Privacy Policy

Last updated: January 2025

1. Introduction and Overview

The protection of your personal data is of particular concern to us. We therefore process your data exclusively on the basis of legal provisions (GDPR, BDSG, TMG).

Data Controller:
Tom Silas Helmke
c/o Online-Impressum.de #4746
Europaring 90
53757 Sankt Augustin
Germany

Contact for Data Protection Inquiries:
Email: info@fixcosts.com

This privacy policy applies to all data processing on our website fixcosts.com and the associated web application.

3. Your Rights (Data Subject Rights)

You have the following rights regarding your personal data:

  • Right of Access (Art. 15 GDPR): You can request information about your personal data processed by us.
  • Right to Rectification (Art. 16 GDPR): You can request the correction of inaccurate data or completion of incomplete data stored by us.
  • Right to Erasure (Art. 17 GDPR): You can request the deletion of your data stored by us, unless processing is necessary for exercising the right to freedom of expression, for compliance with a legal obligation, or for reasons of public interest.
  • Right to Restriction (Art. 18 GDPR): You can request the restriction of processing of your personal data.
  • Right to Data Portability (Art. 20 GDPR): You can receive your data in a structured, commonly used, and machine-readable format or request transmission to another controller.
  • Right to Object (Art. 21 GDPR): You can object to the processing of your data if processing is based on legitimate interests.
  • Right to Withdraw Consent (Art. 7(3) GDPR): You can withdraw given consent at any time with effect for the future.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority. The responsible supervisory authority is:

    State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia
    Kavalleriestraße 2-4
    40213 Düsseldorf, Germany
    www.ldi.nrw.de

4. Data Transfer to Third Countries

Some of our service providers are based in the USA. The following safeguards apply for data transfers to the USA:

  • EU-US Data Privacy Framework: Many US service providers are certified under the EU-US Data Privacy Framework, which ensures an adequate level of data protection.
  • Standard Contractual Clauses: With service providers without DPF certification, we have concluded EU Standard Contractual Clauses (SCCs).

Details about individual service providers can be found in the respective sections of this privacy policy.

5. Data Security

We implement technical and organizational security measures to protect your data against manipulation, loss, and unauthorized access:

  • SSL/TLS encryption for all data transfers
  • Encrypted storage of sensitive data
  • Regular security updates
  • Access control and authorization management
  • Regular backups

Our security measures are continuously improved in line with technological developments.

6. Server Log Files

Each time you access our website, information is automatically stored in server log files:

  • IP address (anonymized after 14 days)
  • Browser type and version
  • Operating system used
  • Referrer URL (previously visited page)
  • Date and time of request
  • Hostname of the accessing device

Legal Basis: Art. 6(1)(f) GDPR (legitimate interest in ensuring operation and security)

Retention Period: 14 days, then anonymization or deletion

7. Cookies

Our website uses cookies. These are small text files stored on your device that save certain settings and data.

Necessary Cookies

These cookies are essential for the website to function:

Cookie                   | Purpose                    | Duration
sb-*-auth-token          | Authentication (Supabase)  | Session / 1 year
fixcosts_cookie_consent  | Store cookie preferences   | 1 year
NEXT_LOCALE              | Language setting           | 1 year
theme                    | Dark/Light mode setting    | 1 year

Analytics Cookies (optional)

With your consent, we use analytics cookies to understand and improve website usage. These cookies are only set after you consent in the cookie banner.

Change Cookie Settings

You can change your cookie settings at any time via the "Cookie Settings" link in the website footer or block cookies in your browser settings.

Legal Basis: Art. 6(1)(a) GDPR (consent) for optional cookies, Art. 6(1)(f) GDPR (legitimate interest) for technically necessary cookies

8. Registration and User Account

Registration is required to use our app. The following data is collected:

  • Email address (required)
  • Name (optional, if manually entered)
  • Profile picture (optional, with Google sign-in)

Data Stored in User Account

  • Your subscriptions and fixed costs
  • Notification settings
  • Preferences (language, currency, theme)

Purpose: Providing app functionality, storing your data, sending reminders (if enabled)

Legal Basis: Art. 6(1)(b) GDPR (contract performance)

Retention Period: Until deletion of your user account. After deletion, your data will be removed within 30 days unless legal retention requirements apply.

9. Payment Processing

For processing payments for paid subscriptions, we use the payment service provider Stripe.

Stripe, Inc.

354 Oyster Point Boulevard
South San Francisco, CA 94080, USA

Processed Data: Payment data is entered and processed directly at Stripe. We do not receive or store complete credit card data.

