Who we are
Neatly Money is a personal finance tracking application operated by Igor Stepanov, an individual entrepreneur (entrepreneur individuel — micro-entreprise) registered in France under SIRET 103 095 501 00013, with a registered address at 4 Allée des Chevreuils, 91330 Yerres, France ("we", "us", "our", or the "Publisher").
We act as the data controller for the personal data we process about you in connection with your use of the Neatly Money application available at neatly.money (the "Service"). For any privacy-related question or request, please contact us at privacy@neatly.money.
We have not appointed a Data Protection Officer (DPO) because the scale and nature of our processing do not require one under Article 37 of the General Data Protection Regulation ("GDPR").
What personal data we collect
We collect and process the following categories of personal data when you use the Service:
- Account data — your email address, a hashed form of the password you choose, and (if you choose to provide them) optional profile details such as your display name, theme preference, and preferred display language. If you sign in using Google, we also receive your Google account email address and (if available) your name and profile picture.
- Financial data — the personal-finance information you enter into the Service, including the names and types of your accounts, transactions, categories, budgets, and balances. This data is provided by you and is not collected from any third party. We do not connect to your bank, and we do not import your bank statements.
- Technical data — strictly limited to what is necessary to operate the Service securely. This includes your IP address (used only for security and abuse-detection purposes, not for analytics), and the essential cookies described in our Cookie Policy. We do not use any analytics, advertising, or tracking cookies.
Is providing data mandatory?
Providing your email address and a password (or signing in with Google) is required to create and use a Neatly Money account. The legal basis for processing this data is the performance of the contract between you and us (Article 6(1)(b) GDPR). If you do not provide this information, we cannot create or maintain your account.
All other personal data is optional. You can use the Service without providing a display name, without choosing a non-default theme, and without changing your preferred language. You may also choose what financial information to enter into the Service.
Why we collect your data and on what legal basis (Article 6 GDPR)
We process your personal data on the following legal bases:
- Performance of a contract (Article 6(1)(b) GDPR) — to create and maintain your account, store and display the financial information you enter, deliver the core features of the Service, and respond to your support requests.
- Our legitimate interests (Article 6(1)(f) GDPR) — to keep the Service secure, detect and prevent abuse and fraud, debug technical errors, and improve the reliability of the Service. We balance these interests against your rights and freedoms; you may object to this processing as described below.
- Compliance with a legal obligation (Article 6(1)(c) GDPR) — to respond to lawful requests from competent authorities and to comply with our obligations under applicable French and EU law.
- Your consent (Article 6(1)(a) GDPR) — for any future processing that requires consent (for example, if we later introduce optional features such as marketing emails or non-essential analytics). At present, we do not rely on consent because we do not perform any such optional processing.
How long we keep your data
We keep your personal data for as long as your account is active. If you delete your account, we keep your data for a 30-day grace period during which you may contact us to restore it. After this grace period, we permanently delete your data from our active systems.
Encrypted backups of our database may retain a copy of your data for up to approximately 90 days after deletion, after which they rotate out and the data is no longer recoverable. Backups are used only for disaster recovery and are not accessed for any other purpose.
We may retain a minimal record (such as the fact that an account with a given email address existed and was deleted) for a limited time when required to comply with a legal obligation, defend a legal claim, or prevent fraud and abuse.
Who we share your data with (sub-processors)
We do not sell your personal data, and we do not share it with third parties for their own marketing or advertising purposes.
