Data Policy

1. Data Collection

1.1 What Data We Collect

We collect the following types of data:

Personal Information

• Identity Data: Name, phone number, email address
• Account Data: Username, password (encrypted), account preferences
• Profile Data: Account type, profile picture, notification settings

Financial Data

• Transaction Data: Expense amounts, descriptions, dates, merchants
• Category Data: Expense categories, custom tags, classifications
• Tracker Data: Tracker names, types, budget limits, currencies
• Summary Data: Total expenses, monthly summaries, spending patterns

Technical Data

• Usage Data: Features used, API calls, token consumption
• Device Data: IP address, device type, browser information
• Log Data: Access timestamps, error logs, performance metrics
• Communication Data: WhatsApp messages, support tickets, email correspondence

1.2 How We Collect Data

• Direct Input: Information you provide through forms, messages, or uploads
• Automated Collection: Technical data collected through cookies and analytics
• Third-party Services: Data from WhatsApp, payment processors, authentication services

2. Data Processing

2.1 Processing Activities

AI-Powered Analysis

We process your expense data using artificial intelligence to:

• Automatically categorize expenses
• Extract information from natural language descriptions
• Identify spending patterns and trends
• Generate personalized insights and recommendations
• Predict future expenses based on historical data

Aggregation and Analytics

• Calculate daily, weekly, and monthly summaries
• Generate reports and visualizations
• Track budget adherence and goals
• Compare spending across categories and time periods

Communication Processing

• Parse WhatsApp messages for expense information
• Send transaction confirmations and alerts
• Deliver reports and insights
• Provide customer support responses

2.2 Legal Basis for Processing

We process your data based on:

• Contract Performance: To provide services you've signed up for
• Legitimate Interest: To improve services and prevent fraud
• Legal Obligation: To comply with laws and regulations
• Consent: Where you've explicitly agreed to processing

3. Data Storage

3.1 Storage Infrastructure

Your data is stored using:

• Cloud Providers: AWS, Google Cloud Platform (tier-1 data centers)
• Database Systems: MongoDB Atlas with automated backups
• Geographic Distribution: Data stored in [Primary Region] with backups in [Secondary Region]
• Redundancy: Multiple copies maintained for reliability

3.2 Storage Security

• Encryption at Rest: AES-256 encryption for all stored data
• Access Controls: Role-based permissions, least privilege principle
• Network Security: Firewalls, VPCs, private subnets
• Monitoring: 24/7 security monitoring and alerts

3.3 Data Retention

Data Type	Retention Period
Active Account Data	Duration of account + 30 days
Transaction Records	7 years (regulatory requirement)
Support Tickets	3 years after resolution
Analytics Data	26 months (anonymized)
Deleted Account Data	30 days (backup retention)

4. Data Security

4.1 Technical Safeguards

Encryption

• Data at Rest: AES-256 encryption for databases and file storage
• Data in Transit: TLS 1.3 for all network communications
• Password Storage: Bcrypt hashing with salt (never plain text)
• API Keys: Encrypted and rotated regularly

Access Management

• Multi-Factor Authentication: Required for employee access
• Role-Based Access: Minimal necessary permissions
• Access Logging: All data access is logged and monitored
• Regular Audits: Quarterly access reviews

Network Security

• Firewalls: Multi-layer firewall protection
• DDoS Protection: CloudFlare and AWS Shield
• Intrusion Detection: Real-time threat monitoring
• Vulnerability Scanning: Regular security assessments

4.2 Organizational Safeguards

• Security Training: Regular employee security awareness programs
• Background Checks: All employees undergo security screening
• Incident Response: Documented breach response procedures
• Third-party Audits: Annual security audits by independent firms

4.3 Compliance Certifications

• SOC 2 Type II: Security, availability, and confidentiality
• GDPR Compliant: European data protection standards
• CCPA Compliant: California privacy requirements
• PCI DSS: Payment card industry standards

5. Data Sharing

5.1 Third-party Service Providers

We share data with trusted partners who help us operate:

Service	Provider	Data Shared
Cloud Hosting	AWS, Google Cloud	All application data (encrypted)
AI Processing	OpenAI	Expense descriptions (anonymized)
Messaging	Twilio, WhatsApp	Phone number, message content
Analytics	Google Analytics	Usage patterns (anonymized)
Payments	Stripe	Payment information

5.2 Data Processing Agreements

All third-party processors are bound by:

• Contractual data protection obligations
• GDPR-compliant data processing agreements
• Security and confidentiality requirements
• Limited data use restrictions

5.3 No Data Selling

We do NOT sell, rent, or trade your personal or financial data to third parties for marketing purposes.

6. Your Data Rights

6.1 Access and Portability

• View Your Data: Access all personal and financial data through your account
• Export Data: Download data in CSV, Excel, or JSON formats
• Data Copy: Request a complete copy of all stored data

6.2 Correction and Deletion

• Update Information: Edit personal details and expense records anytime
• Correct Errors: Request correction of inaccurate data
• Delete Account: Permanently delete your account and associated data
• Selective Deletion: Remove specific transactions or trackers

6.3 Control and Consent

• Marketing Opt-out: Unsubscribe from promotional emails
• Data Processing: Object to certain data processing activities
• Consent Withdrawal: Revoke previously granted permissions
• Restrict Processing: Limit how we use your data

7. Data Breach Notification

7.1 Our Commitment

In the event of a data breach, we will:

• Notify affected users within 72 hours of discovery
• Report to relevant regulatory authorities as required
• Provide clear information about the breach and impact
• Offer guidance on protective measures
• Investigate root cause and implement preventive measures

7.2 Notification Methods

• Email to registered address
• In-app notification
• Website banner
• Phone call for high-risk situations

8. International Data Transfers

Your data may be transferred to and processed in countries outside your residence. We ensure protection through:

• Standard Contractual Clauses: EU-approved data transfer agreements
• Adequacy Decisions: Transfers to countries with adequate protection
• Privacy Shield: Compliance with applicable frameworks
• Encryption: Data encrypted during international transfers

9. Children's Data

Spentiva is not intended for users under 18. We do not knowingly collect data from children. If we discover we have collected a child's data, we will delete it immediately. Parents who believe their child has provided us with information should contact us at privacy@spentiva.com.

10. Policy Updates

We may update this Data Policy to reflect:

• Changes in data processing practices
• New features or services
• Regulatory requirements
• Security improvements

Material changes will be communicated via:

• Email notification (30 days advance notice)
• In-app notification
• Website announcement

11. Contact Us

For questions about our data practices or to exercise your rights: