Privacy Policy

Last updated May 3, 2026

My Spends is a personal finance app. This page explains exactly what we collect, how we use it, who sees it, and how to remove it.

What we collect

  • Account info from your sign-in. If you use Google, that's your email, name, and profile photo URL. If you use magic link, just the email you typed.
  • What you type into the app. Transaction amounts, currencies, categories, dates, and notes.
  • Your timezone. The browser tells us your IANA zone (e.g. Europe/Istanbul) so transactions land on the correct local calendar day.

We don't use cookies for tracking. We don't run any third-party analytics (no Google Analytics, no Mixpanel). We don't fingerprint your device.

What we don't collect

We don't store passwords (we don't use any). We don't ask for your social-security / national-insurance number, address, phone, or date of birth. We don't take card numbers — there's nothing to pay for.

How we use it

To run the app: sign you in, save your transactions, compute your balance, send you the monthly summary email if you opt in.

That's it. We don't profile you, target you, or sell your data.

Who sees your data

A small number of infrastructure providers process data on our behalf:

  • Vercel hosts the app code and runs server-side functions.
  • Neon hosts the Postgres database that stores transactions, categories, and account metadata.
  • Google handles the OAuth sign-in flow when you click "Continue with Google".
  • Resend delivers magic-link sign-in emails and the monthly summary email.
  • Frankfurter.app (European Central Bank data) for currency conversion rates. We send the currency codes we need; we don't send your data.
  • Anthropic if you use the natural-language quick-add (the typed text is sent to Claude for parsing). This is opt-in; we don't use it for anything else.

We don't sell or rent your data to anyone. We don't share it with advertisers. We don't share it with law enforcement unless legally compelled.

How long we keep it

As long as your account exists. When you delete your account (email support@spend.hindra.studio) we erase your row from the users table; transactions and categories cascade-delete. Backups roll forward and the data ages out within 30 days.

Your rights

Under GDPR (EU/UK) and similar laws elsewhere, you can ask us to:

  • Export everything we hold on you (we'll send a JSON dump).
  • Correct anything that's wrong.
  • Delete your account and all associated data.

One email is enough: support@spend.hindra.studio. We aim to respond within 7 days.

Security

Data is encrypted in transit (HTTPS everywhere) and at rest (Neon and Vercel both encrypt their storage). API secrets live in environment variables on Vercel, not in the code. Sessions use HTTP-only cookies signed with a per-deployment secret.

We're not a giant company with a security team — if you find an issue please email instead of disclosing publicly: support@spend.hindra.studio.

Changes

When we change anything material on this page we'll tell users in-app or by email before it takes effect.