Privacy Policy
Effective date: April 1, 2026
1. General Principles
We are committed to transparent and secure data processing. As a company established in the European Union, we process all Personal Data in accordance with EU privacy standards and laws (GDPR). In this Privacy Policy, we provide you with information about what Personal Data we process and for what purpose, what your rights are, and where you can contact us in case of any questions or concerns regarding the processing of your Personal Data.
Your privacy is important to us. We process Personal Data only if we have your Consent or if we are authorized to do so on the basis of other legitimate reasons, in particular if:
- (a) processing is necessary for the performance of the Agreement on the provision of the Service and for entering into a contract with you;
- (b) processing is necessary for compliance with a legal obligation to which we are subject (e.g., AML Act, accounting);
- (c) processing is necessary for the purposes of the legitimate interests pursued by us as the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of you as the data subject.
We do not process any special categories of Personal Data (sensitive data), i.e., data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, nor genetic or biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation.
If you are under 15 years of age, you are not eligible to use our Applications or Services.
2. Definition of Terms
Unless the definition of a term with an initial capital letter is provided below, its interpretation can be found in our Business Terms.
Means the company BudgetBakers s.r.o. (contact details are provided in the Contacts section at www.budgetbakers.com), established under the laws of the Czech Republic, with its registered seat at Radlická 180/50, Smíchov, 150 00 Prague 5, Czech Republic, ID No.: 02882957.
Means a set of functions allowing Users to track and analyze their financial situation (Wallet, Board) or share costs (ShareCost).
Means a person who uses the Provider's Applications, Services, or websites.
Means the specialized software used by the User, including the Wallet, Board, and ShareCost applications.
Means the Account Information Service consisting of an automated algorithm and technical interface (API) connected to the applications of relevant providers (banks and Financial Institutions), which is used by the User and, with their permission, allows BudgetBakers to access information from bank accounts for the purpose of retrieving Data and displaying it in the Application.
3. What Data We Process About You and How We Obtain It
For better clarity, we have divided the types of Data we process into the following table:
| Data Category | Specific Processed Data | Method of Acquisition and Notes |
|---|---|---|
| Registration and Account | E-mail address, password (in encrypted form). | Necessary for account creation and unique identification of the User. |
| User Profile (Optional) | Name, surname, date of birth, gender, profile photo. | Data that you voluntarily enter yourself. You can also use a pseudonym. Used for Service personalization. |
| Third-Party Login (SSO) | E-mail, name, profile picture. | Obtained from Google, Facebook, or Apple if you choose to log in through them. The scope depends on your privacy settings with these services. |
| Payments and Subscription | Transaction ID, Subscription type, purchase date, validity. | We do not process or store payment card numbers. Payments are handled directly by Apple App Store, Google Play, or a payment gateway. |
| Application Content (Your Data) | Information on income and expenses, amounts, currencies, categories, labels, notes, photos of receipts, budgets. | Data that you enter into the Application yourself or that are synchronized (e.g., in ShareCost). We store them on servers for synchronization and backup. |
| Bank Data (AIS) | Account balances, transaction history (date, amount, counterparty, description). | Obtained only with your explicit Consent directly from your bank via a secure interface (API). Data is "read-only". |
| Mobile Sensor Data | See the detailed breakdown below in the Permissions and Data Collection section. | Only if you enable it in your phone. |
| Technical and Analytical Data | IP address, device type, OS version, application crash logs, usage statistics. | Automatically collected to ensure security, fix bugs, and improve the Application (e.g., via Google Analytics, Sentry). |
3.1. Permissions and Data Collection
To use various functionalities within our Services, we will ask you to grant the following permissions so that we can provide the functionality:
- (a) Track your location – Geodata allow us to provide you with a better Service. Unless you agree otherwise, we process this information to provide certain functions in our Wallet, such as the Smart Assistant or heat maps, to better help you track your expenses.
- (b) Read identity – Helps us find accounts on the device and read your own business card (contact) so that we can offer easier login services.
- (c) See contacts – Helps us find accounts on the device and read your contacts so that we can provide you with better services with the Debts and Sharing functions.
- (d) Read and modify Photos/Media/Files – Allows reading content such as images of receipts or evidence of your expenses.
- (e) Read, modify or delete your content in storage – Allows us to store your content on your device.
- (f) Use Camera – Allows us to take photos of your receipts and add your own audiovisual content.
- (g) View Wi-Fi connection – Allows us to switch from offline to online mode to synchronize your content.
- (h) Read notifications (Android only) – A function on your Android device that allows us to process information from system notifications of financial and payment applications that you explicitly select. This function is entirely optional and requires you to grant the Application specific permission via the Android Notification Listener Service.