To operate the Service we rely on a small number of carefully selected sub-processors. Each sub-processor processes personal data only on our documented instructions, under a written data-processing agreement, and with appropriate technical and organisational safeguards in place.
| Processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Supabase, Inc. | Authentication (email/password, Google OAuth) and session management | Ireland (eu-west-1) | EU GDPR + Standard Contractual Clauses + EU-US Data Privacy Framework |
| Neon, Inc. | Managed PostgreSQL database hosting (your account, transactions, budgets, and other application data) | Germany (eu-central-1, Frankfurt) | EU GDPR + Standard Contractual Clauses + EU-US Data Privacy Framework |
| Vercel Inc. | Web application hosting and serverless function execution | EU region | Standard Contractual Clauses + EU-US Data Privacy Framework |
| Google Ireland Limited | Google Sign-In (only if you choose to sign in with Google) | Ireland / United States | EU-US Data Privacy Framework |
We will update this list when we add or change a sub-processor. An error-tracking service (Sentry) will be added to this list when we deploy it; until then, no error-tracking provider receives your data.
International transfers of your data
Your personal data is stored within the European Union. Some of our sub-processors are companies incorporated in the United States (Supabase, Neon, Vercel, and Google). These sub-processors keep your data on EU-based infrastructure for our use of their services, and they have committed to lawful international-transfer mechanisms — namely the European Commission Standard Contractual Clauses ("SCCs") and, where applicable, certification under the EU-US Data Privacy Framework.
You may request a copy of these safeguards by writing to privacy@neatly.money.
Your rights
Subject to the conditions set out in the GDPR, you have the following rights regarding your personal data:
- Right of access — to obtain confirmation of whether we process your personal data, and a copy of that data.
- Right to rectification — to ask us to correct inaccurate or incomplete personal data.
- Right to erasure ("right to be forgotten") — to ask us to delete your personal data in the cases set out in Article 17 GDPR.
- Right to data portability — to receive a structured, commonly used and machine-readable copy of the personal data you have provided to us, and to ask us to transmit it to another controller where technically feasible.
- Right to restriction of processing — to ask us to limit the processing of your personal data in the cases set out in Article 18 GDPR.
- Right to object — to object, on grounds relating to your particular situation, to processing that is based on our legitimate interests.
- Right to withdraw consent — where processing is based on your consent, to withdraw that consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
You also have the right to lodge a complaint with the French data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), or with the supervisory authority of the EU member state where you reside or work. The CNIL complaint form is available online.
How to exercise your rights
To exercise any of the rights described above, please write to us at privacy@neatly.money. We will respond within one month of receiving your request, as required by Article 12(3) GDPR. We may extend this period by up to two further months for complex or numerous requests, in which case we will inform you of the extension and the reasons for it within the first month.
We may need to verify your identity before acting on your request, in particular by asking you to confirm the email address associated with your account.
In a future version of the Service, we plan to add in-app buttons to let you delete your account and export your data directly. Until those buttons are available, please contact us by email and we will handle your request manually.
Automated decision-making
We do not carry out any automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR. We do not profile you for advertising purposes, and we do not use your personal data or your financial data to train any machine-learning or artificial-intelligence model.
Children's data
The Service is intended for adults aged 18 or older. We do not knowingly collect personal data from children. If you believe that a child has provided us with personal data, please contact us at privacy@neatly.money and we will take appropriate steps to delete it.
Data security
We take the security of your personal data seriously and apply appropriate technical and organisational measures to protect it, including:
- Encryption in transit — all communication between your device and the Service uses HTTPS (TLS).
- Password hashing — passwords are never stored in plain text; they are hashed using industry-standard algorithms managed by our authentication provider.
- Access controls — only the Publisher has administrative access to the production systems, and access is granted on the principle of least privilege.
- Regular dependency updates and security reviews of the application code.
- EU-based infrastructure with the safeguards described in the sections above.
No method of transmission or storage is completely secure. While we work hard to protect your personal data, we cannot guarantee absolute security.
Changes to this Privacy Policy
We may update this page from time to time. The Effective Date at the top of the page reflects the latest version. We encourage you to review this page periodically. Continued use of the Service after the new Effective Date constitutes acceptance of the changes.
Contact, language, and effective date
If you have any question about this Privacy Policy or about how we process your personal data, please contact us at privacy@neatly.money.
This document is issued in English. A French translation is provided for convenience and ease of reading; in case of discrepancy, the English version prevails.
Effective date: April 23, 2026.