Privacy Policy

1. Information We Collect

1.1 Account Information (Minimal)

When you create an account, we collect only what is absolutely necessary:

• Email address: For authentication and account recovery
• User ID: A unique identifier generated automatically (UUID)
• Email verification status: Whether you've confirmed your email
• Account creation date: When you registered

We do NOT collect: Your name, address, phone number, date of birth, government ID, employment information, or any other personally identifiable information beyond email.

1.2 Financial Data (Encrypted Locally - We Cannot See This)

Your financial data is stored exclusively on your device using end-to-end encryption (AES-256-CBC with 100,000-iteration PBKDF2 key derivation):

• Transactions (income, expenses, transfers)
• Account balances (bank accounts, credit cards, investment accounts)
• Investment holdings (stocks, mutual funds, cost basis, unrealized gains)
• Financial goals and budgets
• Recurring transaction reminders
• Spending categories
• Notes and transaction descriptions
• Achievement progress and gamification data

This data never leaves your device unencrypted. We cannot access it, view it, or be compelled to hand it over to authorities because we do not possess it.

1.3 Reference Data (Public Information)

We provide reference data to help you track investments and convert currencies. This data includes:

• Currency exchange rates: From public APIs, cached on our servers for 7 days
• Stock prices and symbols: From Alpha Vantage API, cached for performance
• Stock symbols requested: We log which stock symbols you query (e.g., "AAPL", "MSFT") to fetch prices, but not quantities or purchase prices

Important: While we log which stock symbols you request prices for, we do not know how many shares you own, when you bought them, or what you paid. Your actual holdings remain encrypted on your device.

1.4 Subscription & Payment Information

If you subscribe to Pro tier or make a donation:

• Stripe Customer ID: Anonymous identifier for billing
• Subscription tier: Free, Pro Monthly, or Pro Annual
• Subscription status: Active, Grace Period, Canceled, Expired
• Payment amounts: Dollar amounts only (no card details - handled by Stripe)
• Subscription dates: Start date, renewal date, cancellation date

We do NOT store: Credit card numbers, CVV, billing addresses, or any payment credentials. These are handled exclusively by Stripe (PCI DSS Level 1 certified).

1.5 Usage Analytics (Anonymous)

On our landing page only (lekkalu.app), we collect anonymous usage data via self-hosted Plausible Analytics:

• Page views and navigation patterns (no cookies)
• Referral sources (where visitors came from)
• Device type and browser (aggregated)
• Geographic country (not precise location)

The PWA app itself (app.lekkalu.app) does NOT use analytics. We cannot see your app usage, feature usage, or financial behavior.

1.6 Technical & Security Data

For security and service operation, we may log:

• IP addresses: For rate limiting and abuse prevention (not linked to financial data)
• Login timestamps: When you accessed your account
• Device fingerprint: Browser type, OS (for multi-device logout detection)
• Firebase Cloud Messaging (FCM) tokens: For push notifications (opt-in)
• Error logs: Crash reports and bugs (no financial data included)

2. How We Use Your Information

We use the limited information we collect for the following purposes, in compliance with PIPEDA's Principle 2: Identifying Purposes:

2.1 Service Provision

• Authentication: Verify your identity when you log in
• Account recovery: Send password reset emails
• Reference data: Provide currency rates and stock prices
• Subscription management: Process Pro tier upgrades and renewals

2.2 Communication

• Email verification: Confirm your email address
• Security alerts: Notify you of suspicious activity
• Service updates: Inform you of policy changes or major features (rare)

2.3 Security & Abuse Prevention

• Fraud detection: Detect and prevent abuse, spam, or illegal activities
• Rate limiting: Prevent API abuse and DDoS attacks
• Multi-device logout: Detect when you delete your account on another device

2.4 Service Improvement

• Bug fixes: Identify and resolve technical issues
• Performance optimization: Improve speed and reliability
• Feature development: Understand which features are used (landing page analytics only)

