEA or UK, you have the right to:

To exercise any right, email jetlumajeti@gmail.com. We respond within one month (GDPR Art. 12). You also have the right to lodge a complaint with your local supervisory authority (in the EU, your national Data Protection Authority; in the UK, the Information Commissioner’s Office, ico.org.uk).

12. Your US rights (CCPA/CPRA & state laws)

We act as a “business” under the California Consumer Privacy Act as amended by the CPRA, and we extend equivalent choices to residents of other US states with comprehensive privacy laws (e.g. Virginia, Colorado, Connecticut, Texas). Because we process transaction and account data, US law classifies it as Sensitive Personal Information (SPI) and, in CCPA terms, Category D – Commercial Information / financial data.

Notice at Collection

At or before sign-up we collect the categories listed in §2 (identifiers, financial/commercial information, and limited technical data) to provide and secure the expense-tracking service. We do not collect this data for advertising.

We do not “sell” or “share” your data

We do not sell your personal information, and we do not share it for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA. Because of this, no money changes hands for your data and there is nothing to opt out of for advertising — but you can still exercise the controls below.

Right to limit the use of Sensitive Personal Information

You may direct us to use your financial information only for the core purpose of tracking your expenses and running the service. We already operate this way by default: we never use your financial transactions to train advertising models or to target ads. The optional on-device/cloud AI parser is used solely to read an amount and merchant from text you submit, and only when you enable it.

Global Privacy Control (GPC)

Our website honors the Global Privacy Control browser signal as a valid opt-out of any data “sharing/selling.” Since we do not sell or share data, a GPC signal simply confirms our existing posture.

GLBA & FTC safeguarding

Although Monairo is an informational expense tracker and not a bank or lender, when you connect a bank account through our open-banking providers we treat the resulting nonpublic personal financial information consistently with the safeguarding principles behind the Gramm-Leach-Bliley Act (GLBA) and the FTC Act §5: we secure it (see §8), and our statements here about encryption and non-sale are accurate and not deceptive.

Your CCPA/CPRA rights

To exercise any of these, email jetlumajeti@gmail.com or use the in-app “Delete account” and “Export CSV” controls. We respond within 45 days (extendable once where permitted). You may use an authorized agent where state law allows.

13. EU vs US at a glance

TopicEU / UK (GDPR)US (CCPA/CPRA & state)
Data categorisationSpecific personal-data types, purpose-limited and minimised (§2–§3).Statutory buckets — incl. CCPA Category D (Commercial/Financial Information), treated as SPI.
“Selling” / “Sharing”No “sale” concept; we disclose sub-processors / third-party controllers (§5).We do not sell or share for ads; GPC honored. No “Do Not Sell” needed because we don’t sell.
User-rights response timeAccess, erasure, portability — within 30 days.Know, delete, correct, limit — within 45 days.
ChildrenConsent age 13–16 depending on member state.COPPA: no users under 13 without verified parental consent.

14. Cookies, SDKs & tracking

The monairo.app website uses only cookies strictly necessary to serve the pages. The Monairo app contains no advertising or behavioral tracking SDKs — no ad identifiers, no third-party analytics trackers fire on launch. Because of this, the app does not show an Apple App Tracking Transparency (ATT) prompt, and there are no non-essential SDKs to consent to under the ePrivacy Directive. Features that send any data off-device (cloud AI parser, bank sync, Android notification capture, Apple Pay/FinanceKit import) are opt-in and off by default; the core tracker works fully without them. If we ever add analytics, we will gate it behind an explicit, granular consent banner (no pre-ticked boxes) before any such SDK initialises.

15. Children (COPPA / GDPR age limits)

Monairo is not directed at children. In the US, we do not knowingly collect personal information from children under 13 (COPPA); in the EU/UK, the applicable digital-consent age (13–16) varies by member state. If you believe a child has provided us data, contact us and we will delete it.

16. Changes to this policy

We keep this policy under review and post any updates here with a new “last updated” date. For material changes we will notify you in the app or by email.

17. How to contact us

Questions, requests, or complaints about privacy:

This document is a template tailored to Monairo’s data flows. Before publishing, fill the bracketed placeholders and have it reviewed by a qualified data-protection adviser for your jurisdiction. It does not constitute legal advice.