Privacy policy

1. Data protection at a glance

General information

The following notes provide a simple overview of what happens to your personal data when you visit this website. Personal data is all data with which you can be personally identified. Detailed information can be found in the privacy policy below.

Data collection on this website

Who is responsible? Data processing on this website is carried out by the website operator. You can find the operator's contact details in the Imprint.

How do we collect your data? Some data is collected when you provide it to us (e.g. via a form). Other data is collected automatically by our IT systems when you visit the website (e.g. browser, operating system, time of access).

What do we use your data for? Part of the data is collected to ensure error-free, secure provision of the website. Other data may be used to analyze user behavior.

Your rights: You have the right to obtain information on the origin, recipients and purpose of your stored personal data free of charge at any time and to request correction or deletion. You can also request restriction of processing and lodge a complaint with a supervisory authority.

2. Access to and storage of information in terminal equipment

By using our website, information (e.g., IP address) may be accessed or information (e.g., cookies) may be stored on your device. Where strictly necessary for technical provision, this is based on Section 25 (2) No. 2 TTDSG. For other purposes, access/storage occurs only with your consent under Section 25 (1) TTDSG in conjunction with Art. 6(1)(a) GDPR; consent can be withdrawn at any time.

3. Processors and hosting

We use carefully selected external service providers ("processors") to operate this website and the heyFinance app. Personal data collected on this website or in the app (e.g., IP addresses, contact requests, meta/communication data, names, page views and other data generated via the website) is processed on these providers' servers.

These "processors" are used for the performance of a contract with potential and existing customers (Art. 6(1)(b) GDPR) and in the interest of a secure, fast and efficient provision of our online offer (Art. 6(1)(f) GDPR). The "processors" process your data only to the extent necessary to fulfill their performance obligations and follow our instructions.

  • Vercel – frontend hosting
  • Render – backend hosting
  • Supabase – managed database
  • Resend – transactional email
  • Stripe – payment processing (collects name, email, billing address, and payment card details to process subscription payments)

These providers process your data only to the extent necessary to fulfil their services and in accordance with our instructions. We have concluded data processing agreements (DPAs) with them. If data is transferred outside the EU/EEA, Standard Contractual Clauses (SCCs) and appropriate safeguards are applied.

Stripe's role: When you subscribe to heyFinance, Stripe processes your payment information directly. We do not store your full payment card details on our servers. Stripe is PCI-DSS compliant and processes payments securely. For more information, see Stripe's Privacy Policy at https://stripe.com/privacy.

4. General notes and mandatory information

Data protection

We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy. Please note that data transmission on the Internet (e.g., when communicating by e-mail) may have security gaps.

Note on the controller

The controller for data processing on this website is the website operator. See the Imprint for contact details.

Revocation of your consent to data processing

Many data processing operations are possible only with your express consent. You may revoke consent at any time with effect for the future. The lawfulness of processing carried out before revocation remains unaffected.

Data retention after trial and cancellation

If you do not subscribe after your free trial ends, your account and associated data will be automatically deleted after 30 days. If you cancel a paid subscription, your data will be retained for 90 days to allow you to reactivate your account, after which it will be permanently deleted. You may request immediate deletion at any time directly through your account settings or by contacting us.

Right to object to processing in special cases and to direct marketing (Art. 21 GDPR)

If processing is based on Art. 6(1)(e) or (f) GDPR, you have the right to object at any time on grounds relating to your particular situation; this also applies to profiling. If your personal data is processed for direct marketing, you have the right to object at any time to such processing.

Right to lodge a complaint with the supervisory authority

In the event of a breach of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, without prejudice to other remedies. The competent authority for our location is the Berliner Beauftragte für Datenschutz und Informationsfreiheit.

Right to data portability

You have the right to receive data that we process automatically on the basis of your consent or in performance of a contract in a commonly used, machine-readable format, or to have it transmitted to another controller where technically feasible.

SSL or TLS encryption

For security reasons and to protect the transmission of confidential content, this site uses SSL or TLS encryption. An encrypted connection can be recognized by the lock symbol in your browser and the "https://" address line.

User accounts and verification

To create and use a heyFinance account, we process your email address and a password chosen by you. In order to activate your account, you must verify your email address via a confirmation link. Until verification is completed, login may be restricted and we may send reminder emails or temporarily block access. Unverified accounts may be deleted after a reasonable period.

Financial data provided by users

heyFinance is a financial management tool. Users may manually enter or upload personal financial data (e.g., budgets, expenses, debts, account balances, transactions). This data is processed solely for the purpose of providing the agreed functionality (Art. 6(1)(b) GDPR). We do not import financial data from external banks or services unless explicitly provided by the user. The Provider does not offer financial or investment advice.

Information, deletion, correction

Within the scope of legal provisions, you have the right at any time to free information about your stored personal data, its origin and recipients and the purpose of data processing and, if applicable, a right to correction or deletion of this data.