2.5 What We DO NOT Do

We will NEVER:

• Sell your data to third parties
• Show you targeted advertising
• Share your email with marketers or data brokers
• Access your financial data (we can't - it's encrypted locally)
• Track your behavior across other websites
• Use your data for AI training or machine learning
• Use automated decision-making or profiling (GDPR Article 22)

3. Zero-Knowledge Architecture

Lekkalu is designed with privacy as the foundation. Here's the technical implementation:

3.1 Encryption Key Derivation (PBKDF2)

When you create an account, your password is used to generate an encryption key:

• Algorithm: PBKDF2-SHA256
• Iterations: 100,000 (OWASP 2023 recommendation)
• Salt: 128-bit random salt (unique per user, stored locally)
• Key length: 256 bits

Formula: Encryption Key = PBKDF2(Password + User ID, 100,000 iterations)

This key never leaves your device and is never transmitted to our servers.

3.2 Local Encryption (AES-256-CBC)

All financial data is encrypted before storage:

• Algorithm: AES-256-CBC (Advanced Encryption Standard)
• Initialization Vector (IV): Randomly generated for each record
• Padding: PKCS#7
• Storage location: IndexedDB (browser local storage)

Data is decrypted only when you're logged in and only in your browser's memory. It is immediately re-encrypted when stored.

3.3 No Server Storage of Financial Data

Your financial data never touches our servers:

• Transactions, balances, goals: Stay on your device
• Backup/export: Encrypted .lekkalu files (AES-256-CBC with SHA-256 checksum)
• Multi-device sync: Not currently available (planned for future release with end-to-end encryption)

3.4 What This Means for You

We cannot:

• See your transactions, account balances, or financial goals
• Recover your data if you forget your password
• Be forced to hand over your data to authorities (we don't have it)
• Be hacked for your financial information (it's not on our servers)
• Sell or share your financial data (we never possess it)

You must:

• Remember your password (we cannot recover it)
• Export backups regularly (we cannot restore data)
• Understand that data is device-specific (clearing browser data deletes it)

4. Data Storage & Local Storage Technologies

4.1 Where Your Data Lives

4.2 Local Storage Technologies (Cookie Law Compliance)

In compliance with the ePrivacy Directive and GDPR, we disclose our use of browser storage technologies:

4.2.1 IndexedDB (Strictly Necessary)

• Purpose: Store encrypted financial data locally
• Size: Up to 2GB per user (varies by browser)
• Consent required: NO (strictly necessary for service operation)
• Persistence: Until you delete your account or clear browser data

4.2.2 localStorage (Strictly Necessary + Preferences)

• Purpose: Store user preferences (theme, currency, language) and authentication tokens
• Data stored: Theme preference (dark/light), currency preference, last login timestamp, Zustand store snapshots
• Consent required: NO for authentication (strictly necessary); preferences assumed by continued use
• Persistence: Permanent until manually cleared

4.2.3 sessionStorage (Strictly Necessary)

• Purpose: Temporary session data (encryption key caching, form state)
• Consent required: NO (strictly necessary)
• Persistence: Deleted when browser tab is closed

4.2.4 Cookies (Minimal)

• Supabase authentication cookies: HttpOnly, Secure, SameSite=Lax (strictly necessary)
• No tracking cookies: We do not use advertising or analytics cookies in the app

Note: Under GDPR Article 5(3) and ePrivacy Directive Recital 66, strictly necessary storage (essential for service delivery) does not require consent. All our localStorage/IndexedDB usage falls under this exemption.