- (i) Information via iOS Shortcuts and Automations (Optional function) – If you are an iOS user, you can automate transaction entry by creating personal automations in the Apple "Shortcuts" application. This optional function allows you to configure a workflow that sends specific information from other applications directly to your Wallet or Board application.
The above permissions are voluntary (opt-in) and you can change your settings at any time in your mobile device settings in the section Settings – Applications – Permissions.
When you use the Application to track your finances, your transaction Data is stored on our servers (in the case of an active internet connection), including income, expenses, categories, amounts, currency, labels, account type, date, time, and other details provided by the User. If your device is offline, this Data is stored only locally on your device and will be transferred to our servers only after the internet connection is restored.
3.2. AI and OCR Processing of Documents
If you choose to use the function for scanning receipts or other financial documents, we use Optical Character Recognition (OCR) technologies and Artificial Intelligence (AI) models provided by OpenAI for their analysis and text extraction (e.g., amount, date, merchant).
Your privacy is important to us, so we assure you that:
- (a) No model training: The Data you submit for analysis (receipt images) is not used for training, learning, or improving the public AI models of the provider (OpenAI) or any other third parties.
- (b) Purpose limitation: Data is processed exclusively for the purpose of extracting information for your needs in the Application.
- (c) Security: Data is transferred in encrypted form and in accordance with our high security standards.
4. How We Use Your Personal Data
Your Data is used to:
- (a) Provide the Service: So that the Application works, synchronizes Data, and displays overviews to you.
- (b) Communicate: Sending operational information, changes in Terms, or responding to your support queries.
- (c) Improve services: Analyzing how you use the Application (through tools like Google Analytics, Mixpanel, Sentry) so that we can fix bugs and develop new functions.
- (d) Marketing: If you have granted us Consent (e.g., by subscribing to a newsletter), we may send you offers or tips. You can withdraw this Consent at any time.
5. Recipients of Your Personal Data (Third Parties)
We share your Data only to the extent necessary with verified partners who ensure the technical operation of the Services (hosting, databases, analysis, AIS Service).
If you use the "Group Sharing" function in the Application or are a member of a group in the ShareCost application, your Data will be seen by other Users to whom you have granted access.
Partners and third-party applications (API): If you choose to connect your account with a third-party application or service using our API (e.g., B2B partners), you acknowledge that this partner becomes an Independent Controller of your transferred data. The processing of this data is governed by the partner's own privacy policy, for which BudgetBakers bears no responsibility.
6. Data Retention and Deletion
We keep Personal Data for as long as you actively use your account. If you do not log in to the Application for more than 6 months, we reserve the right to deactivate your account and delete all Data.
You have the right to request account deletion at any time (the right to be forgotten). You can delete your account directly in the Application settings or by contacting support. Your Data will be permanently deleted from our primary production servers within 1 month of your request.
Please note that for the purpose of ensuring security and continuity of services (in case of failure), we keep data backups. Your Data is deleted from production servers but may remain for the necessary period in encrypted backups, which are cyclically overwritten and to which access is restricted.
Some Data (e.g., for AML purposes in the AIS Service or tax documents) must be kept for the period stipulated by law even after account deletion.
7. Security
We follow strict security procedures in the storage and disclosure of your Personal Data. Our systems are regularly tested according to the OWASP methodology, and we are certified according to the ISO 27001 standard.
The data centers we use (e.g., AWS) meet the highest standards of physical security, including biometric scanning for access, video surveillance, and 24/7 security. We use separate database systems for storing user profiles and the financial Data itself.
All communication between your device and our servers is encrypted using the SSL protocol. Your Data is stored primarily on servers in the European Union or the USA with providers who meet high data protection standards.
8. Your Rights Related to Personal Data Processing (GDPR)
8.1. Right of Access to Your Data
You have the right to request confirmation as to whether we are processing your Personal Data, and if so, you have the right to access that Data and the following information:
- (a) the purposes of the processing;
- (b) the categories of Personal Data concerned;
- (c) the recipients or categories of recipients to whom the Personal Data have been or will be disclosed, in particular recipients in third countries or international organizations;
- (d) the envisaged period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period;
- (e) the existence of the right to request from us rectification or erasure of Personal Data or restriction of processing concerning the data subject or to object to such processing;
- (f) the right to lodge a complaint with a supervisory authority;
- (g) all available information as to the source of the Personal Data, if not obtained from you;
- (h) the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.
If your Data are transferred to a third country or to an international organization outside the European Union, you have the right to be informed of the appropriate safeguards relating to the transfer.
If you request it, we will provide you with a copy of the Personal Data undergoing processing. For any further copies you request, we may charge a reasonable fee based on administrative costs. If you make the request by electronic means, the information shall be provided in a commonly used electronic form, unless you request otherwise. The right to obtain a copy shall not adversely affect the rights and freedoms of others.
