Privacy Policy

Version: v1.0
Effective date: 2026-02-13
Last updated: 2026-02-13

This Privacy Policy explains how ARKAD Wallet ("we", "us", "our") collects, uses, stores, and protects personal data when you use our mobile application (the "Service").

1. Data Controllers

ARKAD Wallet is operated by:

  • Maksim Pegov, residing in Poland, and
  • Artur Szczypta, residing in Poland

The above-listed individuals act as joint data controllers within the meaning of the General Data Protection Regulation (EU) 2016/679 ("GDPR").

For privacy-related inquiries, contact: legal@arkadwallet.com

2. Categories of Personal Data We Collect

We collect and process the following categories of personal data:

2.1 Account and Identity Data

  • Email address
  • Password (processed and securely handled by Supabase authentication services)
  • Name (if provided)
  • Authentication provider
  • Date of birth
  • Preferred currency code
  • Account creation date
  • Last login date

2.2 Financial Data (User-Provided)

All financial data is manually entered by users.

We store:

  • Account name, type, balance, currency, creation date
  • Goals (name, description, status, deadline, target amount, linked account)
  • Categories (name, deletion flag)
  • Budget allocations (month, allocated amount, spent amount)
  • Transactions (amount, description, date and time, associated account)

We do not connect to bank accounts and do not automatically import financial data.

2.3 Onboarding Data (Transient Processing)

During onboarding, we may ask questions such as financial status (e.g., whether you have debts or rent/own a home).
This data is processed temporarily for in-app logic and suggestions and is not stored in our databases.

2.4 Voice Input Data

Users may record voice input to create transactions.

  • Voice recordings are transmitted to Mistral AI for transcription.
  • Raw audio is not stored by us after processing.
  • Transcribed text may be used to create transaction records.
  • Transaction descriptions may be sent to Mistral AI for categorization.

We have a Data Processing Agreement (DPA) in place with Mistral AI.

2.5 Technical and Log Data

We automatically collect certain technical data when you use the Service:

  • IP address
  • Device type and metadata transmitted in HTTP requests
  • Server logs (via Nginx)
  • Crash reports and diagnostic data (via Sentry)

2.6 Analytics Data

We use Sentry for crash reporting and performance monitoring.

Analytics data is used to improve the Service and does not intentionally include sensitive financial content. Sentry data is stored within the European Union.

2.7 Payment Data

Payments are processed by Apple App Store and Google Play. We do not store full payment card details. Payment processing is governed by the respective platform’s privacy policies.

2.8 Email Communication Data

We use Resend (a US-based email service provider) to send transactional emails.

When sending emails, we share:

  • Recipient email address
  • Email content (such as account-related notifications or service messages)

We have entered into a Data Processing Agreement (DPA) with Resend. Where data is transferred outside the EU/EEA, appropriate safeguards such as Standard Contractual Clauses are in place in accordance with GDPR.

We process personal data on the following legal bases under GDPR:

  • Performance of a contract (Art. 6(1)(b)) – to provide the Service
  • Legitimate interests (Art. 6(1)(f)) – to improve functionality, security, and stability
  • Legal obligations (Art. 6(1)(c)) – where required by law
  • Consent (Art. 6(1)(a)) – where applicable

We currently do not send marketing emails. If marketing communications are introduced in the future, they will require explicit opt-in consent.

4. Data Retention

  • Account and financial data are stored until the user deletes their account.
  • Upon account deletion, user data is deleted from active systems without undue delay.
  • Server logs may be retained for up to six (6) months for security and diagnostic purposes.
  • Backups may retain data temporarily in accordance with technical backup cycles.

5. Data Sharing and Processors

We use the following data processors:

  • Supabase (authentication and user data storage – AWS EU region)
  • Hetzner (virtual machines, API hosting, PostgreSQL database – Helsinki, Finland)
  • Mistral AI (AI transcription and categorization services)
  • Sentry (error monitoring and diagnostics – data stored in the EU)
  • Resend (transactional email delivery – United States, with GDPR safeguards in place)
  • Apple App Store and Google Play (payment processing and distribution)

We have Data Processing Agreements in place where required.

6. International Transfers

We primarily store and process data within the European Union.

Certain processors, such as Resend, may process data in the United States. In such cases, we rely on appropriate safeguards under GDPR, including Standard Contractual Clauses or other legally recognized transfer mechanisms to ensure an adequate level of data protection.

7. Security Measures

We implement appropriate technical and organizational measures to protect personal data, including:

  • HTTPS encryption for data in transit
  • Strict access control mechanisms ensuring that personal data is accessible only to authorized personnel with a legitimate business need
  • Authentication managed via Supabase
  • Server-level protections and restricted database access

While we take reasonable measures to secure data, no system can guarantee absolute security.

8. Children’s Data

The Service is intended for users aged 13 or older.

We rely on user self-declaration of age during registration. We do not knowingly process personal data of children under 13.

9. Your Rights Under GDPR

Subject to applicable law, you have the right to:

  • Access your personal data
  • Request correction of inaccurate data
  • Request deletion of your data
  • Request restriction of processing
  • Request data portability
  • Object to processing based on legitimate interests
  • Lodge a complaint with a supervisory authority

Requests may be submitted via email at legal@arkadwallet.com.

The competent supervisory authority in Poland is the President of the Personal Data Protection Office (UODO).

10. Changes to This Policy

We may update this Privacy Policy from time to time. Continued use of the Service after updates constitutes acceptance of the revised Policy.


For previous versions, see the Privacy Archive.

Changelog

  • v1.0 - Initial version