Privacy Policy
Effective Date: November 9, 2025
1. Introduction
Pennywise ("we," "our," or "us") is committed to protecting your privacy and ensuring transparency in how we handle your personal and financial information. This Privacy Policy describes how we collect, use, store, share, and protect your data when you use our mobile application ("App") and related services ("Services").
By using Pennywise, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use our Services.
2. Information We Collect
We collect information that you provide directly to us and information automatically collected when you use our Services:
A. Personal Information
- Account Information: Name, email address, and secure password when you create an account
- Authentication Data: Sign in with Apple credentials (name and email) when you choose this authentication method
- Profile Information: Gender, location, currency preferences, and financial goals you enter during onboarding
B. Financial Information
- Transaction Records: Income, expenses, savings, and investment transactions you manually enter
- Budget Data: Monthly income, spending limits, savings goals, and investment targets
- Financial Goals: 12-month goals, target amounts, and progress tracking
- Financial Plans: AI-generated personalized financial plans based on your inputs
C. Payment Information
- Subscription Details: Payment card information processed securely through Stripe (our PCI-DSS compliant payment processor)
- Transaction History: Subscription status, payment dates, and billing information
D. Usage and Device Information
- App Usage Data: Features accessed, time spent, screen views, and interaction patterns
- Device Information: Device type, operating system version, unique device identifiers, and mobile network information
- Notification Data: Push notification preferences and delivery status via OneSignal
E. Analytics and Performance Data
- Technical Data: Crash reports, error logs, performance metrics, and debugging information
- User Behavior: Onboarding completion status, feature adoption, and usage patterns
3. How We Use Your Information
We process your information for the following purposes based on our legitimate business interests, contract performance, and your consent:
A. Service Delivery
- Provide, maintain, and improve our financial tracking and planning services
- Create and manage your user account and profile
- Generate personalized AI-powered financial plans and insights
- Calculate and display your financial progress and goals
- Synchronize your data across your devices
B. Payment Processing
- Process subscription payments and manage billing
- Prevent fraud and unauthorized transactions
- Issue invoices and maintain payment records
C. Communications
- Send transactional notifications (account changes, subscription updates)
- Deliver push notifications for reminders and financial insights
- Provide customer support and respond to your inquiries
- Send important updates about our Services and Privacy Policy changes
D. Analytics and Improvement
- Analyze usage patterns to improve user experience
- Monitor app performance and identify technical issues
- Develop new features based on user behavior insights
- Conduct internal research and data analysis
E. Legal and Security
- Detect, prevent, and address fraud and security threats
- Comply with legal obligations and regulatory requirements
- Enforce our Terms of Service and protect our legal rights
- Respond to lawful requests from public authorities
4. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process your personal data based on the following legal grounds:
- Contract Performance: Processing necessary to provide our Services under our Terms of Service
- Consent: Processing based on your explicit consent (e.g., push notifications, marketing communications)
- Legitimate Interests: Processing necessary for our legitimate business interests (e.g., improving Services, fraud prevention)
- Legal Obligations: Processing required to comply with applicable laws and regulations
5. Data Storage and Security
We implement industry-standard security measures to protect your personal and financial information:
A. Storage Infrastructure
- Cloud Database: Your data is securely stored using Supabase, a PostgreSQL-based cloud database platform with enterprise-grade security
- Data Centers: Data is stored in secure, SOC 2 Type II certified data centers
- Encryption: All data is encrypted both in transit (TLS 1.3) and at rest (AES-256)
B. Security Measures
- Access Controls: Role-based access control and multi-factor authentication for system access
- Authentication: Secure password hashing and Sign in with Apple integration
- Payment Security: PCI-DSS Level 1 compliant payment processing through Stripe
- Network Security: Firewalls, intrusion detection, and DDoS protection
- Regular Audits: Ongoing security assessments and vulnerability testing
C. Data Isolation
- User Segregation: Your financial data is logically separated from other users
- Access Logs: All data access is logged and monitored for suspicious activity
While we implement robust security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but continuously work to protect your information.
6. Data Sharing and Disclosure
We do not sell, rent, or trade your personal information. We may share your information only in the following limited circumstances:
A. Service Providers
We share data with trusted third-party service providers who assist us in operating our Services:
- Supabase (Database Hosting): Stores your account and financial data
- Stripe (Payment Processing): Processes subscription payments securely
- OneSignal (Push Notifications): Delivers app notifications and reminders
- Sentry (Error Tracking): Monitors app crashes, errors, and performance issues
- Apple (Authentication): Processes Sign in with Apple authentication
These service providers are contractually obligated to protect your data and use it only for specified purposes.
