Privacy Policy
Effective: 29 May 2026 · Last updated: 29 May 2026
This Privacy Policy explains how Alar Finance (the “Service”) collects, uses, shares, and protects your personal data. It applies to our website alarfinance.com, the web application at app.alarfinance.com, the Telegram Mini App, and any related installable apps.
We try to keep this readable. Every section answers a real question you might have. If anything is unclear, write to [email protected].
1. Who is responsible
The data controller for the Service is Illia Vyshnevskyi, an individual operating from Kraków, Poland (the “Operator”, “we”, “us”).
Contact for all privacy matters: [email protected]. Postal address available on request via the same email.
We do not have a Data Protection Officer (DPO) — we are below the threshold that requires one — but the contact email above goes directly to the person responsible.
2. What data we collect
We collect only what we need to run the Service. Concretely:
2.1 Account data
- Email + password hash (for email accounts). Password is hashed with PBKDF2-SHA256, never stored in plain text.
- Telegram ID + display name (for Telegram Login / Mini App users).
- OAuth identifier (Google / Apple / Facebook ID) when you sign up via those providers.
- Display name you choose.
- Preferences: language, currency, timezone, notification toggles, theme.
- Email verification code (temporary, 15-minute lifetime).
2.2 Financial data you enter
- Transactions: amount, category, date, account. The optional free-text description is encrypted with AES-256-GCM at rest using a key only we control.
- Accounts (profiles): name, type, currency, balance.
- Budgets: per-category limits, period.
- Recurring bills: name, amount, day of month.
- Receipts: the structured items extracted from a scanned receipt (item name, quantity, unit price, total), plus merchant name and date. We do not retain the receipt photo or its raw OCR text — they are processed in memory and discarded after the structured items are saved.
- Crypto exchange API keys, if you connect a crypto account, encrypted with AES-256-GCM at rest. We use read-only key permissions where the exchange supports them.
2.3 Payment data (paid subscribers)
If you subscribe to Alar Finance Pro, payment is processed by Stripe. We never see, store, or have access to your card details. We only receive a Stripe customer ID, the subscription status, current period end, and trial end date. See the Stripe Privacy Policy.
2.4 Technical data
- Server access logs (IP address, user-agent, request timestamps) retained for ~30 days for security and abuse mitigation. Provided by Cloudflare.
- Device-bound identifiers stored locally on your device (see our Cookie / Local Storage Policy).
2.5 Voice input and receipt scanning
When you use voice input or scan a receipt, the audio recording or the receipt image is sent to Groq (US) for AI processing. We receive the parsed result and store only the structured fields described above. We do not retain the audio or photo on our side after processing.
2.6 What we do not collect
- No tracking pixels, no advertising IDs, no fingerprinting.
- No analytics like Google Analytics, Hotjar, Mixpanel, etc.
- No marketing cookies. No retargeting.
- No location data beyond what your IP coarsely reveals to Cloudflare for security.
3. How we use your data
- Provide the Service: store and display your transactions, accounts, budgets; sync between your devices.
- Authenticate you: verify your email, issue session tokens, gate access.
- Process payments: handed off to Stripe for subscription billing.
- Send transactional emails: email verification codes, payment reminders 24 h before charge, account-critical notifications. Sent via Brevo (EU).
- Send Telegram messages (Telegram users only): daily reminders, monthly reports, payment reminders. Sent via the Telegram Bot API.
- Security and abuse prevention: rate-limit logins, detect brute-force attacks, block known bad actors.
- Voice and receipt AI processing: only when you actively trigger the feature.
We do not use your transaction data to train AI models, sell it to third parties, or share it with brands. We do not profile you for advertising.
