Walli

Privacy Policy

How we handle your personal data and the rights you have under the GDPR. Last updated: 4 July 2026.

Who is responsible (data controller)

The controller of your personal data is the operator of Walli: [legal entity name, registered address and contact email — to be completed]. For any privacy matter reach us at [privacy contact email]. We have not appointed a Data Protection Officer [update if one is appointed].

Data we process

• Account data: email address and display name. • Age bracket: your date of birth (to tell adults from minors and apply the right safeguards). • Approximate location: your country, derived from your IP address. • Financial data you enter or import: accounts, transactions, categories, budgets, envelopes, loans, groups and related notes — and receipt images you choose to scan. • Group data: within a group, your name/email and shared expenses are visible to other members. • Technical & usage data: device/browser information, log data and identifiers used to run and secure the service. We do not intentionally collect special-category data; please don't enter it in free-text fields.

Why we process it

• To provide and operate the app and its features (accounts, reports, groups, reminders, AI assistant). • To secure the service, prevent abuse and fix problems. • To communicate with you about your account (sign-in, password reset, optional summaries). • To improve Walli. • To show, in aggregate form only, sponsor banners that fund the service.

Legal bases (GDPR Art. 6)

• Performance of the contract — to provide the app you asked for. • Legitimate interests — security, abuse prevention, product improvement and aggregate (non-identifying) sponsor metrics. • Consent — where required, e.g. optional email summaries, web-push notifications or other non-essential processing; you can withdraw it at any time. • Legal obligations — where the law requires. For minors, processing relies on the applicable digital-consent / parental-consent rules.

AI processing

If you use the AI features, the relevant data from your account (and, for receipt scanning, the image) is sent to our AI provider, Google (Gemini API), acting as our processor, to generate the assistant's replies, report insights or extracted receipt fields. This is automated processing, but it does not make decisions with legal or similarly significant effects — it is advisory. Per Google's API terms, this data is not used to train Google's models. The AI features are optional; if you prefer, don't use them.

Who we share data with (processors)

We do not sell your data. We use carefully selected providers that process data on our behalf under data-processing agreements: • Supabase — database and authentication. • Cloudflare — hosting, content delivery and file storage. • Google (Gemini API) — the optional AI features. • Resend — sending transactional emails. We may also disclose data where required by law or to protect rights and safety.

International transfers

Some providers (for example Google) may process data outside the European Economic Area, including in the United States. Where that happens, transfers are protected by appropriate GDPR safeguards, such as the European Commission's Standard Contractual Clauses and/or an adequacy mechanism (e.g. the EU–US Data Privacy Framework).

Shared / group data

Group features are collaborative by design: when you join or are added to a group, your display name/email and the expenses, splits and settlements you record there are visible to the other members. Only join or invite people you trust with that information. Leaving or deleting a group is handled in the app.

Cookies & local storage

We use only strictly-necessary cookies and similar storage to run the app — for authentication/session, your language preference, and request-tracing identifiers used for security and troubleshooting. We do not use third-party advertising or analytics tracking cookies, so no cookie-consent banner is required for these essential technologies.

Sponsors

Sponsors receive only aggregate statistics (for example, the number of active users per country and age bracket) and never your personal or financial data. Sponsor banners are not personalised using your financial data, and there is no cross-site tracking.

Affiliate links

When you click an affiliate or partner link you leave Walli for a third-party site governed by its own privacy policy. We do not share your personal or financial data with affiliate partners; at most an anonymous referral identifier may be passed so a sign-up can be credited. Any click statistics we keep are aggregate and never tied to your identity.

Children's data

The digital age of consent varies by country (13–16 under the GDPR; 14 in Italy). Below that age, the app must be used with a parent's or guardian's consent, and we take reasonable steps consistent with that. We minimise minors' data, do not profile them for advertising, and restrict monetisation to age-appropriate sponsors. If you believe we hold a child's data without proper consent, contact us and we will delete it.

How we protect your data

We apply appropriate technical and organisational measures: encryption in transit (HTTPS) and at rest, per-user access controls and row-level isolation so users can reach only their own data, backend-only service credentials, and least-privilege secrets. No system is perfectly secure, but we work to protect your information and to address issues promptly.

How long we keep it

We keep your data while your account is active. When you delete your account (or ask us to), we delete your personal data from the live systems without undue delay; residual copies in encrypted backups are overwritten on the ordinary backup cycle. We may retain limited information longer where the law requires or to defend legal claims.

Your rights (GDPR)

You can access your data, rectify it, erase it, restrict or object to processing, and obtain data portability (you can export your transactions to CSV in the app at any time). Where processing is based on consent, you can withdraw it at any time without affecting prior processing. To exercise any right, contact us. You also have the right to lodge a complaint with your data-protection authority — in Italy, the Garante per la protezione dei dati personali.

Changes to this policy

We may update this Privacy Policy; we will post the new version here, update the date above, and flag material changes in the app.

Language

This policy is provided in several languages for your convenience. The English version is the reference text; if a translation conflicts with it, the English version prevails, except where mandatory law requires the version in your language.

Contact

For privacy questions or to exercise your rights, contact the operator of Walli at [privacy contact email — to be completed].

Back to home