Privacy Policy
Last updated: January 13, 2026
Thank you for choosing to be part of our community at KeepKonto. We are a privately held digital service committed to protecting your personal information and your right to privacy. If you have any questions or concerns about this privacy policy or our practices with regard to your personal information, please contact us at .
This privacy policy describes how we collect, use, store, and share your information when you use our financial tracking application available at our website. In this privacy policy, "Website" or "Services" refers to KeepKonto and all related services.
Please read this privacy policy carefully, as it will help you understand what we do with the information that we collect. If there are any terms in this privacy policy that you do not agree with, please discontinue use of our Services immediately.
KeepKonto is built with a strong commitment to user privacy and data minimization. Our goal is to allow users to manage their finances without being identified and without providing unnecessary personal information.
Personal Data We Do NOT Collect
We do not request, collect, or process the following types of personal data:
- First name or last name
- Physical or postal address
- Date of birth
- Phone number
- Government-issued identifiers
- Banking credentials or payment card details
- Any information that directly identifies a user as a real-world individual
We do not know who our users are, and we have no intention of identifying them.
Anonymous Use of Financial Data
KeepKonto allows users to manage personal financial information, including but not limited to:
- Tracking expenses and income
- Calculating daily, monthly, and yearly totals
- Viewing summaries and financial insights
All financial data entered into the Service is user-generated, self-managed, and not linked to real-world identity. This data is processed only to provide the core functionality of the Service. It is not used for advertising, profiling, behavioral tracking, or any form of marketing analysis.
Email Address Collection and Purpose
The only personal data required to use KeepKonto is an email address.
The email address is collected and processed exclusively for the following purposes:
- User authentication and account access
- Allowing users to return to their account
- Secure synchronization of user data across multiple devices
- Essential service-related communications (such as security or system notices)
Email addresses are NOT used for:
- Advertising or promotional campaigns
- Marketing communications
- Sale or sharing with third parties
No Intention to Identify Users
KeepKonto is intentionally designed to operate without identifying users.
We do not attempt to:
- Link financial data to real-world identities
- Enrich user data with external sources
- Perform identity profiling or tracking
Users remain fully in control of the information they choose to enter into the Service.
Personal Information You Provide to Us
We collect personal information that you voluntarily provide to us when you register for an account, use the Website, or otherwise contact us.
The personal information we collect includes:
- Email address (required for account creation and authentication)
- Password (encrypted and securely stored by our authentication provider)
- Financial data including expenses, income, accounts, and categories you create
- Transaction details including amounts, dates, descriptions, payment methods, and notes
- Account balances and currency preferences
Important: We do not support Yahoo email addresses for registration due to technical limitations with email delivery.
Information Automatically Collected
We automatically collect certain information when you visit, use, or navigate the Website. This information does not reveal your specific identity but may include device and usage information:
- IP address and general location data
- Browser type and version
- Device characteristics and operating system
- Log and usage data (pages visited, features used, time spent, referring URLs, access times and dates)
- Device identifiers and cookies
This information is primarily needed to maintain the security and operation of our Website, and for our internal analytics and reporting purposes.
We process your personal information for a variety of reasons, depending on how you interact with our Services, including:
- To facilitate account creation and authentication: We use your email address and password to create and secure your account through Supabase Auth
- To deliver and facilitate delivery of services: Process and store your financial data to provide expense tracking, income management, and financial insights
- To respond to user inquiries and offer support: Contact you regarding your account or technical issues
- To send administrative information: Security alerts, password reset emails, and account notifications
- To protect our Services: Monitor for suspicious activity, prevent fraud, and enforce our Terms of Service
- To analyze usage patterns: Understand how users interact with our application to improve user experience
- To comply with legal obligations: Respond to legal requests and prevent harm
If you are located in the EU or UK:
The General Data Protection Regulation (GDPR) and UK GDPR require us to explain the valid legal bases we rely on to process your personal information. We may rely on the following legal bases:
- Consent: We may process your information if you have given us permission (i.e., consent) to use your personal information for a specific purpose. You can withdraw your consent at any time.
- Performance of a Contract: We may process your personal information when we believe it is necessary to fulfill our contractual obligations to you, including providing our Services.
- Legal Obligations: We may process your information where we are legally required to do so to comply with applicable law.
- Vital Interests: We may process your information where we believe it is necessary to protect your vital interests or the vital interests of a third party.
- Legitimate Interests: We may process your information when we believe it is reasonably necessary to achieve our legitimate business interests and those interests do not outweigh your interests and fundamental rights and freedoms.
We may share your personal information in the following situations:
- Service Providers: We share your information with third-party vendors, service providers, and contractors who perform services for us (such as hosting, authentication, and analytics)
- Business Transfers: We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition
- Legal Obligations: We may disclose your information where we are legally required to do so to comply with applicable law, governmental requests, or legal process
- Vital Interests and Legal Rights: We may disclose your information where we believe it is necessary to investigate, prevent, or take action regarding potential violations of our policies, suspected fraud, or situations involving potential threats
We do not sell, rent, or share your personal information with third parties for their own marketing purposes.
5.1 Supabase (Authentication and Database)
We use Supabase, an open-source Firebase alternative, for authentication services and database hosting. Supabase processes your email address and encrypted password for account creation and authentication.