5. Third-Party Services

We use the following third-party services. Each is a data processor under GDPR Article 28:

5.1 Supabase (Authentication & Database)

• Purpose: User authentication, reference data storage (currency rates, stock prices)
• Data shared: Email, user ID, authentication tokens, subscription status
• Data NOT shared: Financial transactions, account balances, investment holdings
• Location: United States (SOC 2 Type 2 certified)
• Data Processing Agreement: supabase.com/legal/dpa
• Privacy policy: supabase.com/privacy

5.2 Stripe (Payment Processing)

• Purpose: Process Pro subscriptions and donations
• Data shared: Email, donation/subscription amount, Stripe customer ID
• Data NOT shared: Financial transactions, account balances
• Location: Global (PCI DSS Level 1 certified)
• Privacy policy: stripe.com/privacy

5.3 Alpha Vantage (Stock Price Data - Primary)

• Purpose: Fetch live stock prices for Pro users
• Data shared: Stock symbols only (e.g., "AAPL", "MSFT") - NOT quantities or holdings
• Data NOT shared: User identity, portfolio values, purchase prices
• Location: United States
• Privacy policy: alphavantage.co/privacy

5.4 Stooq (Stock & Currency Data - Fallback)

• Purpose: Fallback source for stock prices and currency exchange rates when primary APIs are unavailable
• Data shared: Stock symbols and currency pairs (e.g., "USD/EUR") - NOT quantities or holdings
• Data NOT shared: User identity, portfolio values, transaction amounts
• Location: Poland
• Privacy policy: stooq.com

5.5 Firebase Cloud Messaging (Push Notifications)

• Purpose: Send push notifications for reminders (opt-in only)
• Data shared: FCM device token (anonymous identifier)
• Data NOT shared: Financial data, notification content is generic
• Location: Global (Google infrastructure)
• Privacy policy: firebase.google.com/support/privacy

5.6 Resend (Email Delivery)

• Purpose: Send transactional emails (password reset, email verification)
• Data shared: Email address, verification links
• Location: United States
• Privacy policy: resend.com/legal/privacy-policy

5.7 Cloudflare (Hosting & CDN)

• Purpose: Host landing page, CDN, DDoS protection
• Data shared: IP address, page visits (anonymous)
• Location: Global edge network
• Privacy policy: cloudflare.com/privacypolicy

5.8 Web3Forms (Contact Form)

• Purpose: Contact form submission (landing page only)
• Data shared: Name, email, message (only if you contact us)
• Privacy policy: web3forms.com/privacy

5.9 Plausible Analytics (Landing Page Only)

• Purpose: Anonymous visitor analytics (landing page only, not the app)
• Data shared: Page views, referrers, country (no cookies, no personal data)
• Location: Self-hosted (Canada)
• Privacy policy: plausible.io/privacy

6. Your Rights (PIPEDA & GDPR)

Under Canada's PIPEDA and the EU's GDPR, you have the following rights:

6.1 Right to Access (PIPEDA Principle 9, GDPR Article 15)

You can access all your account data in Settings → Account. We will provide a copy of your data within 30 days of request.

6.2 Right to Correction (PIPEDA Principle 6, GDPR Article 16)

You can update your email address in Settings. Financial data can be edited directly in the app (it's stored locally).

6.3 Right to Deletion (GDPR Article 17 - "Right to be Forgotten")

You can delete your account at any time: Settings → Account → Delete Account. This permanently deletes:

• Email address and user ID from our servers
• Authentication credentials
• Subscription status (if applicable)
• All locally stored financial data from your device

Note: Deletion is permanent and irreversible. We cannot recover your data. Stripe payment records may be retained for legal/tax compliance (7 years).

6.4 Right to Data Portability (PIPEDA 2024 Amendment, GDPR Article 20)

You can export your data in machine-readable formats:

• Encrypted backup: .lekkalu file (AES-256-CBC encrypted JSON)
• CSV export: Unencrypted transactions for spreadsheets
• JSON export: Raw data for migration to other services

As of September 2024, PIPEDA mandates data portability. We fully comply.

6.5 Right to Restriction of Processing (GDPR Article 18)

You can restrict processing by:

• Disabling push notifications (Settings → Notifications)
• Not subscribing to Pro tier (no live price fetching)
• Exporting data and deleting your account

6.6 Right to Object (GDPR Article 21)

You can object to data processing by deleting your account or not using the service. We do not use your data for marketing or profiling.

