Privacy Policy

Last updated: 17/07/2026

This Privacy Policy is maintained by Coinly and explains how we handle personal data on coinlyfinance.com (the "Service"). It supplements our Terms of Service, Cookie Policy, Data Processing Addendum, and Acceptable Use Policy.

1. Who we are (Controller)

Coinly is the data controller for personal data processed about account holders. For data you enter about other people (e.g. shared-asset members, suppliers, household members), you are the controller and Coinly acts as your processor under the DPA. Contact: privacy@coinlyfinance.com.

2. Scope

This policy covers the Coinly web app, mobile/PWA experience, marketing site, support channels, and APIs. It does not cover third-party services you choose to connect (e.g. your bank, Google Drive, Microsoft OneDrive) beyond what we receive from them.

3. Personal data we collect

  • Account data: email, display name, password hash, auth tokens, optional MFA secrets and recovery codes.
  • Financial data you enter: assets, accounts, transactions, categories, suppliers, budgets, reconciliations, warranties, notes, attachments.
  • Bank-sync data (PSD2): when you link a bank via Enable Banking, GoCardless Bank Account Data, or Salt Edge, we receive account identifiers, balances, and transactions for accounts you authorise.
  • Receipts & documents: images and PDFs you upload, plus AI-extracted metadata (merchant, date, total, line items, suggested category).
  • Cloud-backup data: if you connect Google Drive or Microsoft OneDrive, OAuth tokens (encrypted at rest) and the backup files written into your own Drive.
  • Support content: chat messages, feedback, screenshots, and attachments you send us.
  • Technical & security data: IP address, user agent, approximate country (from request headers), device and session identifiers, page visits, CSP violation reports, and administrative audit logs.
  • Billing data: handled by our payment processor; we receive subscription status and the last four digits of your card. We do not store full card numbers.
  • Cookies & local storage: see our Cookie Policy.

We do not knowingly collect special-category data (e.g. health, biometrics) and ask that you do not upload it. If you do, you consent to our processing it solely to provide the Service.

4. How we use your data & legal bases (GDPR Art. 6)

  • Provide the Service — process transactions, generate reports, sync banks, run backups, render attachments. Legal basis: contract (Art. 6(1)(b)).
  • Optional AI features you trigger — receipt OCR, category suggestions, lifestyle categorisation, in-app chat. Content is sent to our AI Gateway and upstream model providers only when you initiate the feature. Legal basis: contract / consent.
  • Security, fraud and abuse prevention — rate limiting, MFA, audit logging, CSP reporting, HIBP password screening. Legal basis: legitimate interests and legal obligation.
  • Service communications — security alerts, billing receipts, policy updates. Legal basis: contract / legal obligation.
  • Product updates & marketing — only with your opt-in; unsubscribe anytime. Legal basis: consent (Art. 6(1)(a)).
  • Legal compliance — tax, accounting, lawful requests. Legal basis: legal obligation.

We do not use your financial data to train third-party AI models, and we do not sell personal data.

5. Sub-processors & sharing

We share personal data only with sub-processors bound by written confidentiality and data-processing terms:

  • Hosting, database, storage: Supabase and Cloudflare (EU/US regions).
  • AI processing: Lovable AI Gateway and upstream providers (e.g. Google, OpenAI) — only when you trigger an AI feature.
  • Bank connectivity (PSD2): Enable Banking, GoCardless Bank Account Data, Salt Edge — only for accounts you link.
  • Cloud backup: Google Drive, Microsoft OneDrive — only when you connect them; files are written to your own Drive.
  • Email delivery: our transactional email provider, for verification, security and account email.
  • Payments: our payment processor, for subscription billing.
  • Authorities: where required by valid legal process.

Shared-asset members you invite can see data inside that asset according to their role.

6. International transfers

Where data is transferred outside the EEA or UK, we rely on Standard Contractual Clauses (and the UK Addendum where applicable) or another lawful transfer mechanism. A list of sub-processor regions is available on request.

7. Retention

  • Account & financial data: kept while your account is active.
  • On account deletion: personal data is deleted or anonymised within 30 days, except records we must keep by law (e.g. invoices, fraud and tax records — typically up to 7 years).
  • Security logs and audit trails: up to 24 months.
  • Soft-deleted items in the app are purged on a rolling schedule.
  • Backups in your own Google Drive / OneDrive are under your control; we do not delete them on your behalf.

8. Your rights

Subject to local law (GDPR, UK GDPR, CCPA/CPRA and others) you may have the right to:

  • Access a copy of your personal data.
  • Rectify inaccurate data.
  • Erase data ("right to be forgotten").
  • Restrict or object to processing, including profiling.
  • Port your data in a machine-readable format.
  • Withdraw consent at any time (without affecting prior lawful processing).
  • Lodge a complaint with your supervisory authority (e.g. the UK ICO or your EU DPA).
  • California residents (CCPA/CPRA): the rights to know, delete, correct, and opt out of "sharing" for cross-context behavioural advertising — we do not sell or share personal data in that sense.

You can export your data and delete your account from Settings → Data, or email privacy@coinlyfinance.com. We respond within 30 days.

9. Automated decisions

AI features produce suggestions (e.g. categories, merchants) that you can accept, edit, or ignore. We do not make decisions with legal or similarly significant effects about you using solely automated processing.

10. Security

Technical and organisational measures include TLS in transit, encryption at rest, row-level security scoped to your account or asset membership, encrypted storage of third-party OAuth tokens, optional MFA, leaked-password screening (HIBP), CSP reporting, IP and user-agent audit logging, least-privilege access to production, and dependency scanning. No system is completely secure; if a breach affects you, we will notify you in line with applicable law (within 72 hours where GDPR Art. 33 applies).

11. Children

Coinly is not directed to children under 16. We do not knowingly collect their data; if you believe a child has provided us data, contact us and we will delete it.

12. Changes

We may update this policy. Material changes will be notified by email or in-app, and the "Last updated" date above will change. Continued use after the effective date constitutes acceptance.

13. Contact

Privacy & data requests: privacy@coinlyfinance.com
Security disclosures: security@coinlyfinance.com
Abuse reports: abuse@coinlyfinance.com