Privacy Policy
Version: v2.1
Effective date: 2026-04-13
Last updated: 2026-04-12
This Privacy Policy explains how ARKAD Wallet ("we", "us", "our") collects, uses, stores, and protects personal data when you use our mobile application (the "Service").
1. Data Controllers
ARKAD Wallet is operated by:
- Maksim Pegov, residing in Poland, and
- Artur Szczypta, residing in Poland
The above-listed individuals act as joint data controllers within the meaning of the General Data Protection Regulation (EU) 2016/679 ("GDPR").
For privacy-related inquiries, contact: legal@arkadwallet.com
2. Categories of Personal Data We Collect
We collect and process the following categories of personal data:
2.1 Account and Identity Data
- Email address
- Password (processed and securely handled by Supabase authentication services)
- Name (if provided)
- Authentication provider
- Date of birth
- Preferred currency code
- Account creation date
- Last login date
2.2 Financial Data (User-Provided)
All financial data is manually entered by users.
We store:
- Account name, type, balance, currency, creation date
- Goals (name, description, status, deadline, target amount, linked account)
- Categories (name, deletion flag)
- Budget allocations (month, allocated amount, spent amount)
- Transactions (amount, description, date and time, associated account)
We do not connect to bank accounts and do not automatically import financial data.
2.3 Onboarding Data (Transient Processing)
During onboarding, we may ask questions such as financial status (e.g., whether you have debts or rent/own a home).
This data is processed temporarily for in-app logic and suggestions and is not stored in our databases.
2.4 Voice Input Data
Users may record voice input to create transactions.
- Voice recordings are transmitted to Mistral AI for transcription.
- Raw audio is not stored by us after processing.
- Transcribed text may be used to create transaction records.
- Transaction descriptions may be sent to Mistral AI for categorization.
We have a Data Processing Agreement (DPA) in place with Mistral AI.
2.5 Technical and Log Data
We automatically collect certain technical data when you use the Service:
- IP address
- Device type and metadata transmitted in HTTP requests
- Server logs (via Nginx)
- Crash reports and diagnostic data (via Sentry)
2.6 Analytics Data
We use Sentry for crash reporting and performance monitoring.
Analytics data is used to improve the Service and does not intentionally include sensitive financial content. Sentry data is stored within the European Union.
2.7 Payment and Subscription Data
Payments are processed directly by Apple App Store and Google Play, which act as independent data controllers for billing and payment data. We do not store or process payment card details. Their processing of payment data is governed by their own privacy policies.
Subscription entitlement status (whether you have an active ARKAD Wallet Pro subscription) is tracked via RevenueCat. RevenueCat receives your app user identifier, subscription status, purchase receipt data, and device and platform information for this purpose. RevenueCat does not receive payment card details. See Section 5 for details on RevenueCat as a data processor.
2.8 Email Communication Data
We use Resend (a US-based email service provider) to send emails to users. We send two categories of emails:
Service emails (sent without separate consent, as necessary for the performance of the contract or to comply with legal obligations):
- Account verification and password reset emails
- Security notifications (e.g., unusual login activity)
- Notifications about changes to the Terms of Use or this Privacy Policy
- Account deletion confirmations
- Subscription and billing-related notifications
Optional communications (sent only with your explicit prior consent):
- Product updates and feature announcements
- Feedback and survey requests
- Tips and guidance on using the Service
You may withdraw your consent to optional communications at any time by using the unsubscribe link included in every such email or by contacting us at legal@arkadwallet.com. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal, nor does it affect the sending of service emails necessary for the operation of your account.
When sending emails, we share with Resend:
- Recipient email address
- Email content
- Communication preference status
We have entered into a Data Processing Agreement (DPA) with Resend. Where data is transferred outside the EU/EEA, appropriate safeguards such as Standard Contractual Clauses are in place in accordance with GDPR.
3. Legal Basis for Processing
We process personal data on the following legal bases under GDPR:
- Performance of a contract (Art. 6(1)(b)) – to provide the Service, including subscription management, entitlement verification, and sending service emails necessary for the operation of your account
- Legitimate interests (Art. 6(1)(f)) – to improve functionality, security, and stability
- Legal obligations (Art. 6(1)(c)) – where required by law
- Consent (Art. 6(1)(a)) – for optional email communications such as product updates, feature announcements, and feedback requests, in accordance with Art. 398 of the Polish Electronic Communications Law (Prawo komunikacji elektronicznej, PKE) and Article 13 of Directive 2002/58/EC (ePrivacy Directive)
We do not send marketing or promotional emails. Optional communications (product updates, feedback requests) are sent only to users who have given explicit, separate, freely given consent during registration or later through their account settings. Consent may be withdrawn at any time without affecting your access to the Service.
