Privacy Policy
Last updated: 2026-05-06
1. Introduction
Kronvis("the Service") is a personal finance tracking application. This privacy policy explains, in line with the EU General Data Protection Regulation (GDPR, Regulation 2016/679), who is responsible for your data, what we process, why, on what legal basis, and what rights you have.
Your data is never sold, shared with third parties, or used for advertising. It is used solely to power the features of the Service.
2. Data Controller
The data controller responsible for personal data processed by the Service is:
- Name: Scott Jacobs (sole trader / enskild firma)
- Address: Bäverdammsgränd 174, Bandhagen, Stockholm, 12463
- Email: [email protected]
3. Data We Collect
Account Information
- Name and email address (account identification, login, and account-related communication)
- Password (stored only as a bcrypt hash; the plaintext password is never stored or visible to us)
- Optional TOTP secret and backup codes if you enable two-factor authentication
Financial Data You Enter
- Financial account names, types, and balances you record
- Income sources, amounts, and frequencies
- Expense categories and estimated amounts
- Transactions (amounts, dates, descriptions, categorisation)
- Receipt images you upload
Technical Data
- IP address (used in-memory for rate limiting; not retained long-term)
- Session and CSRF tokens (authentication; cookie-based)
- UI preference cookies (`locale`, `theme`)
- Server logs of errors and security-relevant events
4. Purposes and Legal Basis
We process personal data only for the following purposes, and only on the legal bases listed:
| Purpose | Categories | Legal basis (GDPR Art. 6) |
|---|---|---|
| Providing the financial tracking, forecasting, and history features you sign up for | Account info, financial data | (b) Performance of a contract |
| Authentication, password reset, email verification | Account info, technical data | (b) Performance of a contract |
| Security, abuse prevention, rate limiting, fraud detection | Technical data, server logs | (f) Legitimate interests (operating a secure service) |
| Responding to your support, contact, or data-subject requests | Account info, message content | (b) / (c) Contract / legal obligation |
| Future optional integrations (e.g. Open Banking) | Bank account/transaction data | (a) Consent — explicit opt-in only |
5. Sub-Processors
We use the following sub-processors to operate the Service. Each is bound by a written data processing agreement and processes data only on our documented instructions:
| Provider | Purpose | Country | Transfer safeguard |
|---|---|---|---|
| Railway Corp. | Application hosting and PostgreSQL database | United States | EU SCCs (2021/914) |
| Resend, Inc. | Transactional email (verification, password reset) | United States | EU SCCs (2021/914) |
| Cloudflare, Inc. | DNS, edge TLS, DDoS protection (when proxied) | United States | EU SCCs (2021/914) |
6. International Transfers
Some of our sub-processors are located in the United States. Where we transfer personal data outside the EU/EEA, we rely on the European Commission's Standard Contractual Clauses (Implementing Decision 2021/914) plus, where appropriate, supplementary technical measures (encryption at rest with per-user keys, encrypted transport). We have performed a transfer impact assessment for each provider and are satisfied that the transfers provide an essentially equivalent level of protection.
7. Retention
We retain personal data only as long as necessary for the purpose it was collected:
| Category | Retention |
|---|---|
| Active account data (income, expenses, transactions, receipts) | For the lifetime of your account |
| Inactive accounts (no login) | Warning email at 24 months, deletion at 30 months |
| Demo accounts | Auto-deleted 24 hours after creation |
| Password reset tokens | 1 hour, then expired and removed |
| Encrypted database backups | 30 days, then overwritten |
| Account on user-initiated deletion | Removed immediately; backups age out within 30 days |
8. Security Measures
- Encryption at rest: Sensitive fields (names, email, account names, transaction descriptions, receipts) are encrypted with AES-256-GCM using a per-user data encryption key.
- Password hashing: bcrypt at cost factor 12.
- Optional 2FA: TOTP-based two-factor authentication.
- Session security: JWT-based sessions, CSRF protection, route-level authorisation, and rate limiting.
- Transport: TLS 1.2+ for all connections.
9. Your Rights
Under GDPR, you have the right to:
- Accessyour data (Settings > Export Data, or email us)
- Rectify inaccurate data (edit it in the app)
- Eraseyour data (Settings > Delete Account, or email us)
- Portability — export in a machine-readable JSON format
- Restrict or object to specific processing
- Withdraw consent for any consent-based processing at any time
To exercise these rights, email [email protected]. We respond within 30 days.
10. Right to Lodge a Complaint
If you believe our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the Swedish data protection authority, Integritetsskyddsmyndigheten (IMY), or with the supervisory authority in your EU/EEA country of residence.
11. Cookies
We set only cookies that are strictly necessary to provide the Service: an authentication session cookie, a CSRF token, a `locale` preference cookie, and a `theme` preference cookie. Under the Swedish ePrivacy implementation (LEK 6 kap. 18 §) and EU guidance, strictly necessary cookies do not require consent. We do not use analytics, advertising, tracking pixels, or any third-party cookies.
12. Children
The Service is not intended for individuals under 18. We do not knowingly collect personal data from children. If you believe a child has provided data, contact us and we will delete it.
13. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated through the Service. The "last updated" date at the top of this page reflects the most recent revision.
14. Contact
For privacy questions or data-subject requests, email [email protected].