Privacy Policy & Legal Notice

Information obligation according to § 5 E-Commerce Act (ECG), § 25 Media Act (MedienG) and Art. 13/14 GDPR:

• Operator: Saman Mojgani
• Location: Vienna, Austria
• Address: Will be added before commercial launch
• Contact: samanmojgani@gmail.com
• Legal form: Private individual (pre-launch phase)

This application is currently in a closed beta testing phase and is not yet commercially available.

The data controller within the meaning of the General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG) is:

• Saman Mojgani, Vienna, Austria
• Email: samanmojgani@gmail.com

If you have questions about data protection, please contact us at the email address above.

We process your personal data on the following legal bases:

• Contract performance (Art. 6(1)(b) GDPR) — to provide the PEQORA service, manage your account, and process transactions you enter
• Consent (Art. 6(1)(a) GDPR) — for optional features like AI-powered financial analysis
• Legitimate interest (Art. 6(1)(f) GDPR) — for security measures, error diagnosis, and service improvement
• Legal obligation (Art. 6(1)(c) GDPR) — to comply with legal requirements such as tax retention obligations

We collect only what is necessary to provide the service:

• Account data: email address, display name (provided during signup)
• Financial data: transactions, budgets, savings goals, and categories you enter
• Onboarding data: monthly income, living situation, household size (used solely for budget recommendations)
• Subscription data: billing plan and Stripe customer ID (no card numbers — Stripe handles those)
• Usage data: basic server logs (IP address, timestamps) for security and debugging

We do not collect or sell advertising data, browsing history, or behavioral profiles. We do not use tracking technologies (no Google Analytics, no Facebook Pixel, no third-party cookies).

• To provide, operate and improve the PEQORA service
• To generate personalized budget recommendations during onboarding
• To send transactional emails (signup confirmation, password reset)
• To process payments via Stripe
• To respond to support requests
• AI analysis (optional, Pro plan only): your financial data summary is sent to the Anthropic API to generate personalized tips — no raw transaction data is shared, only aggregated summaries

We never sell your data to third parties. We never use your financial data for advertising purposes.

Your data is stored in a PostgreSQL database hosted by Supabase (servers in the EU). All data is encrypted at rest and in transit (TLS/SSL). Authentication uses industry-standard bcrypt password hashing. We apply the principle of least privilege — only services that need your data can access it.

We use the following third-party processors to provide our service:

• Supabase Inc. (USA, EU servers) — database hosting and authentication — Privacy Policy: supabase.com/privacy
• Stripe Inc. (USA) — payment processing (we never store card numbers) — Privacy Policy: stripe.com/privacy
• Resend Inc. (USA) — transactional email delivery — Privacy Policy: resend.com/legal/privacy-policy
• Vercel Inc. (USA) — application hosting and edge infrastructure — Privacy Policy: vercel.com/legal/privacy-policy
• Anthropic PBC (USA) — AI analysis and receipt OCR (Pro plan only, aggregated data only) — Privacy Policy: anthropic.com/privacy
• GoCardless Ltd (UK/EU) — Open Banking connections for bank account sync (Business plan only) — Privacy Policy: gocardless.com/privacy

All processors are GDPR-compliant and have signed Standard Contractual Clauses (SCCs) for international data transfer. Data transfer to the USA is based on the EU-US Data Privacy Framework and/or SCCs in accordance with Art. 46 GDPR.

PEQORA does not use automated decision-making or profiling that produces legal effects concerning you. The AI-powered insights feature generates suggestions based on your aggregated financial data but does not make binding decisions. The Financial Health Score is a purely informational indicator calculated from your savings rate, budget adherence, and goal progress — it has no legal or similarly significant effect.

When you use the receipt scanner feature (Pro plan), images of your receipts are temporarily uploaded to our servers and sent to the Anthropic API for text extraction (OCR). The extracted text is used to pre-fill transaction data. Receipt images are stored in your account and can be deleted at any time. We do not use your receipt images for training AI models or any purpose other than providing you with the OCR service.

Some of our processors are based in the USA. The transfer of personal data to the USA is carried out on the basis of the EU-US Data Privacy Framework (DPF) and/or Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR. We ensure that all processors maintain an adequate level of data protection.

We store your data only as long as necessary:

• Account data: until you delete your account
• Financial data (transactions, budgets, goals): until you delete your account
• Server logs: maximum 30 days
• Payment data at Stripe: according to Stripe's retention policy and legal obligations (up to 7 years for tax purposes)

When you delete your account (Settings → Account), all your data is permanently and irrevocably deleted from our database.

Under GDPR and Austrian DSG, you have the following rights:

• Right of access (Art. 15) — export all your data anytime from Settings → Export
• Right to rectification (Art. 16) — update your profile in Settings → Profile
• Right to erasure (Art. 17) — delete your account and all data from Settings → Account
• Right to data portability (Art. 20) — download your data as CSV or JSON at any time
• Right to restriction of processing (Art. 18) — contact us to restrict processing
• Right to object (Art. 21) — you can object to processing based on legitimate interest at any time
• Right to withdraw consent (Art. 7(3)) — you can withdraw consent at any time (e.g., for AI analysis) without affecting the lawfulness of prior processing

To exercise your rights, contact us at samanmojgani@gmail.com. We will respond within 30 days.

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the competent supervisory authority:

• Österreichische Datenschutzbehörde (Austrian Data Protection Authority)
• Barichgasse 40-42, 1030 Vienna, Austria
• Phone: +43 1 52 152-0
• Email: dsb@dsb.gv.at
• Website: dsb.gv.at

We use only technically necessary cookies required for authentication and your language/theme preference. We do not use tracking cookies, analytics cookies, or third-party advertising cookies. No cookie consent banner is required as we only use essential cookies (§ 165(3) TKG 2021).

PEQORA is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided us personal data, contact us to have it deleted.

We may update this policy from time to time. Registered users will be notified by email for material changes. The "Last updated" date at the top of this page always reflects the current version.