Privacy Policy
How Wally handles your personal data.
1. Overview
Wally ("we", "us", or "the app") is a personal expense-tracking app for iOS and Android. This policy explains what personal data we collect, why we collect it, who we share it with, how long we keep it, and the rights you have under the EU General Data Protection Regulation ("GDPR").
If you do not agree with this policy, please do not use Wally.
2. Data we collect
We collect only the data needed to provide the app's core functionality:
- Account data: your email address and a hashed password.
- Profile data: a display name you choose, and your preferred currency.
- Financial data you enter: transaction amounts, categories, optional notes, and dates; monthly budget amount.
- Card metadata: a label you choose (e.g. "Personal") and the last four digits of a payment card you optionally add for visual reference. We never collect, store, or have access to full card numbers, expiration dates, or CVV codes.
- Diagnostic data: anonymous crash reports and performance information collected through Sentry. We have configured Sentry not to send personally identifying fields (email, user ID, IP address, and authentication headers are stripped before upload).
We do not collect: contacts, photos, precise location, advertising identifiers, biometric data, browsing history, or any data outside the app.
Biometric authentication
If you enable Face ID, Touch ID, or fingerprint unlock, that authentication is handled entirely by your device's operating system. The biometric template never leaves your device and is never accessible to Wally.
3. Why we process your data (purposes & legal basis)
| Purpose | Legal basis (GDPR Art. 6) |
| --- | --- |
| Create and authenticate your account; sync your data across devices. | Performance of a contract (Art. 6(1)(b)). |
| Display your transactions, budgets, cards, categories. | Performance of a contract (Art. 6(1)(b)). |
| Detect and fix crashes and bugs (diagnostic data). | Legitimate interest in maintaining a working product (Art. 6(1)(f)). |
| Respond to support requests you send us. | Legitimate interest in providing support (Art. 6(1)(f)). |
4. Who we share data with (processors)
We do not sell your personal data and we do not share it with advertisers. We use the following third-party service providers ("data processors"), each contractually bound to process data only on our instructions:
- Supabase — hosts our database and authentication. All app data (profile, transactions, cards, budget, categories) is stored here. Supabase is operated by Supabase, Inc. and may store data in EU or US data centres. Data transfers outside the EEA are covered by Standard Contractual Clauses.
- Sentry — receives anonymous crash reports (with personally identifying fields stripped client-side). Operated by Functional Software, Inc. Transfers covered by Standard Contractual Clauses.
- Apple / Google — distribute the app via the App Store and Google Play Store. They may collect their own diagnostic and usage information governed by Apple's and Google's own privacy policies.
5. How long we keep your data
- Account & app data: kept for as long as your account is active. If you delete your account (see Section 7), all account and app data is permanently deleted within 30 days. There is no soft-delete or recovery period — deletion is final.
- Crash reports: retained by Sentry for up to 90 days, then automatically deleted.
- Support emails: retained for up to 12 months after the request is closed, then deleted.
6. Security
We take security seriously:
- All network traffic uses TLS encryption.
- Authentication tokens are stored in your device's secure enclave (iOS Keychain / Android Keystore via Expo SecureStore).
- Database access is protected by row-level security: even at the database layer, your data can only be read by you.
- Passwords are hashed (never stored in plain text) by our authentication provider.
- An optional Face ID / Touch ID / fingerprint lock can be enabled to require biometric authentication before opening the app.
No system is perfectly secure, however. If we ever become aware of a personal-data breach affecting you, we will notify you within 72 hours as required by GDPR Art. 33–34.
7. Your rights under GDPR
You have the following rights regarding your personal data. To exercise any of them, email cokicedinn@gmail.com — we will respond within one month.
- Right of access (Art. 15) — request a copy of all data we hold about you. You can also export your data yourself from Profile → Export data inside the app.
- Right to rectification (Art. 16) — correct inaccurate data. You can edit your name, currency, and entries directly in the app.
- Right to erasure / "right to be forgotten" (Art. 17) — permanently delete your account and all associated data. You can do this yourself: Profile → Danger Zone → Delete account. Deletion is immediate and irreversible.
- Right to data portability (Art. 20) — receive your data in a machine-readable JSON format. The in-app export feature provides this.
- Right to restrict processing (Art. 18) — temporarily limit how we use your data.
- Right to object (Art. 21) — object to processing based on legitimate interest (e.g. crash reports). You can opt out of crash reporting by uninstalling the app, since the app does not currently offer a separate toggle for diagnostic data.
- Right to lodge a complaint (Art. 77) — file a complaint with your national data protection authority if you believe we are mishandling your data.
8. International transfers
Some of our processors (Supabase, Sentry) may transfer or store data outside the European Economic Area, including in the United States. These transfers are protected by Standard Contractual Clauses approved by the European Commission, which require equivalent levels of protection to GDPR.
9. Children
Wally is not directed at children. We do not knowingly collect personal data from anyone under 16. If you are under 16, please do not use the app. If you are a parent or guardian and believe your child has provided us with personal data, email cokicedinn@gmail.com and we will delete it.
10. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via an in-app notice or by email. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the app after a change means you accept the updated policy.
11. Contact
Questions, requests, or complaints regarding this policy or your personal data — email cokicedinn@gmail.com. We aim to respond within seven days.