8.2. Right to Rectification
You have the right to have us rectify inaccurate Personal Data concerning you without undue delay. Taking into account the purposes of processing, you have the right to have incomplete Personal Data completed, including by providing a supplementary statement.
8.3. Right to Erasure (Right to Be Forgotten)
You have the right to request that we erase your Personal Data without undue delay where one of the following grounds applies:
- (a) the Personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- (b) you withdraw your Consent on which the processing is based, and where there is no other legal ground for the processing;
- (c) you object to automated individual decision-making and there are no overriding legitimate grounds for the processing, or you object to the processing of Personal Data for direct marketing purposes (including profiling);
- (d) the Personal Data have been unlawfully processed;
- (e) the Personal Data have to be erased for compliance with a legal obligation in Union or Member State law to which we are subject;
- (f) the Personal Data have been collected in relation to the offer of information society services to a child under 16 years of age.
This right shall not apply to the extent that processing is necessary:
- (a) for compliance with a legal obligation which requires processing by Union or Member State law to which we are subject or for the performance of a task carried out in the public interest or in the exercise of official authority;
- (b) for the establishment, exercise or defence of legal claims.
8.4. Data Deletion Policy
You have the right to request the erasure of your Personal Data from our primary production servers. You own your Data. Whenever you wish to remove your Data from our system, you may ask us to delete the account from our production servers. As a result, your Data will be permanently removed from our production servers and further access to your account will be impossible. Furthermore, any connection we have established with your account Information (AIS Service) will be disconnected.
However, for the purpose of ensuring service continuity in case of failure or damage to our production servers, we retain backups of parts of your Data on our production servers. Your aggregated data are stored on these servers for an indefinite period. We reserve the right to use any aggregated or anonymous data derived from or containing your Personal Data.
You are responsible for maintaining the accuracy of the information you provide to us, such as contact details provided during account registration. If your Personal Data changes or if you no longer wish to use our Services, you may correct or remove inaccuracies or adjust information by making changes at any time through the Service. In some cases, however, we cannot delete all the information we hold about you (e.g., due to legal obligations).
8.5. Right to Restriction of Processing
You have the right to request that we restrict processing in any of the following cases:
- (a) you contest the accuracy of the Personal Data, for a period enabling us to verify the accuracy of the Personal Data;
- (b) the processing is unlawful and you oppose the erasure of the Personal Data and request the restriction of their use instead;
- (c) we no longer need the Personal Data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims;
- (d) you have objected to processing for the purposes of individual automated decision-making and it is being verified whether our legitimate grounds as the controller override those of you as the data subject.
If processing has been restricted, such Personal Data shall, with the exception of storage, only be processed with your Consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State. You have the right to be informed by us before the restriction of processing is lifted.
8.6. Right to Data Portability
You have the right to receive the Personal Data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller in the event that:
- (a) the processing is based on your Consent or on a contract; and
- (b) the processing is carried out by automated means.
We will provide these data to you in .csv, .xls or .pdf format by e-mail. You may request that we transmit the data directly to another controller, where technically feasible. The exercise of the right to data portability does not mean that you are cancelling the use of our Services or that you are withdrawing Consent for the further processing of your Personal Data. This right shall not adversely affect the rights and freedoms of others. We may refuse your request for portability if it would adversely affect the rights and freedoms of others.
8.7. Right to Object and Automated Individual Decision-Making
We perform profiling solely for direct marketing purposes. We do not analyze any Personal Data provided by you or collected about you during the use of our Wallet for any automated decision-making process, nor do we provide such tools or information to any third party.
In the event that we process your Personal Data for direct marketing purposes, you have the right to object at any time to the processing of Personal Data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, the Personal Data shall no longer be processed for such purposes.
As a data controller, we shall no longer process your Personal Data for this purpose unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. You may change your choice by removing Consent in the Application (Settings – Personal Data and Privacy).
As a data subject, you have the right not to be subject to any decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, unless you have given us your explicit Consent.
Profiling means any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that person's behavior, such as shopping preferences, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
8.8. Complaints
If you find or believe that the processing of your Personal Data is carried out in conflict with the protection of your privacy or in conflict with the law, especially if the Personal Data are inaccurate with respect to the purpose of processing, you may ask us for an explanation at support@budgetbakers.com and request that we remedy the situation. In particular, this may involve blocking, performing a correction, supplementation or disposal of Personal Data. If we find that your objection is justified, we will comply with your request.