6.7 Right to Withdraw Consent (PIPEDA Principle 3.5)

You can withdraw consent at any time by:

• Deleting your account (Settings → Account → Delete)
• Emailing us at privacy@lekkalu.app

Consequence of withdrawal: You will lose access to the service and all data will be deleted.

6.8 Right to Lodge a Complaint

You can file a complaint with:

• Canada: Office of the Privacy Commissioner of Canada (priv.gc.ca)
• EU: Your local Data Protection Authority (list of authorities)

7. US State Privacy Rights (CCPA, Virginia, Colorado, Connecticut, Utah)

If you are a resident of California, Virginia, Colorado, Connecticut, or Utah, you have additional rights under state privacy laws:

7.1 California Residents (CCPA/CPRA)

The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide specific rights:

Right to Know

You have the right to request disclosure of:

• Categories of personal information collected (see Section 1)
• Sources of personal information (user input, Supabase Auth)
• Business/commercial purpose for collecting (service provision)
• Categories of third parties with whom we share data (see Section 5)
• Specific pieces of personal information (available in Settings)

Right to Delete

You can request deletion of your personal information by deleting your account (Settings → Account → Delete). We will delete your data within 30 days, except where retention is required by law (e.g., Stripe payment records for 7 years).

Right to Opt-Out of Sale/Sharing

Right to Correct Inaccurate Information

You can update your email address in Settings. Financial data can be corrected directly in the app (stored locally on your device).

Right to Limit Use of Sensitive Personal Information

We do NOT collect sensitive personal information as defined by CCPA (precise geolocation, biometric data for identification, health data, financial account credentials, etc.). Your financial transaction data is encrypted locally on your device and never sent to our servers.

Right to Non-Discrimination

We will NOT discriminate against you for exercising any of your CCPA rights. You will NOT:

• Be denied access to the Service
• Be charged different prices or rates
• Receive a different level or quality of service

California "Shine the Light" Law

California Civil Code Section 1798.83 permits California residents to request information about disclosure of personal information to third parties for direct marketing purposes. We do NOT disclose personal information to third parties for direct marketing.

7.2 Virginia, Colorado, Connecticut, Utah Residents

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Utah (UCPA) have similar rights:

• Right to Access: Request personal data we process (available in Settings)
• Right to Deletion: Delete your account and all associated data
• Right to Correction: Update inaccurate information
• Right to Data Portability: Export your data in machine-readable format (JSON, CSV)
• Right to Opt-Out of Targeted Advertising: We do NOT engage in targeted advertising (no opt-out needed)
• Right to Opt-Out of Sale: We do NOT sell personal data (no opt-out needed)
• Right to Opt-Out of Profiling: We do NOT engage in profiling or automated decision-making (see Section 13)

7.3 How to Exercise Your US State Privacy Rights

To exercise any of the above rights:

• Email us: privacy@lekkalu.app with subject "US Privacy Rights Request"
• In-app: Settings → Account → Privacy Rights
• Response time: We will respond within 45 days (extendable by 45 days if complex)
• Verification: We may request information to verify your identity (email confirmation, account login)

7.4 Authorized Agents (California)

California residents may designate an authorized agent to submit requests on their behalf. The agent must:

• Provide written authorization signed by you
• Verify their own identity
• We may still require you to verify your identity directly

8. Consent & Withdrawal

8.1 How We Obtain Consent (PIPEDA Principle 3)

We obtain your consent in the following ways:

• Account creation: By creating an account, you consent to this Privacy Policy
• Pro subscription: By subscribing, you consent to payment processing via Stripe
• Push notifications: Explicit opt-in when you enable notifications
• Email communication: Transactional emails (no marketing)

8.2 Meaningful Consent (2024 PIPEDA Standard)

Following the 2024 Federal Court ruling on "meaningful consent," we ensure:

• Consent is informed (you understand what you're consenting to)
• Consent is specific (granular for different purposes)
• Consent is voluntary (not coerced or bundled)
• You can withdraw consent at any time

8.3 How to Withdraw Consent

You can withdraw consent by:

• Account deletion: Settings → Account → Delete Account
• Email request: Send a request to privacy@lekkalu.app
• Push notifications: Disable in Settings → Notifications

We will process withdrawal requests within 30 days and confirm via email.

