Privacy Policy for WallyMe

Effective Date: March 10, 2026
Last Updated: March 10, 2026

Introduction

WallyMe ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application (the "App"). Please read this policy carefully.

By using WallyMe, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use the App.

---

1. Information We Collect

1.1 Personal Information

We collect the following personal information when you create an account:

• Email address (for authentication purposes)
• Password (encrypted and stored securely via Supabase Auth)
• User ID (automatically generated)
• Social login data (if you sign in with Apple or Google: name and email provided by the identity provider)

1.2 Financial Data

We collect financial information that you voluntarily provide to track your expenses and income:

• Transaction details: amount, description, category, date/time
• Custom categories and subcategories you create
• Learned keywords for automatic transaction categorization
• Budget settings and monthly limits
• Credit card information: card name, brand, cut-off dates, payment dates, credit limit, currency (NO card numbers or CVV)
• Currency and country preferences
• Recurring transaction rules

1.3 Usage Data

We may collect information about how you interact with the App:

• Device information: device type, operating system version
• App usage: features used, timestamps
• Error logs: crash reports for debugging purposes
• IP address: used for country detection to set default currency (not stored)

1.4 AI Categorization Data

We use xAI Grok to categorize transactions based on your input:

• Transaction descriptions are sent to Grok API for automatic categorization
• Learned keywords are stored to improve future categorizations
• AI processing is ephemeral and does not retain your data after categorization
• AI usage is limited to 200 categorizations per day per user

1.5 Voice Input Data

If you use voice input to record transactions:

• Speech recognition is processed on-device using iOS/Android native APIs
• Audio data is NOT sent to our servers or any third party
• Only the resulting text transcription is used to create transactions

1.6 Subscription Data

WallyMe requires a subscription after the free trial period:

• Subscription status: trial, active, expired
• Purchase receipts: Validated through Apple/Google APIs
• Expiry dates: To manage subscription renewals
• Payment information: Handled exclusively by Apple/Google (we never see your credit card details)

---

2. How We Use Your Information

2.1 Core Functionality

• Account management: authentication, user identification
• Transaction management: create, read, update, delete transactions
• AI categorization: automatic categorization of expenses/income using Grok AI
• Budget tracking: monitor spending against monthly budgets
• Credit card management: track payment due dates and cut-off dates
• Multi-currency support: currency conversion and exchange rates
• Offline sync: store transactions locally and sync when online

2.2 Service Improvement

• Error monitoring: diagnose and fix bugs
• Feature optimization: improve AI accuracy and user experience
• Analytics: understand usage patterns to enhance the App (aggregated, anonymized data only)

2.3 Communication

• Service updates: notify you of important changes, new features, or security updates
• Customer support: respond to your inquiries and provide assistance

---

3. Data Storage and Security

3.1 Where We Store Your Data

• Database: PostgreSQL hosted on Supabase (secure cloud infrastructure)
• Authentication: Supabase Auth with JWT tokens
• Backend API: Hosted on secure VPS with SSL encryption (https://api.wallyme.com)
• Local storage: Preferences and offline data stored securely on your device (sensitive data in iOS Keychain / Android Keystore)

3.2 Security Measures

We implement industry-standard security measures to protect your data:

• Encryption in transit: HTTPS/TLS for all API communications
• Encryption at rest: Database encryption via Supabase
• Password hashing: Passwords are hashed using bcrypt before storage
• JWT authentication: Secure token-based authentication
• Rate limiting: Protection against brute-force attacks
• Input validation: SQL injection and XSS protection
• Row Level Security: Database policies ensuring users can only access their own data
• Secure storage: Credit card metadata and tokens stored in hardware-encrypted storage (SecureStore)

3.3 Data Retention

• Active accounts: Data is retained as long as your account is active
• Inactive accounts: Data may be deleted after 24 months of inactivity (we will notify you before deletion)
• Deleted accounts: Upon account deletion, your data is permanently removed within 30 days

---

4. Third-Party Services

4.1 Supabase (Authentication & Database)

• Purpose: User authentication and data storage
• Data shared: Email, password (hashed), user ID, financial data
• Privacy Policy: https://supabase.com/privacy

4.2 xAI Grok (AI Categorization)

• Purpose: Automatic transaction categorization using AI
• Data shared: Transaction descriptions only (e.g., "uber 50", "starbucks 89")
• Data retention: Ephemeral processing only, no long-term storage by Grok
• Privacy Policy: https://x.ai/legal/privacy-policy

4.3 Apple App Store / Google Play Store (Subscriptions)

• Purpose: Process subscription payments
• Data shared: Purchase receipts, subscription status
• Payment processing: Handled entirely by Apple/Google (we never see payment details)
• Privacy Policies:
  • Apple: https://www.apple.com/legal/privacy/
  • Google: https://policies.google.com/privacy

4.4 Apple Sign-In / Google Sign-In (Social Login)

• Purpose: Alternative authentication method
• Data shared: Email and name provided by the identity provider
• Note: Apple's "Hide My Email" feature is supported

---

5. Your Data Rights

You have the following rights regarding your personal data:

• Access: You can view all your data within the App
• Correction: You can edit your transactions, categories, keywords, budgets, and preferences at any time
• Deletion: You can delete individual transactions or request full account deletion by contacting us at support@wallyme.com
• Data Export: You can request a copy of your data in JSON format
• Opt-Out: You can opt out of AI categorization by using manual categorization only

---

6. Children's Privacy

WallyMe is not intended for users under the age of 13. We do not knowingly collect personal information from children. If we discover that a child has provided us with personal information, we will delete it immediately.

---

7. Changes to This Policy

We reserve the right to modify this Privacy Policy at any time. Changes will be communicated through the App or via email. Continued use of the App after changes constitutes acceptance of the updated policy.

---

8. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your data, please contact us:

Email: support@wallyme.com
Website: https://wallyme.com

---

9. Legal Compliance

GDPR (European Union)

If you are located in the EU, you have additional rights under GDPR:

• Right to access, rectification, erasure, restriction, and portability of your data
• Right to object to processing and withdraw consent at any time
• Right to lodge a complaint with a supervisory authority

CCPA (California, USA)

If you are a California resident, you have rights under CCPA:

• Right to know what personal information is collected
• Right to request deletion of personal information
• Right to opt out of the sale of personal information (we do not sell your data)

---

Thank you for trusting WallyMe with your financial data. We are committed to protecting your privacy and providing a secure, transparent experience.