Skip to content

Archived version. This is a historical copy of Privacy Policy v2.0, effective 2026-04-13. The current version is available at Privacy Policy.

Privacy Policy

Version: v2.0
Effective date: 2026-04-13
Last updated: 2026-04-10

This Privacy Policy explains how ARKAD Wallet ("we", "us", "our") collects, uses, stores, and protects personal data when you use our mobile application (the "Service").

1. Data Controllers

ARKAD Wallet is operated by:

  • Maksim Pegov, residing in Poland, and
  • Artur Szczypta, residing in Poland

The above-listed individuals act as joint data controllers within the meaning of the General Data Protection Regulation (EU) 2016/679 ("GDPR").

For privacy-related inquiries, contact: legal@arkadwallet.com

2. Categories of Personal Data We Collect

We collect and process the following categories of personal data:

2.1 Account and Identity Data

  • Email address
  • Password (processed and securely handled by Supabase authentication services)
  • Name (if provided)
  • Authentication provider
  • Date of birth
  • Preferred currency code
  • Account creation date
  • Last login date

2.2 Financial Data (User-Provided)

All financial data is manually entered by users.

We store: - Account name, type, balance, currency, creation date
- Goals (name, description, status, deadline, target amount, linked account)
- Categories (name, deletion flag)
- Budget allocations (month, allocated amount, spent amount)
- Transactions (amount, description, date and time, associated account)

We do not connect to bank accounts and do not automatically import financial data.

2.3 Onboarding Data (Transient Processing)

During onboarding, we may ask questions such as financial status (e.g., whether you have debts or rent/own a home).
This data is processed temporarily for in-app logic and suggestions and is not stored in our databases.

2.4 Voice Input Data

Users may record voice input to create transactions.

  • Voice recordings are transmitted to Mistral AI for transcription.
  • Raw audio is not stored by us after processing.
  • Transcribed text may be used to create transaction records.
  • Transaction descriptions may be sent to Mistral AI for categorization.

We have a Data Processing Agreement (DPA) in place with Mistral AI.

2.5 Technical and Log Data

We automatically collect certain technical data when you use the Service:

  • IP address
  • Device type and metadata transmitted in HTTP requests
  • Server logs (via Nginx)
  • Crash reports and diagnostic data (via Sentry)

2.6 Analytics Data

We use Sentry for crash reporting and performance monitoring.

Analytics data is used to improve the Service and does not intentionally include sensitive financial content. Sentry data is stored within the European Union.

2.7 Payment and Subscription Data

Payments are processed directly by Apple App Store and Google Play, which act as independent data controllers for billing and payment data. We do not store or process payment card details. Their processing of payment data is governed by their own privacy policies.

Subscription entitlement status (whether you have an active ARKAD Wallet Pro subscription) is tracked via RevenueCat. RevenueCat receives your app user identifier, subscription status, purchase receipt data, and device and platform information for this purpose. RevenueCat does not receive payment card details. See Section 5 for details on RevenueCat as a data processor.

2.8 Email Communication Data

We use Resend (a US-based email service provider) to send transactional emails.

When sending emails, we share: - Recipient email address
- Email content (such as account-related notifications or service messages)

We have entered into a Data Processing Agreement (DPA) with Resend. Where data is transferred outside the EU/EEA, appropriate safeguards such as Standard Contractual Clauses are in place in accordance with GDPR.

We process personal data on the following legal bases under GDPR:

  • Performance of a contract (Art. 6(1)(b)) – to provide the Service, including subscription management and entitlement verification
  • Legitimate interests (Art. 6(1)(f)) – to improve functionality, security, and stability
  • Legal obligations (Art. 6(1)(c)) – where required by law
  • Consent (Art. 6(1)(a)) – where applicable

We currently do not send marketing emails. If marketing communications are introduced in the future, they will require explicit opt-in consent.

4. Data Retention

  • Account and financial data are stored until the user deletes their account.
  • Upon account deletion, user data is deleted from active systems without undue delay.
  • Server logs may be retained for up to six (6) months for security and diagnostic purposes.
  • Backups may retain data temporarily in accordance with technical backup cycles.
  • RevenueCat may retain purchase receipt and subscription data beyond account deletion for their own legal and audit purposes, in accordance with their Privacy Policy.

5. Data Sharing and Processors

We use the following data processors and independent data controllers:

Data Processors (entities processing personal data on our behalf under GDPR Art. 28):

  • Supabase — authentication and user data storage (AWS EU region). Data Processing Agreement in place.
  • Hetzner — virtual machines, API hosting, PostgreSQL database (Helsinki, Finland). Data Processing Agreement in place.
  • Mistral AI — AI transcription and categorization services. Data Processing Agreement in place.
  • Sentry — error monitoring and diagnostics (data stored in the EU). Data Processing Agreement in place.
  • Resend — transactional email delivery (United States). Data Processing Agreement in place. Transfers governed by Standard Contractual Clauses.
  • RevenueCat — subscription management and entitlement tracking. Data processed: app user identifier, subscription status, purchase receipt data, device and platform information. RevenueCat does not receive payment card details. Data Processing Agreement incorporated by reference into RevenueCat's Terms of Service (effective December 2025). Data is processed in the United States; transfers governed by EU Standard Contractual Clauses.

Independent Data Controllers (entities that control their own processing of user data):

  • Apple App Store and Google Play — payment processing and app distribution. Apple and Google act as independent data controllers for billing and payment data. Their privacy practices are governed by their respective privacy policies. We do not direct or control their processing of payment data.

6. International Transfers

We primarily store and process data within the European Union.

Where personal data is transferred outside the EU/EEA, we rely on appropriate safeguards under GDPR Chapter V:

  • Resend processes transactional email data in the United States under EU Standard Contractual Clauses.
  • RevenueCat processes subscription entitlement data in the United States under EU Standard Contractual Clauses.

In all cases, transfers are subject to legally recognized mechanisms ensuring an adequate level of data protection.

7. Security Measures

We implement appropriate technical and organizational measures to protect personal data, including:

  • HTTPS encryption for data in transit
  • Strict access control mechanisms ensuring that personal data is accessible only to authorized personnel with a legitimate business need
  • Authentication managed via Supabase
  • Server-level protections and restricted database access

While we take reasonable measures to secure data, no system can guarantee absolute security.

8. Children's Data

The Service is intended for users aged 16 or older.

We rely on user self-declaration of age during registration. We do not knowingly process personal data of children under 16.

9. Your Rights Under GDPR

Subject to applicable law, you have the right to:

  • Access your personal data
  • Request correction of inaccurate data
  • Request deletion of your data
  • Request restriction of processing
  • Request data portability
  • Object to processing based on legitimate interests
  • Withdraw consent at any time where processing is based on consent — deleting your account serves as withdrawal of all consent-based processing
  • Lodge a complaint with a supervisory authority

Requests may be submitted via email at legal@arkadwallet.com.

The competent supervisory authority in Poland is the President of the Personal Data Protection Office (UODO).

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by sending a notification within the app or to your registered email address before the change takes effect. Continued use of the Service after such notification constitutes acceptance of the revised Policy.

For previous versions, see the Privacy Archive.

Changelog

  • v2.0 (2026-04-13) — Added RevenueCat as data processor for subscription entitlement tracking; updated Section 2.7 (payment and subscription data); restructured Section 5 to distinguish data processors from independent data controllers; updated Section 6 (international transfers) to include RevenueCat's US data storage under Standard Contractual Clauses; updated Section 4 (data retention) to include RevenueCat retention note; added right to withdraw consent in Section 9; updated Section 10 to require active notification of material changes
  • v1.0 (2026-02-13) — Initial version