9. Security Measures (PIPEDA Principle 7)

We implement industry-standard security measures:

9.1 Encryption

• At rest: AES-256-CBC for financial data (100,000-iteration PBKDF2 key derivation)
• In transit: TLS 1.3 for all network communications
• Backups: Encrypted .lekkalu files with SHA-256 checksums

9.2 Authentication & Access Control

• Password hashing: bcrypt with salt (Supabase Auth)
• Session tokens: JWT with 15-day expiration
• PIN unlock: Optional convenience feature (not a security replacement)
• Row-level security: Database policies enforce user isolation

9.3 Application Security

• Input sanitization: DOMPurify prevents XSS attacks
• CSRF protection: Same-origin policy enforcement
• Rate limiting: 30 searches/minute, 5 exports/hour
• Content Security Policy (CSP): Restricts script execution

9.4 Infrastructure Security

• Supabase: SOC 2 Type 2 certified, ISO 27001
• Stripe: PCI DSS Level 1 certified
• Cloudflare: DDoS protection, WAF (Web Application Firewall)

9.5 Limitations

No system is 100% secure. We cannot protect against:

• Browser malware: Keyloggers or malicious extensions
• Phishing attacks: Social engineering
• Device theft: If your device is unlocked
• Password reuse: Using the same password elsewhere

9.6 Reporting Vulnerabilities

If you discover a security vulnerability, please report it responsibly:

• Email: security@lekkalu.app
• Timeline: We aim to respond within 48 hours
• Disclosure: We will coordinate public disclosure with you

10. Data Portability (PIPEDA 2024, GDPR Article 20)

As of September 2024, PIPEDA mandates data portability. You have the right to receive your personal data in a structured, commonly used, and machine-readable format.

10.1 How to Export Your Data

Go to Settings → Backup & Export. Choose from:

• Encrypted backup (.lekkalu): AES-256-CBC encrypted JSON file with SHA-256 checksum
• CSV export: Transactions in spreadsheet-compatible format
• JSON export: Raw data for migration to other services

10.2 What's Included

Exports include all data you created:

• Transactions (all fields: amount, date, category, notes)
• Accounts (name, type, balance, currency)
• Investment holdings (symbol, quantity, cost basis)
• Goals (name, target, current progress)
• Reminders (recurring transactions, due dates)
• Categories (custom categories you created)
• Achievements (progress, unlock dates)

10.3 What's NOT Included

• Password (we never store plaintext passwords)
• Reference data (currency rates, stock prices - publicly available)
• Subscription payment history (available in Stripe Customer Portal)

11. Data Breach Notification (PIPEDA, GDPR Article 33)

11.1 Notification Timeline

In the event of a data breach that poses a risk to your rights and freedoms:

• GDPR: We will notify authorities within 72 hours (48 hours for critical sectors)
• PIPEDA: We will notify the Privacy Commissioner of Canada "as soon as feasible"
• You: We will notify affected users within 72 hours via email

11.2 What We Will Disclose

Breach notifications will include:

• Nature of the breach (what data was affected)
• When the breach occurred (if known)
• Steps we're taking to mitigate harm
• Recommended actions for you (e.g., change password)
• Contact information for inquiries

11.3 Your Financial Data is Protected

Important: Because your financial data is encrypted locally and never transmitted to our servers, a server breach would not expose your transactions, balances, or investment holdings. Only your email address and subscription status could be affected.