4. Data Retention
- Account and financial data are stored until the user deletes their account.
- Upon account deletion, user data is deleted from active systems without undue delay.
- Server logs may be retained for up to six (6) months for security and diagnostic purposes.
- Backups may retain data temporarily in accordance with technical backup cycles.
- RevenueCat may retain purchase receipt and subscription data beyond account deletion for their own legal and audit purposes, in accordance with their Privacy Policy.
5. Data Sharing and Processors
We use the following data processors and independent data controllers:
Data Processors (entities processing personal data on our behalf under GDPR Art. 28):
- Supabase — authentication and user data storage (AWS EU region). Data Processing Agreement in place.
- Hetzner — virtual machines, API hosting, PostgreSQL database (Helsinki, Finland). Data Processing Agreement in place.
- Mistral AI — AI transcription and categorization services. Data Processing Agreement in place.
- Sentry — error monitoring and diagnostics (data stored in the EU). Data Processing Agreement in place.
- Resend — transactional email delivery (United States). Data Processing Agreement in place. Transfers governed by Standard Contractual Clauses.
- RevenueCat — subscription management and entitlement tracking. Data processed: app user identifier, subscription status, purchase receipt data, device and platform information. RevenueCat does not receive payment card details. Data Processing Agreement incorporated by reference into RevenueCat's Terms of Service (effective December 2025). Data is processed in the United States; transfers governed by EU Standard Contractual Clauses.
Independent Data Controllers (entities that control their own processing of user data):
- Apple App Store and Google Play — payment processing and app distribution. Apple and Google act as independent data controllers for billing and payment data. Their privacy practices are governed by their respective privacy policies. We do not direct or control their processing of payment data.
6. International Transfers
We primarily store and process data within the European Union.
Where personal data is transferred outside the EU/EEA, we rely on appropriate safeguards under GDPR Chapter V:
- Resend processes transactional email data in the United States under EU Standard Contractual Clauses.
- RevenueCat processes subscription entitlement data in the United States under EU Standard Contractual Clauses.
In all cases, transfers are subject to legally recognized mechanisms ensuring an adequate level of data protection.
7. Security Measures
We implement appropriate technical and organizational measures to protect personal data, including:
- HTTPS encryption for data in transit
- Strict access control mechanisms ensuring that personal data is accessible only to authorized personnel with a legitimate business need
- Authentication managed via Supabase
- Server-level protections and restricted database access
While we take reasonable measures to secure data, no system can guarantee absolute security.
8. Children's Data
The Service is intended for users aged 16 or older.
We rely on user self-declaration of age during registration. We do not knowingly process personal data of children under 16.
9. Your Rights Under GDPR
Subject to applicable law, you have the right to:
- Access your personal data
- Request correction of inaccurate data
- Request deletion of your data
- Request restriction of processing
- Request data portability
- Object to processing based on legitimate interests
- Withdraw consent at any time where processing is based on consent — deleting your account serves as withdrawal of all consent-based processing
- Lodge a complaint with a supervisory authority
Requests may be submitted via email at legal@arkadwallet.com.
The competent supervisory authority in Poland is the President of the Personal Data Protection Office (UODO).
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by sending a notification within the app or to your registered email address before the change takes effect. Continued use of the Service after such notification constitutes acceptance of the revised Policy.
For previous versions, see the Privacy Archive.
Changelog
- v2.1 (2026-04-13) — Expanded Section 2.8 to distinguish service emails from optional communications (product updates, feedback requests); updated Section 3 to specify legal basis for email communications under GDPR Art. 6(1)(b) and Art. 6(1)(a), with reference to Polish PKE Art. 398 and ePrivacy Directive Art. 13; added consent withdrawal mechanism for optional communications
- v2.0 (2026-04-13) — Added RevenueCat as data processor for subscription entitlement tracking; updated Section 2.7 (payment and subscription data); restructured Section 5 to distinguish data processors from independent data controllers; updated Section 6 (international transfers) to include RevenueCat's US data storage under Standard Contractual Clauses; updated Section 4 (data retention) to include RevenueCat retention note; added right to withdraw consent in Section 9; updated Section 10 to require active notification of material changes
- v1.0 (2026-02-13) — Initial version