If you suffer damage other than pecuniary damage as a result of the processing of Personal Data, you are entitled to a remedy under the Civil Code. If a breach of obligations imposed by law on the controller or processor occurs during the processing of Personal Data, they shall be jointly and severally liable. By law, in case of a request for blocking, correction, supplementation or disposal of Personal Data, we shall inform other recipients, if any existed, and if it is possible and does not require disproportionate effort.
If you have concerns regarding the processing of your data and have not received satisfactory information from us, you may lodge a complaint with the Office for Personal Data Protection at http://www.uoou.cz. This is without prejudice to your other rights to file a lawsuit in court and seek civil remedy.
9. Cookies
9.1. What Are Cookies For?
Cookies help identify Application Users and repeat website visitors, remember Users' own preferences, and help Users complete tasks without having to re-enter information when moving from one page to another or during a later visit to the pages. Cookies can also be used to track Users' preferences while browsing the web for the purposes of targeted online advertising and for displaying advertisements relevant to what the User has searched for in the past.
9.2. What Types of Cookies Do We Use?
In order to provide you with better Services, we use cookies when you visit our website www.budgetbakers.com or when you use our Wallet Application. We use various sets of cookies, which are divided as follows:
(a) Essential cookies – These cookies are vital for the proper functioning of the website and cannot be turned off. They include:
- bb-cookie-consent – Stores your cookie Consent preferences (365 days).
- Session cookies – Keep your session active during browsing.
(b) Analytical cookies (with your Consent) – Help us understand how visitors interact with our website:
- _ga – Google Analytics cookie for distinguishing users (2 years).
- _gid – Google Analytics cookie for distinguishing users (24 hours).
- _gat – Google Analytics cookie for limiting request frequency (1 minute).
- _ga_* – Google Analytics 4 cookies for session tracking (2 years).
(c) Marketing cookies (with your Consent) – Used for advertising and remarketing purposes:
- _fbp – Facebook Pixel cookie for tracking and advertising (90 days).
- fr – Facebook Pixel cookie for displaying relevant advertisements (90 days).
- _rdt_uuid – Reddit Pixel cookie for tracking conversions (90 days).
In addition to essential cookies, we use analytical and marketing cookies only if you grant us explicit Consent through the cookie bar on our website. You can manage your preferences at any time in the cookie settings, disable or refuse some or all cookies, or delete cookies already set in your web browser.
Cookies that we use can be divided into the following types:
- (a) Session cookie: Is deleted as soon as you close the browser; it exists only in the temporary memory of your device during website navigation.
- (b) Persistent cookie: Remains on the User's computer/device for a predefined period; it remains in operation even after closing the browser (e.g., it remembers your login credentials and password so that you do not have to enter them every time).
- (c) Third-party cookies: Are installed by third parties to collect certain information for conducting various research on behavior, demographics, etc.
Persistent cookies and third-party cookies are automatically deleted if you are inactive and do not visit our website or use our Application for a period longer than 6 months. You can also delete these cookies if you change your preferences.
9.3. Cookie Management
You have full control over the cookies we use:
(a) Cookie bar (Consent Banner): Upon your first visit to our website, you will see a banner where you can:
- Accept all cookies.
- Refuse cookies other than essential ones.
- Adjust preferences by categories.
(b) Browser settings: You can control cookies through your browser settings:
- Block all cookies (may affect website functionality).
- Delete existing cookies.
- Set preferences for specific websites.
(c) Cookie Policy page: Visit our dedicated page at www.budgetbakers.com/cookies for detailed information on all cookies we use.
(d) Google Consent Mode: We implement Google Consent Mode v2, which adjusts the behavior of Google tags based on your Consent choices, thereby ensuring compliance with privacy regulations.
9.4. Web Beacons
Web beacons are images (single-pixel gifs) embedded in a website or e-mail for the purpose of measuring and analyzing site usage and activity. Web beacons or similar technologies help us better manage content in our Services by informing us what content is effective, counting Users of the Services, monitoring how Users navigate the Services, counting how many sent e-mails were actually opened, or how many specific articles or links were actually viewed. Information collected using web beacons is not linked to the Personal Data of our Users.
You can learn more about cookies at http://www.allaboutcookies.org, where you can find other useful information about cookies and how to block cookies using various types of browsers. Please note, however, that blocking or deleting cookies used on the website or in the Application may affect the availability and functionality of the website and the provision of the Service through our Application.
10. Contact and Data Protection Officer (DPO)
For privacy questions, contact us at: support@budgetbakers.com
Data Protection Officer
Address:
BudgetBakers s.r.o.
Radlická 180/50, Smíchov
150 00 Prague 5
Czech Republic
Email: DPO@budgetbakers.com
11. Policy Changes
We may change this Policy from time to time. We will inform you of material changes by e-mail or by a notification in the Application. We recommend checking this document regularly.