12. International Data Transfers (GDPR Chapter V)

Some of our service providers are located outside Canada and the EU. Here's how we ensure your data is protected:

12.1 Data Transfer Mechanisms

• Supabase (US): Standard Contractual Clauses (SCCs) under GDPR Article 46
• Stripe (US): EU-U.S. Data Privacy Framework (DPF), Standard Contractual Clauses (SCCs)
• Firebase (US): EU-U.S. Data Privacy Framework (DPF), Standard Contractual Clauses (SCCs)

12.2 EU-U.S. Data Privacy Framework

For transfers to the United States, we rely on the EU-U.S. Data Privacy Framework (DPF), adopted in July 2023. This framework:

• Replaced the invalidated Privacy Shield framework (invalidated by EU Court in Schrems II, 2020)
• Provides adequacy decision for data transfers to certified U.S. companies
• Includes enhanced protections for EU citizens' data
• Requires annual recertification of participating companies
• Grants EU citizens enforceable rights under U.S. law

Verify certifications: You can check if a company participates in the DPF at dataprivacyframework.gov/list

12.3 Your Explicit Consent

By using Lekkalu, you explicitly consent to:

• Transfer of your email and user ID to Supabase servers in the United States
• Transfer of payment data to Stripe (global infrastructure, DPF-certified)
• Transfer of stock symbol requests to Alpha Vantage (US)
• Transfer of FCM tokens to Firebase (Google Cloud, DPF-certified)

Note: Your financial data (transactions, balances) remains on your device and is never transferred internationally.

13. Automated Decision-Making & AI

13.1 What We Do NOT Do (GDPR Article 22, CCPA/CPRA)

We do NOT engage in:

• Automated decision-making: No automated decisions that significantly affect you (credit scoring, loan approvals, insurance pricing, etc.)
• Profiling: No automated processing to predict your behavior, preferences, financial situation, or creditworthiness
• AI-based recommendations: No AI suggesting investments, financial products, or spending changes
• Predictive analytics: No machine learning models predicting your future income, expenses, or financial outcomes
• Behavioral targeting: No advertising, marketing, or content personalization based on behavioral analysis
• AI training on your data: We NEVER use your financial data to train AI/ML models

13.2 What We DO Use

The only "automated processing" we perform is:

• Mathematical calculations: Totals, averages, percentages, net worth (basic arithmetic based on your input)
• Sorting and filtering: Organizing transactions by date, category, amount (no AI involved)
• Currency conversion: Converting amounts between currencies using public exchange rates (simple multiplication)
• Portfolio valuation: Calculating investment values using current stock prices (quantity × price, no AI)
• Budget tracking: Comparing actual spending to your manually set budgets (simple comparison)

These are deterministic calculations (same input = same output) and do NOT constitute automated decision-making or profiling under GDPR/CCPA.

13.3 Your Right to Object (GDPR Article 22)

Under GDPR, you have the right NOT to be subject to automated decision-making or profiling that produces legal or similarly significant effects. Since we do not engage in such processing, no objection is necessary.

If we ever introduce AI-based features in the future (e.g., spending predictions, investment recommendations), we will:

• Notify you explicitly via email and in-app announcement
• Make such features strictly opt-in (disabled by default)
• Provide transparency about how AI models work
• Allow you to opt-out or request human review at any time
• Update this Privacy Policy with AI-specific disclosures

13.4 Third-Party AI/ML Processing

Our third-party providers (Supabase, Stripe, Firebase, Alpha Vantage) may use AI/ML for their own internal purposes (fraud detection, spam filtering, service optimization), but:

• They do NOT have access to your encrypted financial data (transactions, balances, investments)
• They only process minimal data necessary for service provision (email, user ID, authentication tokens)
• Their use of AI/ML is governed by their own privacy policies (see Section 5)

14. Biometric Data

14.1 What is Biometric Data?

Biometric data refers to personal data resulting from technical processing of an individual's physical, physiological, or behavioral characteristics that uniquely identify them, such as:

