Last updated: [DATE]
[COMPANY NAME], [ADDRESS], [COUNTRY] ("we", "us", "our") operates the Zensto budget management application. We are the data controller for personal data processed through this application.
Contact for privacy matters: [PRIVACY EMAIL]
Name, email address, and password hash. Collected to create and manage your account. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
Bank account numbers, transaction records (amounts, dates, descriptions, counterparty information), income estimates. Collected to provide budget management functionality. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
When you import bank transactions (e.g. via Belfius CSV export), we process transaction descriptions, amounts, dates, and counterparty names and account numbers appearing in your transaction history. These third-party counterparties have not directly provided their data to us; we process it under our legitimate interest in providing you with a complete view of your finances (Art. 6(1)(f) GDPR). We do not use counterparty data for any purpose other than displaying your transaction history to you.
If you use shared budgets or group features, your name and certain account information may be visible to other members of your group. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
We use Google Analytics to understand how the application is used (pages visited, session duration). This is only activated with your explicit consent. Legal basis: consent (Art. 6(1)(a) GDPR). You may withdraw consent at any time by clearing your browser's local storage or using the preference in your account settings.
IP address, browser type, and session identifiers are stored to maintain your login session and protect against unauthorised access. Legal basis: legitimate interests (Art. 6(1)(f) GDPR).
We retain your personal data for as long as your account is active. When you delete your account, your data is marked for deletion and permanently removed within [X days]. Transaction data may be retained for up to 7 years where required by Belgian accounting law (Art. III.86 WER), during which time it cannot be erased on request. We will inform you of any such limitation when you submit an erasure request.
Session data is retained for a maximum of 120 minutes. Password reset tokens expire within 60 minutes.
[HOSTING PROVIDER], [LOCATION]. Your data is hosted within the European Economic Area. [DATA PROCESSING AGREEMENT IN PLACE.]
[EMAIL PROVIDER] processes your email address to deliver transactional emails (verification, password reset). [DATA PROCESSING AGREEMENT IN PLACE.]
Google LLC (Google Analytics 4) — only if you have consented. Google participates in the EU-US Data Privacy Framework. For more information, see Google's privacy policy.
We do not sell your personal data to third parties.
Under the GDPR, you have the following rights in relation to your personal data:
To exercise any right, contact us at [PRIVACY EMAIL]. We will respond within 30 days. You also have the right to lodge a complaint with the Belgian Data Protection Authority (Autorité de protection des données / Gegevensbeschermingsautoriteit — APD/GBA) at www.dataprotectionauthority.be.
We protect your data using industry-standard measures including encrypted sessions, hashed passwords (bcrypt), and TLS transport encryption. No system is completely secure; in the event of a data breach we will notify you and the supervisory authority as required by law.
We may update this policy from time to time. We will notify you of material changes by email or via an in-app notice before they take effect.