Privacy Policy

Last updated: 25 February 2026

This Privacy Policy explains how Budgety ("we", "us", or "our") collects, uses, and protects personal data when you use the Budgety service ("Service"). We are committed to complying with the EU General Data Protection Regulation (GDPR) as implemented in Norwegian law through the Personal Data Act (Personopplysningsloven).

1. Data Controller

The data controller responsible for your personal data is:

Budgety

Email: support@budgety.no

2. Data We Collect

We collect the following categories of personal data:

Account data

Email address and authentication credentials provided when you register. If you sign in via a third-party provider (e.g. Google), we receive only the profile information that provider shares with us.

Financial records

Income entries, expense entries, investment snapshots, categories, amounts, dates, and descriptions that you enter into the Service. This data is associated with your account and is never shared with other users.

Usage data

Log data such as IP address, browser type, pages visited, and timestamps, collected automatically when you use the Service. This is used to operate, secure, and improve the Service.

Feedback

Any feedback, bug reports, or feature requests you submit through the in-app feedback form, including the text you provide.

3. Legal Basis for Processing

We process your personal data on the following legal bases under GDPR Article 6:

  • Performance of a contract (Art. 6(1)(b)) — to create and manage your account, store your financial records, and provide the core features of the Service.
  • Legitimate interests (Art. 6(1)(f)) — to monitor security, prevent fraud, improve the Service, and analyse usage patterns. These interests do not override your fundamental rights and freedoms.
  • Legal obligation (Art. 6(1)(c)) — where processing is required to comply with applicable law, such as retaining transaction records for accounting purposes.
  • Consent (Art. 6(1)(a)) — where we ask for your consent for a specific purpose, such as optional marketing communications. You may withdraw consent at any time.

4. How We Use Your Data

  • To authenticate you and maintain your account.
  • To store, display, and process the financial records you enter.
  • To send transactional emails (account confirmation, password reset, billing).
  • To monitor and ensure the security of the Service.
  • To diagnose technical issues and improve performance.
  • To respond to your support requests and feedback submissions.
  • To comply with legal obligations.

We do not sell your personal data. We do not use your financial records for advertising or share them with third parties for their own commercial purposes.

5. Data Sharing and Sub-processors

We share data only with trusted sub-processors who help us operate the Service, and only to the extent necessary:

Sub-processor | Purpose | Location
Supabase | Authentication and database hosting | EU (Frankfurt)

We may also disclose personal data if required to do so by law or in response to a valid request from a public authority.

6. International Transfers

We store and process your data within the European Economic Area (EEA). Where any sub-processor transfers data outside the EEA, we ensure appropriate safeguards are in place, such as the EU Standard Contractual Clauses (SCCs) adopted by the European Commission.

7. Data Retention

We retain your data for as long as your account is active. Specifically:

  • Account and financial data — retained for the duration of your account, then deleted within 30 days of account closure.
  • Usage and log data — retained for up to 90 days for security and diagnostics.
  • Backup copies — may persist for up to an additional 30 days in encrypted backup systems before being purged.

We may retain certain data longer where required by applicable law (e.g. accounting obligations under the Norwegian Bookkeeping Act).

8. Your Rights Under GDPR

As a data subject you have the following rights, which you can exercise at any time by contacting us at support@budgety.no:

  • Right of access — obtain a copy of the personal data we hold about you (Art. 15).
  • Right to rectification — have inaccurate or incomplete data corrected (Art. 16).
  • Right to erasure — request deletion of your data ("right to be forgotten") where there is no overriding legal basis to retain it (Art. 17).
  • Right to restriction — request that we limit processing of your data in certain circumstances (Art. 18).
  • Right to data portability — receive your data in a structured, machine-readable format (Art. 20).
  • Right to object — object to processing based on legitimate interests (Art. 21).
  • Rights related to automated decision-making — we do not use automated decision-making or profiling that produces legal or similarly significant effects.

We will respond to verified requests within 30 days. We may request proof of identity before processing your request.

9. Cookies and Local Storage

The Service uses strictly necessary cookies and browser local storage to maintain your authenticated session. We do not use advertising or tracking cookies. A cookie consent banner is therefore not required for the core Service.

If we introduce non-essential cookies (e.g. analytics), we will update this policy and obtain your consent where required.

10. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include encryption in transit (TLS), encryption at rest, access controls, and regular security reviews.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and inform affected users without undue delay, as required by GDPR Articles 33–34.

11. Children

The Service is not directed at persons under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or an in-app notice before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.

13. Contact and Complaints

For questions or requests regarding this Privacy Policy or our data practices, please contact our support team at: support@budgety.no

If you are not satisfied with our response, you have the right to lodge a complaint with the Norwegian Data Protection Authority:

Datatilsynet

Postboks 458 Sentrum, 0105 Oslo, Norway

www.datatilsynet.no

If you reside in another EEA member state, you may also contact the supervisory authority in your country of residence.