Privacy Policy

Last updated: April 26, 2026

Kostenx (“we”, “us”, “our”) provides a personal-finance web application that helps you track expenses, set budgets, and manage bank accounts. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and the rights you have over it.

1. Who we are

The data controller for the personal data processed via Kostenx is Kostenx GmbH (placeholder — to be replaced with the registered company name and address).

2. Data we collect

2.1 Account data

  • Email address, name, and a hashed password (we never store your password in plaintext)
  • Profile preferences such as currency and timezone
  • OAuth identifier if you sign in with Google

2.2 Financial data you enter

  • Expense and income records (amount, date, category, optional notes)
  • Bank account names and opening balances you choose to record
  • Budget targets you set

2.3 Technical data

  • IP address (used for security rate limiting and to detect abuse)
  • Browser/device information sent in standard HTTP headers
  • Timestamps of significant account actions (login, password change, plan change) for audit purposes

3. Lawful basis for processing (GDPR)

  • Contract — to provide the service you signed up for (storing and displaying your expenses, processing your subscription payment).
  • Legal obligation — to retain certain financial records for tax/accounting purposes where applicable.
  • Legitimate interests — to keep the service secure (rate limiting, fraud prevention) and to improve it (anonymized aggregate usage).
  • Consent — for non-essential analytics cookies (see our Cookie Policy). You can withdraw consent at any time.

4. How long we keep your data

Account and financial data is retained for as long as your account is active. If you delete your account, all personal data is permanently removed within 30 days, except where we are legally required to retain certain records (e.g. invoices for tax purposes, typically 7 to 10 years depending on jurisdiction). Audit logs are retained for 12 months.

5. Who we share data with

We share personal data only with the following processors:

  • Stripe, Inc. — payment processing. Stripe is PCI DSS Level 1 certified. We never see or store your full card details.
  • MongoDB Atlas — managed database hosting. Data is stored in the region you select (EU or US).
  • Vercel, Inc. — application hosting and global edge delivery.
  • Google LLC — only if you choose to sign in with Google (we receive your email and basic profile).

We do not sell your personal data. We do not share it with advertising networks.

6. International transfers

If you select EU data residency, your data is stored in EU-based data centers. If you select US residency, it is stored in US data centers. Where data necessarily crosses borders (e.g. for payment processing through Stripe), transfers are protected by the EU-US Data Privacy Framework or equivalent Standard Contractual Clauses.

7. Your rights

Under GDPR (and similar laws in other jurisdictions) you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Delete your data (“right to be forgotten”)
  • Export your data in a portable format (CSV)
  • Object to certain processing
  • Withdraw consent at any time
  • Lodge a complaint with your local data-protection authority

To exercise any of these rights, email privacy@kostenx.com. We respond within 30 days.

8. California residents (CCPA)

If you are a California resident, you have the right to know what personal information we collect, request deletion, and opt out of any “sale” of personal information (we do not sell). Contact privacy@kostenx.com.

9. Security

Personal data is encrypted at rest (AES-256) and in transit (TLS 1.3). Passwords are hashed with bcrypt. We follow OWASP best practices and run regular security reviews. No system is perfectly secure — if you believe your account has been compromised, please email security@kostenx.com.

10. Children

Kostenx is not directed to children under 16. We do not knowingly collect personal data from anyone under 16.

11. Changes to this policy

We may update this policy from time to time. Material changes will be announced by email and on the dashboard at least 30 days before they take effect.

12. Contact

Questions? Email privacy@kostenx.com.