Privacy Policy — WealthSense

1. Introduction

WealthSense B.V., registered in The Hague, Netherlands, is the data controller responsible for your personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use the WealthSense personal finance management platform ("Service").

This policy applies to all information collected through the Service, including data you provide directly, data generated through your use of the Service, and data collected automatically. We process your data in compliance with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Information We Collect

Account Information

When you create an account, we collect:

Email address
Password (stored in hashed form)
Google profile information (name, email, avatar) if you use Google OAuth

Financial Data

When you use the Service, you may provide:

Financial account details (names, types, balances, currencies)
Transaction records (descriptions, amounts, dates, categories)
Categories and budget configurations
Investment holdings and portfolio data
Recurring transaction rules
Financial goals and targets

Imported Data

If you use our import feature, we temporarily process CSV and Excel files containing financial data. These files are processed and then permanently deleted from our servers.

Billing Data

Payment information is collected and processed directly by Stripe, our payment processor. We receive limited billing information from Stripe (such as the last four digits of your card and billing status) but do not store full payment card details on our servers.

Automatically Collected Data

When you use the Service, we may automatically collect:

IP address
Browser type and version
Device information
Usage patterns (pages visited, features used)
Session recordings (with all input values masked to protect financial data)
Feature usage events (e.g., pages visited, actions taken — no financial data included)
Cookies and similar technologies (see Section 7)

3. How We Use Your Information

We use your information to:

Provide and maintain the Service, including account management, transaction tracking, budgeting, and financial analysis
Power AI-driven transaction categorization (using only transaction descriptions; see Section 5)
Process subscription payments and manage billing through Stripe
Send essential service communications (account verification, security alerts, billing notifications)
Analyse usage patterns to improve the Service
Detect and prevent fraud, abuse, and security threats
Comply with legal obligations

4. Legal Bases for Processing (GDPR Article 6)

We process your personal data based on the following legal grounds:

Contract performance (Art. 6(1)(b)) — processing necessary to provide the Service you have subscribed to, including account management, data storage, and feature functionality.
Legitimate interests (Art. 6(1)(f)) — processing for service improvement, security, fraud prevention, and analytics, where our interests do not override your data protection rights.
Consent (Art. 6(1)(a)) — processing for AI-powered features (consent given by accepting our Terms of Service) and non-essential analytics cookies.
Legal obligation (Art. 6(1)(c)) — processing required to comply with applicable laws, such as financial regulations and tax obligations.

5. AI-Powered Processing

Our Service uses AI to assist with transaction categorization. We are committed to transparency about how AI processes your data:

What is shared: Only transaction descriptions are sent to our third-party AI provider for categorization. No financial amounts, account numbers, personal details, or other sensitive data is shared.
No model training: Your data is never used to train AI models. Transaction descriptions are processed in real-time for categorization purposes only and are not retained by the AI provider.
Consent: Your consent for AI processing is obtained through acceptance of our Terms of Service. You may contact us to opt out of AI features.
Automated decision-making: AI categorization constitutes automated processing under GDPR Article 22. The categorizations are suggestions only and do not produce legal effects or similarly significant effects on you. You can review, modify, or reject all AI-generated categories.
Right to human review: You have the right to request human review of any AI-generated categorization or decision.

6. How We Share Your Information

We share your information only with the following categories of recipients:

Stripe — billing data for payment processing and subscription management
AI provider — transaction descriptions only, for automated categorization
Google — authentication data if you use Google OAuth sign-in
PostHog (EU) — anonymised usage analytics, session recordings (with masked inputs), and feature usage events. No financial data, transaction amounts, or account details are shared. All data is stored within the EU.

We never:

Sell your personal data to third parties
Share your data for third-party marketing purposes
Provide your Financial Data to advertisers
Use your data for purposes other than providing and improving the Service

7. Cookies & Tracking

Essential Cookies

These cookies are necessary for the Service to function and cannot be disabled:

Authentication and session cookies
CSRF protection tokens
Cookie consent preference

Analytics Cookies

With your consent, we use PostHog for analytics to understand how the Service is used. PostHog records anonymised session replays to help us identify usability issues — all form inputs (including financial data) are automatically masked in recordings. PostHog data is stored exclusively within the EU (PostHog EU Cloud). You can manage your cookie preferences at any time through the cookie settings available in the footer of every page.

8. Data Security

We implement appropriate technical and organisational measures to protect your data, including:

Encryption in transit using TLS/SSL
Encryption at rest for sensitive data
Access controls and authentication requirements
Regular security assessments

In the event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33 and inform affected users without undue delay as required by GDPR Article 34.

9. Data Retention

Active accounts: Your data is retained for as long as your account is active and you maintain a valid subscription.
Account deletion: Upon account deletion, your Financial Data is permanently removed. Certain data may be retained for a limited period to comply with legal obligations (such as billing records).
Billing records: Payment history and invoices are retained by Stripe in accordance with their data retention policies and applicable tax and accounting regulations.
AI processing: Transaction descriptions sent for AI categorization are not retained by the AI provider after processing.
Imported files: CSV and Excel files are permanently deleted after processing.
Analytics data: Session recordings and usage events are retained by PostHog in accordance with their data retention policies. No financial data is included in analytics.

10. International Data Transfers

Your data may be processed in countries outside the European Economic Area (EEA), particularly when using third-party services such as Stripe and our AI provider. When data is transferred outside the EEA, we ensure appropriate safeguards are in place, including:

EU Standard Contractual Clauses (SCCs)
EU adequacy decisions where applicable
Additional technical and organisational safeguards

11. Your Rights (GDPR)

Under the GDPR, you have the following rights regarding your personal data:

Right of access — obtain a copy of your personal data we hold
Right to rectification — correct inaccurate or incomplete data
Right to erasure — request deletion of your data ("right to be forgotten")
Right to restrict processing — limit how we use your data in certain circumstances
Right to data portability — receive your data in a structured, commonly used, machine-readable format
Right to object — object to processing based on legitimate interests
Right to withdraw consent — withdraw consent at any time where processing is based on consent
Right to lodge a complaint — file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl

To exercise any of these rights, please contact us at the email address provided in Section 15. We will respond to your request within 30 days.

12. Automated Decision-Making

Our AI-powered transaction categorization constitutes automated processing. This processing assigns categories to your transactions based on their descriptions. These categorizations are suggestions and do not produce legal effects or similarly significant effects on you.

You retain full control over your transaction categories and can modify or reject any AI-generated suggestion at any time. You also have the right to request human review of any automated categorization by contacting us.

13. Children's Privacy

The Service is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us and we will take steps to delete such information.

14. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you via email to the address associated with your account. The updated policy will include a revised effective date at the top of the document. Your continued use of the Service after changes take effect constitutes acceptance of the revised policy.

15. Contact

For any questions about this Privacy Policy or to exercise your data protection rights:

Data Controller: WealthSense B.V.
Email: [email protected]
Address: The Hague, Netherlands

You also have the right to lodge a complaint with the Dutch Data Protection Authority:

Autoriteit Persoonsgegevens — autoriteitpersoonsgegevens.nl