4. Legal basis (GDPR Art. 6)
| Purpose | Legal basis |
|---|---|
| Providing the Service to you | Performance of contract (Art. 6(1)(b)) |
| Processing payments for Pro | Performance of contract |
| Transactional emails / Telegram notifications you can disable | Performance of contract + legitimate interest (Art. 6(1)(f)) |
| Security, fraud prevention, log retention | Legitimate interest |
| Anonymised analytics, future cashback features | Consent (Art. 6(1)(a)) — opt-in only, can be withdrawn |
| Tax records (paid subscribers) | Legal obligation (Art. 6(1)(c)) |
5. Who we share data with
We share data only with the processors strictly needed to run the Service. Each one is bound by a Data Processing Agreement or equivalent.
| Processor | What for | Where |
|---|---|---|
| Cloudflare | Hosting, database (D1), storage (KV), CDN, DDoS protection | EU + global edge |
| Stripe | Subscription payments (Pro) | Ireland (EU) + US |
| Brevo (Sendinblue) | Transactional email delivery | EU (France) |
| Groq | Voice transcription and receipt OCR (only on user action) | US |
| Telegram | Bot messages, Mini App authentication (Telegram users) | Global |
| Google / Apple / Facebook | OAuth login (only if you choose that method) | US |
We do not sell personal data. We do not share data with advertisers. We do not give brands access to your purchase history.
If we are ever compelled by court order or law enforcement to disclose data, we will comply only to the extent legally required and, where permitted, we will notify you first.
6. International transfers
Some of our processors (Stripe's US arm, Groq, Google/Apple/Facebook OAuth) process data in the United States. These transfers rely on the EU Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework. Stripe and the major OAuth providers are certified under the framework.
We use a US AI provider (Groq) for voice and receipt features because there is currently no EU-based provider offering comparable latency and quality at our price point. Only the audio or image necessary for that single transaction is sent, and no transaction history is shared.
7. How long we keep your data
- While your account is active — we retain account, transaction, and profile data for as long as you use the Service.
- After you delete your account — all personal data is deleted from our active database immediately. Encrypted backups may retain a copy for up to 30 days before being overwritten.
- Tax / billing records — for paid subscribers, invoice metadata may be retained for up to 5 years as required by Polish tax law (Ustawa o rachunkowości).
- Receipt photos and audio recordings — never stored. Discarded immediately after AI processing.
- Server access logs — ~30 days.
- Pre-charge notification tracking — 60 days, so we don't send duplicate reminders.
8. Security
- Transport: all traffic is over HTTPS (TLS 1.3). HSTS is enforced.
- Passwords: hashed with PBKDF2-SHA256 (100 000 iterations, 128-bit salt). We never see your password.
- Sensitive fields at rest: transaction descriptions, crypto-exchange API keys, and crypto API secrets are encrypted with AES-256-GCM using a key held only in our server environment.
- Sessions: 30-day, single-use tokens stored in your local storage (and a cookie on iOS for PWA continuity).
- Email verification: required before account access, so there are no anonymous secondary ("twink") accounts.
- Rate limiting on login, registration, and code resend.
- Webhook signature verification for Stripe and Telegram.
No system is perfectly secure. If you suspect your account has been compromised, change your password immediately and contact [email protected]. We will respond within 72 hours and notify the supervisory authority if a notifiable breach occurs (GDPR Art. 33).
9. Your rights under GDPR / RODO
You have the following rights regarding your personal data:
- Right of access (Art. 15) — see what we hold about you. Use the in-app Export feature for transactions, or write to support for the rest.
- Right to rectification (Art. 16) — fix incorrect data via the app, or write to us.
- Right to erasure (Art. 17) — “right to be forgotten”. Use Settings → Delete account in the app, or write to us. We delete within 7 days (backups within 30).
- Right to restriction (Art. 18) — ask us to stop processing certain data while we resolve a dispute.
- Right to data portability (Art. 20) — receive your data in CSV or Excel. The in-app export covers this.
- Right to object (Art. 21) — to processing based on legitimate interest.
- Right to withdraw consent — anytime, by toggling off the relevant feature in Settings or writing to us.
- Right to lodge a complaint — with the Polish supervisory authority (UODO — Urząd Ochrony Danych Osobowych, uodo.gov.pl) or your local DPA in the EU.
To exercise any right, write to [email protected]. We respond within one month (GDPR Art. 12(3)).
10. Children
The Service is not directed to children under 16. We do not knowingly collect data from anyone under 16. If you become aware that a minor has provided us personal data, please contact us and we will delete the account.
11. Changes to this policy
We may update this policy as the Service evolves. If we make material changes, we will:
- Update the Last updated date at the top.
- Notify active users via email or in-app banner before the change takes effect.
- Keep prior versions available on request.
12. Contact
Privacy questions, data requests, complaints, breach reports — all go to:
Postal address available on request via the same email.