PENNYSIGHT

GDPR / PRIVACY

Privacy Policy

Effective from: 2026-03-19

This privacy policy describes how Pennysight processes personal data in connection with the use of the mobile application and the accompanying AI analysis feature available through an online account.

This document has been prepared in accordance with GDPR requirements and Apple's requirements for publicly available privacy information for applications published in the App Store.

1. Data controller

The data controller is Michał Wilk Software Solutions, NIP 9581750781, REGON 540717659, based in Gdynia (81-260), Pomeranian Voivodeship, Poland.

For privacy-related inquiries, exercising your GDPR rights, or account support, please contact us at: contact@micwilk.com.

The controller has not appointed a data protection officer.

2. Scope of data

Pennysight is a mobile application for personal finance management. Typically, user data such as the local expense database and app settings are stored on the user's device.

Data processed on the server includes information needed for the AI analysis feature and online account: first name or profile name, email address, password hash, email verification status, session identifiers, IP address, user agent, limited expense data submitted for analysis, saved analysis summaries, subscription status, analysis usage limits, and Apple transaction identifiers needed for in-app purchase verification.

We do not use advertisements, advertising identifiers, marketing profiling, or analytics tools that track user behavior within the app.

3. Purposes and legal bases of processing

We process data primarily for the purpose of creating and maintaining an account, logging in, sending verification and password reset emails, performing AI analysis, managing subscriptions and analysis usage limits, verifying Apple In-App Purchases, and deleting an account at the user's request.

The legal basis for processing is Article 6(1)(b) GDPR where processing is necessary for the performance of the service agreement, Article 6(1)(c) GDPR for legal obligations, and Article 6(1)(f) GDPR for security, fraud prevention, defense against claims, and maintaining service stability.

AI analysis is auxiliary and informational in nature. It is not used for automated decision-making producing legal effects or similarly significantly affecting the user.

4. Data recipients

Data may be entrusted to infrastructure and tool providers necessary for the operation of the service, in particular the hosting and database provider, the transactional email provider Resend, the AI model provider OpenRouter, and Apple for payments and App Store purchase verification.

Apple is an independent data controller for data related to App Store payments. Billing details, card processing, and refunds are handled in accordance with Apple's policies.

We do not sell personal data or share it with data brokers.

5. Transfers outside the EEA

Some technology providers may process data outside the European Economic Area. In such cases, the controller relies on appropriate transfer mechanisms, such as the European Commission's standard contractual clauses or another basis provided by the GDPR.

6. Retention period

Account data, saved analysis summaries, data needed for subscription and analysis usage limits, and limited expense data submitted for analysis are stored until the account is deleted by the user or the controller.

Deleting the account from within the app causes irreversible deletion of data stored in the application's main databases, including analysis history, account data, subscription records, and purchase identifiers stored by the service.

Temporary technical data such as sessions, verification tokens, and password reset tokens are stored until expiration or loss of usefulness. A limited copy of data may temporarily remain in infrastructure provider backups until overwritten according to that provider's policy.

7. Cookies and similar technologies

The service does not use analytics, advertising, or marketing cookies.

The web portion may use essential technical cookies or session tokens if necessary for login, session maintenance, security, and proper account operation.

8. User rights

You have the right to request access to your data, rectification, erasure, restriction of processing, data portability, and to object to processing based on the controller's legitimate interest.

If you believe your data is being processed unlawfully, you also have the right to lodge a complaint with the President of the Personal Data Protection Office (UODO).

Requests regarding the exercise of your rights can be sent to: contact@micwilk.com.

9. Children and minors

The service is designed primarily for adults. Minors may use the application only to the extent permitted by law and under the supervision or with the consent of a parent or guardian, where required.

10. Policy changes

This privacy policy may be updated in the event of changes to functionality, providers, or legal requirements. The current version will be published at this address along with the effective date.