Right to restriction of processing

You have the right to request restriction of processing under the conditions set out in Art. 18 GDPR. If processing is restricted, this data may—apart from storage—only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.

Objection to advertising emails

We hereby object to the use of contact data published as part of our legal notice obligation for the purpose of sending unsolicited advertising and information materials.

Payments

Subscription payments are processed exclusively via Stripe, a third-party payment processor. When you subscribe, Stripe collects your payment card details, billing address, name, and email address to process recurring payments. We do not store your full payment card details on our servers. Stripe handles all payment data securely in compliance with PCI-DSS standards. Legal basis: Art. 6(1)(b) GDPR (performance of contract). For more information, see Stripe's Privacy Policy.

5. Data collection on this website

Cookies

Some internet pages use cookies. Cookies do not damage your device and do not contain viruses. They help make our offer more user-friendly, effective and secure. Most cookies we use are "session cookies" and are deleted after your visit. Other cookies remain stored until you delete them. You can configure your browser to inform you about the setting of cookies and to allow cookies only in individual cases, exclude cookies for certain cases or in general, and activate deletion when closing the browser. If cookies are deactivated, the functionality of the website may be restricted.

Cookies required to carry out the electronic communication process or to provide certain functions you request are stored on the basis of Art. 6(1)(f) GDPR. If consent is requested, processing is based on Art. 6(1)(a) GDPR and consent can be revoked at any time.

Server log files

The provider automatically collects and stores information in server log files that your browser transmits to us (browser type/version, operating system, referrer URL, host name, time of request, IP address). This data is not merged with other data sources. Processing is based on Art. 6(1)(f) GDPR in the interest of technically error-free presentation and optimization of the website.

Contact form

If you send us inquiries via a contact form, the details you provide—including contact details—are stored for the purpose of processing the inquiry and in case of follow-up questions. We do not pass on this data without your consent. Processing is based on Art. 6(1)(b) GDPR if related to contract performance or pre-contractual measures; otherwise on our legitimate interest (Art. 6(1)(f) GDPR) or your consent (Art. 6(1)(a) GDPR). We retain such data until you request deletion, revoke consent or the purpose no longer applies. Statutory retention periods (e.g. 6–10 years for business/tax records) remain unaffected.

Request by e-mail or telephone

If you contact us by e-mail or phone, we store and process your inquiry, including personal data (e.g. name, message), to handle your request. Processing follows Art. 6(1)(b) GDPR where applicable, otherwise Art. 6(1)(a) and/or Art. 6(1)(f) GDPR. Retention follows the same rules as above, subject to statutory retention periods (6–10 years for business/tax records).

Processing of data (customer and contract data)

We collect, process and use personal data only insofar as it is necessary for establishing, structuring or changing the legal relationship (inventory data) and usage data only insofar as necessary to enable or charge for the use of the service (Art. 6(1)(b) GDPR). Customer data is deleted after completion of the order or termination of the business relationship. Statutory retention periods (6–10 years for business/tax records) remain unaffected.

6. AI Insights and Financial Data Processing

heyFinance offers an optional AI-powered insights feature that analyzes your financial activity and generates monthly summaries, spending trends, and goal-based recommendations. This feature uses only aggregated financial information derived from the data you enter or upload.

6.1 Types of data processed

To generate AI insights, we send only aggregated and non-identifying financial metrics to our AI provider. These aggregated values may include:

  • Monthly income and expense totals
  • Category-level spending summaries
  • Cash flow and savings rate calculations
  • Goal progress, target amounts, and affordability assessments
  • Counts of transactions per category (not the transactions themselves)
  • Month-over-month percentage changes or trends

We do NOT transmit any raw transaction data to the AI provider. This includes:

  • Individual transaction details
  • Vendor names or descriptions
  • Bank account numbers or identifiers
  • Your email, name, or any personal identifiers
  • Any financial login credentials

6.2 Purpose of processing

Aggregated financial metrics are processed exclusively to generate your monthly financial insights, recommendations, and summaries inside the heyFinance app. They are not used for any other purpose.

6.3 Third-party AI providers

We may use a third-party AI provider (e.g., OpenAI) to process aggregated metrics. The provider processes this information solely to generate insights and does not use it to train models or for any independent purpose.

6.4 Legal basis

Processing is based on your explicit consent under Art. 6(1)(a) GDPR, provided when enabling the AI Insights feature or uploading financial data for this purpose. You may withdraw your consent at any time.

6.5 No automated decision-making

AI insights are informational only and are not financial, tax, or investment advice. No automated decisions with legal or significant effects are made based on your data.

6.6 Data retention

Aggregated financial data is retained only as long as necessary to display historical insights and fulfill contractual obligations. You may delete your financial data at any time from within your heyFinance account, after which it will be removed from our systems subject to standard backup procedures.

Last updated: January 2026