• Fingerprints or handprints
• Facial recognition data (facial geometry, facial templates)
• Voice recognition patterns (voiceprints)
• Iris or retina scans
• DNA or genetic information
• Gait analysis or typing patterns
• Heart rate or other health biometrics

14.2 Device Biometric Authentication (Local Only)

Some users may choose to use device-level biometric authentication (fingerprint unlock, Face ID, Windows Hello) to access Lekkalu. Important clarifications:

• Device-managed: Biometric authentication is handled entirely by your device's operating system (iOS, Android, Windows, macOS)
• Never transmitted: Biometric data NEVER leaves your device or reaches Lekkalu servers
• No access: Lekkalu does NOT have access to your biometric data (fingerprints, face scans, etc.)
• No storage: We do NOT store biometric data in IndexedDB or any local storage
• Optional feature: You are not required to use biometric authentication (password/PIN alternatives available)

How it works: When you enable biometric unlock, your device verifies your identity locally and then grants Lekkalu access to your encrypted financial data (stored in IndexedDB). The biometric data itself is managed by Apple, Google, Microsoft, or your device manufacturer under their respective privacy policies.

14.3 Illinois BIPA Compliance

The Illinois Biometric Information Privacy Act (BIPA) is one of the strictest biometric privacy laws. Since Lekkalu does NOT collect, capture, purchase, receive, or otherwise obtain biometric identifiers or biometric information, BIPA does NOT apply.

14.4 Future Biometric Features

If we ever introduce biometric features in the future (e.g., app-level fingerprint authentication managed by Lekkalu rather than the device), we will:

• Obtain your explicit, informed written consent (as required by BIPA and GDPR)
• Disclose the purpose and duration of biometric data storage
• Allow you to opt-out or delete biometric data at any time
• Comply with all applicable biometric privacy laws (BIPA, CCPA, GDPR, Texas Capture or Use of Biometric Identifier Act, Washington HB 1493)
• Update this Privacy Policy with detailed biometric disclosures

15. Children's Privacy (COPPA, GDPR Article 8)

Lekkalu is not intended for children under 13 years old (US) or 16 years old (EU). We do not knowingly collect information from children.

If you are a parent or guardian and believe your child has created an account, please contact us at privacy@lekkalu.app. We will delete the account within 48 hours.

16. Data Retention (PIPEDA Principle 4.5)

16.1 Financial Data (Your Device)

• Retention: Indefinite (until you delete it)
• Location: Your device (IndexedDB)
• Note: Transactions older than 2 years are archived to a separate table for performance, but remain accessible

16.2 Account Data (Our Servers)

• Retention: Until you delete your account
• Includes: Email, user ID, authentication tokens
• Deletion: Permanent within 24 hours of account deletion

16.3 Subscription & Payment Data

• Retention: 7 years (legal/tax compliance)
• Location: Stripe (payment processor)
• Note: Even after account deletion, Stripe retains payment records for regulatory compliance

16.4 Reference Data (Prices, Currencies)

• Retention: 7 days (cache TTL)
• Location: Supabase
• Automatically refreshed: When cache expires

17. Changes to This Policy

We may update this Privacy Policy from time to time. Significant changes will be communicated as follows:

• Email notification: Sent to all registered users
• In-app notification: Prominent banner when you log in
• "Last updated" date: Updated at the top of this page

Continued use of Lekkalu after changes constitutes acceptance of the updated policy. If you do not agree to changes, you may delete your account.

We will archive previous versions of this policy at /privacy-history (coming soon).

18. Contact Us

For privacy-related inquiries, data requests, or complaints:

• Privacy inquiries: privacy@lekkalu.app
• Security vulnerabilities: security@lekkalu.app
• General support: support@lekkalu.app
• Website: lekkalu.app

Response time: We aim to respond to all privacy requests within 30 days (as required by PIPEDA and GDPR).