1. Data Controller

LDev AB is the data controller responsible for your personal data.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

• Email address (for Magic Link authentication)
• Apple account information (name, email if you use Apple Sign-In)
• Google account information (name, email, profile picture if you use Google Sign-In)
• Authentication tokens (securely stored and encrypted)

2.2 Bank Connection Data

When you connect your bank accounts via Enable Banking:

• Bank account details (account name, IBAN, account type, balance)
• Transaction history (date, amount, description, merchant name, category)
• Bank connection metadata (requisition ID, agreement status, last sync timestamp)

2.3 Subscription Enforcement Metadata

To enforce subscription limits and bank-access rules, we may process:

• Subscription lifecycle event metadata (for example purchase, cancellation, expiration, refund, or product change)
• Entitlement status and product/tier identifier
• Internal app user identifier(s) required for entitlement mapping
• Access-control event metadata (for example revocation attempts and results)

Your bank sends this data to EKO through Enable Banking with your explicit permission. We do NOT receive or store your bank login credentials. No one at LDev AB has access to your actual bank accounts or login credentials.

3. How We Share Your Information

We do NOT sell your personal data.

3.1 Third-Party Service Providers

• Enable Banking (Finland, EU) - Secure bank account connections
• OpenAI (United States) - AI-powered transaction categorization (anonymized data only)
• AWS (Ireland, EU) - Cloud infrastructure hosting

3.2 Important Data Selling and Retention Disclosure

We Do NOT Sell Your Data:

• LDev AB does not sell, rent, or trade your personal data
• Enable Banking does not sell your banking data
• OpenAI does not sell your transaction data
• AWS does not sell your data

Data Retention by Third Parties: All third-party service providers retain data only as long as necessary to provide their specific services and in accordance with their contractual obligations to LDev AB.

3.3 Legal Basis for Processing

We process personal data in accordance with Article 6 of the GDPR on the following legal bases:

• Performance of a contract (Article 6(1)(b)) – to provide the App's core functionality
• User consent (Article 6(1)(a)) – for connecting bank accounts and optional features
• Legal obligations (Article 6(1)(c)) – where required by applicable law
• Legitimate interests (Article 6(1)(f)) – including security, fraud prevention, and service reliability

Where processing is based on consent, you may withdraw your consent at any time through the App settings or by contacting us.

3.4 International Data Transfers

Some service providers (such as OpenAI) are located outside the EU/EEA. Where personal data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

3.5 Automated Access Control Actions

Where required to enforce active entitlement and plan limits, we may automatically revoke unnecessary connected-bank sessions (for example after expiration, refund, or downgrade events). Cancellation events are generally handled at period end according to store billing rules.

4. Your Rights Under GDPR

As an EU/EEA resident, you have the following rights:

• Right to Access - Request a copy of your personal data
• Right to Rectification - Correct inaccurate or incomplete data
• Right to Erasure - Request deletion of your data by deleting your account
• Right to Data Portability - Request a machine-readable copy of your data
• Right to Object - Object to processing based on legitimate interests
• Right to Lodge a Complaint - File a complaint with your local data protection authority

To exercise your rights, contact us at: Support@LDevAB.com

5. Data Security

We implement industry-standard security measures:

• Encryption in transit (HTTPS) and at rest
• Secure login with Apple Sign-In, Google Sign-In, or Magic Link
• Automatic logout after 5 minutes of inactivity
• Secure token-based authentication

6. Account Deletion

When you delete your account:

• Account credentials and session tokens are deleted immediately
• All financial data is permanently and completely deleted within 30 days
• We do not retain any of your personal data after account deletion

7. Retention for Webhook and Access-Control Metadata

For security, reliability, and compliance (including idempotency and audit trails), webhook and access-control metadata may be retained for a limited period.