Stored by Us: Stripe Customer ID, subscription status, billing data (for tax retention)

Stripe Privacy Policy: stripe.com/privacy

Legal Basis: Art. 6(1)(b) GDPR (contract performance)

10. Email Communications

We send emails for the following purposes:

  • Magic Link for sign-in (transactional)
  • Payment confirmations and invoices (transactional)
  • Cancellation deadline reminders (if enabled)
  • Weekly summaries (if enabled)

Legal Basis: Art. 6(1)(b) GDPR (contract performance) for transactional emails, Art. 6(1)(a) GDPR (consent) for optional notifications

You can disable email notifications at any time in your account settings.

11. Reviews

Registered users can submit reviews about the service. The following data is processed for reviews:

  • Star rating (1-5)
  • Comment text (optional)
  • First name (for public display)
  • Creation and modification date

Publication

After approval by the provider, reviews may be publicly displayed on the website. Upon publication, only the user's first name will be shown alongside the review. Email addresses and other personal data will not be published.

If no name is provided, the review will be displayed as "Verified User".

Legal Basis: Art. 6(1)(a) GDPR (consent by submitting the review)

Retention Period: Reviews are stored until account deletion or upon user request.

12. Hosting

Vercel Inc.

440 N Barranca Avenue #4133
Covina, CA 91723, USA

Our website is hosted on Vercel servers. Vercel is certified under the EU-US Data Privacy Framework.

Vercel Privacy Policy: vercel.com/legal/privacy-policy

Legal Basis: Art. 6(1)(f) GDPR (legitimate interest in reliable website operation)

13. Database

Supabase Inc.

970 Toa Payoh North #07-04
Singapore 318992

All app data (profiles, subscriptions, settings) is stored in a PostgreSQL database at Supabase.

Server Location: Frankfurt am Main, Germany (eu-central-1)

Certifications: SOC 2 Type II

Supabase Privacy Policy: supabase.com/privacy

Legal Basis: Art. 6(1)(b) GDPR (contract performance)

14. Authentication

We offer two sign-in methods:

Magic Link (Email)

With Magic Link sign-in, a one-time link is sent to your email address. No passwords are stored.

Google OAuth (optional)

When signing in with Google, basic profile data is transmitted:

  • Name
  • Email address
  • Profile picture URL

This only happens with your explicit consent in the Google sign-in dialog.

Google Privacy Policy: policies.google.com/privacy

Legal Basis: Art. 6(1)(b) GDPR (contract performance)

15. Data Sharing

We do not share your personal data with third parties, except:

  • With the above-mentioned service providers as part of service delivery
  • When legally required (e.g., government requests)
  • For legal enforcement in case of violations of our terms of service

We do not sell your data and do not share it with third parties for advertising purposes.

16. Retention Periods

Data Type        | Retention Period
Account data     | Until account deletion + 30 days
Billing data     | 10 years (legal retention)
Server logs      | 14 days
Cookie consent   | 1 year
Support requests | 2 years after resolution

17. Minors

Our service is intended for persons aged 16 and older. Persons under 16 may only use our service with parental consent.

We do not knowingly collect personal data from children under 16. If we learn that we have collected data from a child under 16 without parental consent, we will delete this data immediately.

18. Data Deletion and Your Rights

Account Deletion

When you delete your account, all your data will be removed:

  • Your email address and profile data
  • All subscriptions and settings
  • All budgets and bank accounts
  • Your complete activity log
  • All reviews and feedback

Backup Retention

Important Note: Automatic system backups from our database provider (Supabase) may contain your data for up to 7 days after deletion. After this period, all data is completely and irreversibly deleted. We never access backup data after an account deletion.

Our Commitments

  • No Data Sales: We never sell your data to third parties.
  • No AI Training: Your data is not used for training AI models.
  • No Access After Deletion: We do not access backup data after deletion.
  • Transparency: You can export all your data at any time from your settings.

Your GDPR Rights

  • Right of Access (Art. 15): You can request information about your stored data at any time.
  • Data Portability (Art. 20): You can export your data in a machine-readable format.
  • Right to Erasure (Art. 17): You can request the deletion of your data.
  • Right to Object (Art. 21): You can object to data processing.

19. Changes to This Privacy Policy

We reserve the right to update this privacy policy to keep it compliant with current legal requirements or to implement changes to our services.

For significant changes, registered users will be notified by email. The current version is always available on this page.

20. Contact

For questions about the collection, processing, or use of your personal data, for requests regarding information, correction, restriction, or deletion of data, as well as withdrawal of given consents, please contact:

Email: info@fixcosts.com

We aim to respond to your request within 30 days.

This privacy policy was created to the best of our knowledge. For legally binding advice, please consult a lawyer.