Privacy policy for Penso

Privacy policy for
Penso

This Privacy Policy applies to the Penso application (referred to as "Application") provided by Autonomee Michal Platek (referred to as "Service Provider"). This policy governs the collection, use, maintenance, and disclosure of information collected from users (each, a "User") of the Application.

I. Data Controller and Core Service

The Service Provider acts as the Data Controller for the personal data you provide. Penso is a budgeting application designed for couples, allowing Users to link their bank accounts to monitor transactions, manage shared finances, and reconcile expenses. By nature, this service involves processing sensitive financial data.

II. Information We Collect

We collect two main types of information:

A. User-Provided Information (Personally Identifiable Information - PII)

A. User-Provided Information (Personally Identifiable Information - PII)

A. User-Provided Information (Personally Identifiable Information - PII)

A.) User-Provided Information (Personally Identifiable Information - PII)

This is information you voluntarily provide during account setup and use of the Application:

  1. Identity and Contact Data:

    1. Name

    2. Email address

    3. Device ID (for unique identification)

  2. Sensitive Financial Data:

    1. Bank Account Number (IBAN/Account ID): Used to establish the connection with your financial institution.

    2. Transaction Data: This includes the full list of your transactions, including the Payee/Merchant Name, Transaction Amount, Transaction Date, and related metadata.

  3. Shared Financial Data: In the context of the Application, when you link your account with a partner, certain transaction data (particularly from joint accounts or transactions you choose to share) becomes accessible to your designated partner within the Application.

B. Automatically Collected Information

B. Automatically Collected Information

B. Automatically Collected Information

B. Automatically Collected Information

When you use the Application, we automatically collect certain non-financial data for operational and performance purposes:

  • Your device's Internet Protocol (IP) address.

  • The pages of the Application that you visit, the time and date of your visit, and the time spent on those pages.

  • The operating system you use on your mobile device.

Note on Location Data: The Application does not gather any precise or approximate information about the location of your mobile device.

III. How We Use Your Information

The Service Provider uses the collected data primarily to provide and improve the Penso service:

  • Service Provision: To link your bank accounts, fetch and display transaction data, facilitate budgeting, and enable transaction reconciliation between partners.

  • Security and Authentication: To verify your identity, maintain account security, and protect against fraudulent activity.

  • Communication: To contact you with required notices, important information about the service, and responses to support inquiries.

  • Analytics and Improvements: To analyze aggregated user behavior, monitor service performance, and fix errors.

IV. Data Sharing, Third-Party Processors, and Storage

We do not sell your Personal Data. We share your information only with trusted third-party service providers (processors) necessary to operate the service, as described below:

  • GoCardless (Account Information Service Provider—AISP): We access Bank Account Numbers, Transactions Data

  • Supabase (Backend, Database and Hosting Service): We access all User-Provided Information and Automatically Collected Data, such as Device ID

Security and Storage:

  1. GoCardless: GoCardless is a regulated entity and operates under strict security protocols to establish the connection between the Application and your bank. We rely on their systems to handle the secure fetching and transmission of your financial data.

  2. Supabase Database Security: All collected data is stored securely using Supabase. The database is protected by robust security measures, including user-defined Row-Level Security (RLS) policies. This RLS policy ensures that:

    • Financial transactions from a private account can only be viewed by the individual User who owns the account.

    • Financial transactions from joint accounts or marked as shared can only be viewed by the User and their designated partner.

    • Your access to the database is secured via email and password authentication, backed by industry-standard encryption protocols.

  3. Client-Side Tools: We use FlutterFlow for development, but this tool operates client-side and does not access, process, or store User data on its own servers.

V. Your Rights Regarding Your Personal Data (GDPR & CCPA)

As a User, you have specific rights regarding your data, which you can exercise by contacting us at the address provided in Section IX.

  • Right of Access (The Right to Know): You have the right to request confirmation of the personal data we hold about you and to receive a copy of that data.

  • Right to Rectification: You have the right to have inaccurate or incomplete personal data corrected or updated.

  • Right to Erasure (The Right to Be Forgotten): You have the right to request the deletion of your personal data when there is no compelling reason for its continued processing.

  • Right to Restrict Processing: You have the right to request that we cease or limit the way we process your personal data under certain conditions.

  • Right to Object to Processing: You have the right to object to the processing of your data for specific purposes, including marketing.

Security and Storage:

  1. GoCardless: GoCardless is a regulated entity and operates under strict security protocols to establish the connection between the Application and your bank. We rely on their systems to handle the secure fetching and transmission of your financial data.

  2. Supabase Database Security: All collected data is stored securely using Supabase. The database is protected by robust security measures, including user-defined Row-Level Security (RLS) policies. This RLS policy ensures that:

    • Financial transactions from a private account can only be viewed by the individual User who owns the account.

    • Financial transactions from joint accounts or marked as shared can only be viewed by the User and their designated partner.

    • Your access to the database is secured via email and password authentication, backed by industry-standard encryption protocols.

  3. Client-Side Tools: We use FlutterFlow for development, but this tool operates client-side and does not access, process, or store User data on its own servers.

VI. Opt-Out, Marketing, and Consent

Marketing Promotions: We may use the information you provided to offer you new features or special offers (such as early access discounts).

We will only send you such marketing promotions if you have given explicit, affirmative consent (e.g., via a separate checkbox at registration or during account settings). You can stop receiving marketing communications at any time by contacting us or using an 'unsubscribe' link where available.

Stopping Data Collection: You can stop all collection of information by the Application easily by uninstalling it. You may use the standard uninstall processes as available via your mobile device or application marketplace.

VII. Data Retention Policy

The Service Provider will retain User Provided data (including financial data) for as long as you use the Application and for a reasonable time thereafter necessary for legal or operational purposes.

If you would like us to delete all User Provided Data that you have provided via the Application, please contact us at michal.platek@autonomee.pl, and we will respond to your request within a reasonable timeframe.

VIII. Children’s Privacy

The Application is not intended for use by individuals under the age of sixteen (16). We do not knowingly solicit data from or market to children under 16.

If you are under 16 years of age, you MUST obtain the consent of your parent or legal guardian to use the Application and provide personal information. If you have reason to believe that a child under 16 has provided us with personal information, please contact us immediately so we can delete that information and disable the account.

IX. Security and Changes

Security: We are concerned about safeguarding the confidentiality of your information. We provide and enforce robust physical, electronic, and procedural safeguards to protect the information we process and maintain. While no security system is impenetrable, we strive to use commercially acceptable means to protect your data.

Changes to this Privacy Policy: This Privacy Policy may be updated from time to time. We will notify you of any material changes to the policy by email at least fourteen (14) days before the new policy takes effect. This allows you time to review the changes. You are advised to consult this Privacy Policy regularly for any non-material changes, as continued use is deemed approval of all such changes.

This Privacy Policy is effective as of 2025-10-29.

Contact Us: If you have any questions regarding privacy while using the Application, or have questions about our practices, please contact the Service Provider via email at michal.platek@autonomee.pl.

Privacy Policy

© 2025 Penso. All rights reserved.

Privacy Policy

© 2025 Penso. All rights reserved.