B. Legal Requirements
We may disclose your information when required by law or in response to:
- Valid legal processes (subpoenas, court orders)
- Government or regulatory requests
- Investigations of fraud or security threats
- Protection of our rights, property, or safety
C. Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the successor entity. We will notify you of any such change and provide choices regarding your data.
D. With Your Consent
We may share information when you explicitly authorize us to do so.
7. Your Privacy Rights
Depending on your location, you have the following rights regarding your personal information:
A. General Rights (All Users)
- Access: Request a copy of the personal information we hold about you
- Correction: Update or correct inaccurate information through your account settings
- Deletion: Request deletion of your account and associated data
- Export: Download your financial data in a machine-readable format
- Opt-Out: Unsubscribe from promotional communications at any time
B. GDPR Rights (EEA, UK, Switzerland)
If you are in the European Economic Area, United Kingdom, or Switzerland, you have additional rights:
- Right to Restriction: Request limitation of data processing
- Right to Object: Object to processing based on legitimate interests
- Right to Portability: Receive your data in a structured, commonly used format
- Right to Withdraw Consent: Withdraw previously given consent at any time
- Right to Lodge a Complaint: File a complaint with your local data protection authority
C. CCPA/CPRA Rights (California Residents)
California residents have the right to:
- Know what personal information we collect, use, and share
- Request deletion of your personal information
- Opt-out of the "sale" or "sharing" of personal information (Note: We do not sell personal information)
- Non-discrimination for exercising your privacy rights
- Limit use of sensitive personal information
D. Exercising Your Rights
To exercise any of these rights, please contact us at info@pennywise-app.com. We will respond to your request within 30 days (or as required by applicable law). You may need to verify your identity before we process your request.
8. Data Retention
We retain your personal information for as long as necessary to provide our Services and fulfill the purposes described in this Privacy Policy:
- Active Accounts: Data is retained while your account is active
- Account Deletion: When you delete your account, we will delete or anonymize your personal information within 30 days, except where retention is required for:
- Legal compliance and regulatory obligations
- Dispute resolution and fraud prevention
- Backup systems (automatically purged within 90 days)
- Financial Records: Payment transaction records may be retained longer as required by tax and financial regulations (typically 7 years)
- Analytics Data: Aggregated and anonymized data may be retained indefinitely for statistical purposes
9. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence, including the United States, where our service providers' servers are located.
These countries may have different data protection laws than your country. However, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with all service providers
- Compliance with Privacy Shield principles where applicable
- Encryption and security measures during transit and storage
For EEA users, data transfers comply with GDPR requirements through approved transfer mechanisms.
10. Children's Privacy
Our Services are not intended for individuals under the age of 18. We do not knowingly collect, use, or disclose personal information from children under 18 years of age.
If we become aware that we have collected personal information from a child under 18 without parental consent, we will take steps to delete that information as soon as possible.
If you believe we have collected information from a child under 18, please contact us immediately at info@pennywise-app.com.
11. Cookies and Tracking Technologies
We use minimal tracking technologies in our mobile app:
- Essential Cookies: Required for authentication, security, and core app functionality
- Analytics: Device identifiers and session data to understand app usage and improve performance
- Push Notification Tokens: Device tokens to deliver notifications via OneSignal
We do not use third-party advertising cookies or trackers. You can manage notification preferences in your device settings and within the app.
12. Do Not Sell My Personal Information
We do not sell your personal information to third parties for monetary or other valuable consideration. We do not share your personal information with third parties for their direct marketing purposes.
If our practices change in the future, we will update this Privacy Policy and provide you with the ability to opt-out of such sales or sharing.
13. California Shine the Light
California Civil Code Section 1798.83 permits California residents to request information about disclosure of personal information to third parties for direct marketing purposes. As stated above, we do not share personal information with third parties for their direct marketing purposes.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Services. We will notify you of any material changes by:
- Posting the updated Privacy Policy in the app
- Updating the "Effective Date" at the top of this policy
- Sending an in-app notification or email for significant changes
- Requiring your consent for material changes where required by law
Your continued use of our Services after the effective date of the revised Privacy Policy constitutes your acceptance of the changes. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
15. Third-Party Services
Our Services integrate with third-party platforms (Stripe, Supabase, OneSignal, Sentry, Sign in with Apple). These third parties have their own privacy policies governing the collection and use of information you provide to them.
We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies:
16. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
Email: info@pennywise-app.com
Website: https://pennywise-app.com
Data Protection Officer (for GDPR inquiries):
Email: privacy@pennywise-app.com
We will respond to your inquiry within 30 days. For urgent privacy matters, please mark your communication as "URGENT PRIVACY REQUEST."
17. Supervisory Authority
If you are located in the European Economic Area, United Kingdom, or Switzerland and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection supervisory authority.
For a list of EU data protection authorities, visit: https://edpb.europa.eu/about-edpb/about-edpb/members_en