Privacy Policy

1. Controller and Contact

DolFin is operated by EMIGLOBAL S.R.L. ("DolFin", "we", "us", "our").

For privacy questions, data requests, support, or complaints, contact us at support@dolfinapp.org.

2. Data We Collect

2.1 Account and authentication data

• Email address, user ID, username or display name, preferred language, and authentication identifiers.
• Apple or Google sign-in identifiers if you choose those login methods.
• Session and security data needed to keep you signed in and protect your account.

2.2 App profile, education, and progress data

• Onboarding answers such as income range, money goal, experience level, spending style, and country/region settings.
• Lessons, quiz answers, XP, gems, streaks, habits, achievements, and app progress.
• Money Leak Audit actions, recurring-plan review status, and other in-app choices.

2.3 Financial and transaction data you choose to add

• Manual expenses, categories, budgets, recurring plans, merchant names, notes, and dates.
• Imported transaction rows that you review and choose to save.
• Financial overview inputs and Money Leak Check answers submitted on this website.

2.4 Bank statement uploads

• PDF statements are sent to a DolFin Supabase Edge Function for parsing.
• CSV files may be parsed in the app where possible.
• The raw statement file is used to extract transactions. DolFin does not intentionally save the raw PDF as a stored file.
• Parsed transaction rows are shown for review before they are saved to your tracker.
• Diagnostic logs may include parser metadata and raw or cleaned merchant text to improve parser reliability.

Bank statements can reveal highly personal information, including salary, rent, health-related payments, insurance, political or religious donations, union fees, gambling, debt, and other sensitive inferences. Upload only statements you are authorised to use.

2.5 Purchase and subscription data

• Subscription tier, product ID, entitlement status, renewal/restore events, and app-store or RevenueCat identifiers needed to validate purchases.
• Apple App Store or Google Play process payments. DolFin does not receive your full card details.

2.6 Website and email data

• Email addresses submitted through the early-access form.
• Money Leak Check answers submitted on the website, including income, fixed costs, spending estimates, savings bucket, investing status, goal, and worry.
• Messages you send to support.

2.7 Diagnostics, security, and local device data

• App version, parser outcome, file size, page count, text length, bank/parser name, error class, and security events.
• IP address, user agent, and request metadata where logged by our hosting, backend, or security infrastructure.
• Local app preferences, notification settings, cached app data, and copied statement files while they are being parsed.

2.8 Product analytics data

If you consent, the DolFin mobile app collects pseudonymous product-usage analytics to help us understand how features are used and improve the app.

• Events such as screens viewed, onboarding and lesson progress, imports started, and purchases viewed, together with your account identifier (a random user ID), app version, device type, and approximate region.
• We do not send your financial values, transaction details, statement contents, email, or name to our analytics provider.
• Analytics is off until you opt in, and you can turn it off at any time in the app under Profile → Share usage analytics.

3. Why We Use Data and Legal Bases

• Provide the service: account, lessons, progress, expense tracking, imports, and Money Leak Audits. Legal basis: contract.
• Personalise the app: adapt lessons, insights, and app state to your profile and activity. Legal basis: contract or legitimate interests.
• Process statement uploads: extract transactions you choose to review/import. Legal basis: contract and your affirmative upload action.
• Validate subscriptions: manage Pro access, restores, renewals, and purchase support. Legal basis: contract, legal obligation, and legitimate interests.
• Security and abuse prevention: protect accounts, rate-limit uploads, investigate misuse, and keep the service reliable. Legal basis: legitimate interests.
• Parser and reliability diagnostics: troubleshoot statement parsing and app reliability. Legal basis: legitimate interests, with limited retention.
• Product analytics: understand feature usage and improve the app using pseudonymous usage events. Legal basis: consent (you can withdraw it any time in the app).
• Notifications: local reminders and streak warnings if you enable them. Legal basis: consent/device permission.
• Website forms and early access: send your requested Money Leak Check, launch access, or support response. Legal basis: consent or pre-contractual request.
• Legal compliance: tax, accounting, disputes, consumer-law, and regulatory obligations. Legal basis: legal obligation and legitimate interests.

4. Bank Statement Processing

DolFin does not ask for your online banking password and does not connect directly to your bank account. If you choose to import a statement, you select the file yourself.

• PDF uploads are limited to 10 MB and are processed by a Supabase Edge Function.
• Parsed transactions may include dates, amounts, merchant names, descriptions, categories, confidence values, and import hashes.
• Preview rows are not saved to your tracker unless you choose to import them.
• Parser diagnostic logs may store raw and cleaned merchant text for up to 30 days.
• Parser attempt metadata may be stored for up to 90 days.
• Imported transactions you save remain in your account until you delete them or delete your account, subject to required legal/security retention.

5. Processors and Recipients

We use service providers only where needed to operate DolFin. Current or planned providers include:

• Supabase: authentication, database, storage-related infrastructure, and Edge Functions.
• RevenueCat: subscription entitlement and purchase status management.
• PostHog: pseudonymous product analytics, processed on PostHog's EU infrastructure, only where you have opted in.
• Apple App Store and Google Play: app distribution, sign-in where selected, purchases, refunds, and store account management.
• Formspree: website form submissions for early access and Money Leak Check emails.
• Website, email, and support providers: hosting, domain, email delivery, and support communications.

We do not share your personal data with data brokers and do not use it for third-party advertising. If we add crash reporting, email marketing, or AI/OCR providers that process personal data, we will update this policy and any required App Store privacy information.

6. International Transfers

Some processors may process data outside the European Economic Area. Where this happens, we rely on applicable transfer mechanisms such as adequacy decisions, EU Standard Contractual Clauses, and provider data-processing terms.

7. Retention

• Account, profile, progress, finance, and imported transaction data: retained while your account is active.
• Merchant parser logs from PDF parsing: intended retention up to 30 days, unless deleted earlier with account deletion.
• PDF parser attempt metadata: intended retention up to 90 days.
• Website early-access and Money Leak Check form submissions: retained as long as needed to send the requested result, manage launch access, or handle support, unless you ask us to delete them earlier.
• Purchase, tax, accounting, fraud-prevention, dispute, and security records: retained as required or reasonably necessary for those purposes.
• Store and processor records: retained under Apple, Google, RevenueCat, Formspree, and other provider policies.

8. Security

We use technical and organisational measures designed to protect personal data, including account access controls, encrypted transport, database access controls, rate limits, and limited retention for parser diagnostics. No app or cloud service can guarantee perfect security. You should keep your device and login credentials secure.

9. Your Rights

If you are in the EU or EEA, you may have the right to access, rectify, erase, restrict, port, or object to processing of your personal data, and to withdraw consent where processing is based on consent.

• You can delete your DolFin account in the app settings.
• You can request a copy of your data by contacting support.
• You can object to or ask us to restrict certain processing where the law allows.
• You can withdraw notification permission in your device settings.

Contact support@dolfinapp.org. We will respond as required by applicable law, usually within one month for GDPR requests.

You may lodge a complaint with your local data protection authority.

10. Automated Processing

DolFin categorises transactions, highlights possible recurring charges, estimates spending patterns, and may suggest review actions. These outputs are educational and review-oriented. DolFin does not make binding financial, credit, insurance, employment, legal, or similarly significant decisions about you.

11. Children

DolFin is intended for users aged 16 or older in the EU. Users under 16 must not create an account or submit website forms. If you believe a child under 16 has provided data to DolFin, contact support@dolfinapp.org.

12. Cookies, Analytics, and Tracking

The DolFin mobile app does not use browser cookies. With your consent, the app uses PostHog for pseudonymous product analytics, as described in section 2.8; this is off until you opt in and can be turned off any time under Profile → Share usage analytics. We do not use cross-app tracking and do not sell data. This website may use strictly necessary form and hosting functionality. If we enable non-essential website analytics or marketing cookies, we will provide the required cookie notice or consent controls before using them.

13. Changes

We may update this policy when DolFin changes or legal requirements change. Material changes will be communicated in the app, on this website, or by email where required.