LDev AB

Legal Documents

Privacy Policy

Effective Date: January 11, 2026 | Last Updated: April 26, 2026

LDev AB ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use the EKO mobile application ("App" or "Service").

By using EKO, you consent to the data practices described in this Privacy Policy.

1. Data Controller

LDev AB is the data controller responsible for your personal data.

Contact Information:

Email: Support@LDevAB.com

Website: https://www.ldevab.com

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address (for Magic Link authentication)
  • Apple account information (name, email if you use Apple Sign-In)
  • Google account information (name, email, profile picture if you use Google Sign-In)
  • Authentication tokens (securely stored and encrypted)

2.2 Bank Connection Data

When you connect your bank accounts via Enable Banking:

  • Bank account details (account name, IBAN, account type, balance)
  • Transaction history (date, amount, description, merchant name, category)
  • Bank connection metadata (requisition ID, agreement status, last sync timestamp)

2.3 Subscription Enforcement Metadata

To enforce subscription limits and bank-access rules, we may process:

  • Subscription lifecycle event metadata (for example purchase, cancellation, expiration, refund, or product change)
  • Entitlement status and product/tier identifier
  • Internal app user identifier(s) required for entitlement mapping
  • Access-control event metadata (for example revocation attempts and results)

2.4 Product Analytics Metadata

To improve the App and measure onboarding, subscription, bank-connection, and feature usage flows, we may process pseudonymous product analytics metadata such as:

  • App install/session identifiers generated by EKO
  • Internal app user identifier after login
  • App version, platform, event name, event time, onboarding step, flow, and limited non-financial event properties

Product analytics does not include bank login credentials, bank account identifiers, balances, raw bank payloads, transaction descriptions, emails, or authentication tokens.

Your bank sends bank connection data to EKO through Enable Banking with your explicit permission. We do NOT receive or store your bank login credentials. No one at LDev AB has access to your actual bank accounts or login credentials.

3. How We Share Your Information

We do NOT sell your personal data.

3.1 Third-Party Service Providers

  • Enable Banking (Finland, EU) - Secure bank account connections
  • OpenAI (United States) - AI-powered transaction categorization using pseudonymized/minimized transaction metadata (including merchant/description text and amounts where required for classification)
  • AWS (Ireland, EU) - Cloud infrastructure hosting

3.2 Important Data Selling and Retention Disclosure

We Do NOT Sell Your Data:

  • LDev AB does not sell, rent, or trade your personal data
  • Enable Banking does not sell your banking data
  • OpenAI does not sell your transaction data
  • AWS does not sell your data

Data Retention by Third Parties: Enable Banking and OpenAI are used as processors for request handling and are configured/contracted not to retain your data on our behalf after processing. AWS stores only the infrastructure and application data required to operate the Service under our retention controls.

3.3 Legal Basis for Processing

We process personal data in accordance with Article 6 of the GDPR on the following legal bases:

  • Performance of a contract (Article 6(1)(b)) – to provide the App’s core functionality
  • User consent (Article 6(1)(a)) – for connecting bank accounts and optional features
  • Legal obligations (Article 6(1)(c)) – where required by applicable law
  • Legitimate interests (Article 6(1)(f)) – including security, fraud prevention, and service reliability

Where processing is based on consent, you may withdraw your consent at any time through the App settings or by contacting us.

3.4 International Data Transfers

Some service providers (such as OpenAI) are located outside the EU/EEA. Where personal data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

3.5 Automated Access Control Actions

Where required to enforce active entitlement and plan limits, we may automatically revoke unnecessary connected-bank sessions (for example after expiration, refund, or downgrade events). Cancellation events are generally handled at period end according to store billing rules.

3.6 Product Analytics Use

We use product analytics metadata for legitimate interests including service reliability, product improvement, conversion measurement, and understanding whether users reach first-value moments. Analytics records are retained for up to 13 months unless deleted earlier through account deletion or operational erasure.

4. Your Rights Under GDPR

As an EU/EEA resident, you have the following rights:

  • Right to Access - Request a copy of your personal data
  • Right to Rectification - Correct inaccurate or incomplete data
  • Right to Erasure - Request deletion of your data by deleting your account
  • Right to Data Portability - Request a machine-readable copy of your data
  • Right to Object - Object to processing based on legitimate interests
  • Right to Lodge a Complaint - File a complaint with your local data protection authority

To exercise your rights, contact us at: Support@LDevAB.com

5. Data Security

We implement industry-standard security measures:

  • Encryption in transit (HTTPS) and at rest
  • Secure login with Apple Sign-In, Google Sign-In, or Magic Link
  • Automatic logout after 5 minutes of inactivity
  • Secure token-based authentication

6. Account Deletion

When you delete your account:

  • Account credentials and session tokens are deleted immediately
  • All financial data is permanently and completely deleted within 30 days
  • User-linked product analytics identity rows and event rows are deleted where technically linked to your internal user identifier
  • Anonymous-only product analytics rows that are not linked to an account expire automatically under the analytics retention policy
  • Limited security/access-control metadata may be retained for a bounded period where required for fraud prevention, legal compliance, idempotency, and auditability

7. Retention for Webhook, Access-Control, and Analytics Metadata

For security, reliability, and compliance (including idempotency and audit trails), webhook and access-control metadata (for example event IDs, status, timestamps, and revocation result metadata) may be retained for a limited period. This metadata does not include full bank transaction payloads or bank login credentials.

Pseudonymous product analytics metadata is retained for up to 13 months and is minimized to product-flow measurement fields.

Contact

For the complete Privacy Policy, Terms of Service, and EULA, please visit: https://www.ldevab.com/legal/

Contact: Support@LDevAB.com

© 2026 LDev AB. All rights reserved.