Authentication Method: Email and password authentication with email verification. When you sign up, we send you a confirmation email with a verification link. Your session is maintained securely using HTTP-only cookies managed by Supabase Auth.
Data Storage: All your financial data (expenses, income, accounts, transactions) is stored on Supabase's secure infrastructure with encryption at rest and in transit. Row Level Security (RLS) policies ensure that you can only access your own data.
For more information about Supabase's security and privacy practices, see the Supabase Privacy Policy.
5.2 Google Analytics
We use Google Analytics to analyze website traffic and understand how visitors interact with our Website. Google Analytics uses cookies to collect anonymized information about your usage patterns. This helps us improve our application and user experience. Google Analytics does not identify individual users or associate your IP address with any other data held by Google. Learn more in the Google Privacy Policy.
5.3 Vercel (Hosting and Analytics)
Our application is hosted on Vercel's infrastructure. Vercel may collect technical information such as IP addresses, browser types, and access logs for operational purposes, security, and performance monitoring. Vercel Analytics provides us with anonymized usage metrics and performance data. For more information, see the Vercel Privacy Policy.
Cookies are small text files that are placed on your device when you visit a website. They are widely used to make websites work more efficiently, provide a better user experience, and provide information to the owners of the site.
6.1 Essential Cookies
These cookies are necessary for the website to function properly. They enable core functionality such as security, authentication, and accessibility.
Authentication Cookies (Supabase)
- Purpose: Maintain your logged-in session and verify your identity
- Duration: Session or persistent (based on your login preferences)
- Provider: Supabase
- Cookie names: sb-[project-ref]-auth-token (contains encrypted session data managed by Supabase Auth)
Cookie Consent
- Purpose: Store your cookie preferences
- Duration: 1 year
- Cookie name: cookie-consent
6.2 Analytics Cookies
These cookies help us understand how visitors interact with our website by collecting and reporting information anonymously.
Google Analytics
- Purpose: Track website usage, page views, and user interactions to generate analytics reports
- Duration: Up to 2 years
- Cookie names: _ga (client ID), _gid (session ID), _gat (throttling requests)
- Provider: Google LLC
- Data collected: Anonymized usage patterns, page views, session duration, device type
- GDPR Compliance: Google Analytics is configured to anonymize IP addresses and respect user privacy preferences. EU users can opt out at any time.
Vercel Analytics
- Purpose: Collect anonymized performance and usage metrics
- Duration: Session
- Provider: Vercel Inc.
6.3 Performance Cookies
These cookies collect information about how you use our website, helping us improve performance and user experience.
Vercel Speed Insights
- Purpose: Monitor page load times and performance metrics
- Duration: Session
- Provider: Vercel Inc.
6.4 Managing Cookies and GDPR Compliance
For EU Users: In compliance with GDPR, we request your consent before placing non-essential cookies (such as analytics cookies) on your device. You can manage your cookie preferences at any time through our cookie banner or browser settings.
Most web browsers allow you to control cookies through their settings. You can:
- View what cookies are stored and delete them individually
- Block third-party cookies (such as Google Analytics)
- Block cookies from specific sites
- Block all cookies
- Delete all cookies when you close your browser
You can opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on.
Note: Blocking or deleting essential cookies (such as authentication cookies) will prevent you from logging in and using Keep Konto. Analytics and performance cookies can be blocked without affecting core functionality.
We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process:
- All data is encrypted in transit using HTTPS/TLS (Transport Layer Security)
- Database encryption at rest through Supabase's secure infrastructure
- Secure password hashing using industry-standard algorithms (bcrypt)
- Row-Level Security (RLS) policies enforce data isolation - users can only access their own financial data
- Email verification required for account creation
- Session tokens stored in HTTP-only cookies to prevent XSS attacks
- Regular security updates and monitoring of our infrastructure
However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security.
We will only keep your personal information for as long as it is necessary for the purposes set out in this privacy policy, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements).
Data Retention: User data is stored only for as long as the account remains active or as necessary to provide the Service. Users may request deletion of their account and associated data at any time. Upon deletion, all related data will be permanently removed from our systems within 30 days, except where retention is required by applicable law.
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize such information. You may delete your account at any time through your account settings, which will result in the permanent deletion of your personal data and all associated financial records.
If you are located in the EEA, UK, or Switzerland:
You have certain rights under the General Data Protection Regulation (GDPR) regarding your personal information:
- Right of Access: You have the right to request copies of your personal information
- Right to Rectification: You have the right to request that we correct any information you believe is inaccurate or complete information you believe is incomplete
- Right to Erasure: You have the right to request that we erase your personal data, under certain conditions
- Right to Restrict Processing: You have the right to request that we restrict the processing of your personal data, under certain conditions
- Right to Object to Processing: You have the right to object to our processing of your personal data, under certain conditions
- Right to Data Portability: You have the right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions
If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please contact us using the information provided at the end of this policy.
If you are a resident in the EEA or UK and you believe we are unlawfully processing your personal information, you also have the right to complain to your local data protection supervisory authority. You can find their contact details here: EU Data Protection Authorities.
Our servers are located in the United States. If you are accessing our Services from outside the United States, please be aware that your information may be transferred to, stored, and processed by us in our facilities and by those third parties with whom we may share your personal information (see "When and With Whom Do We Share Your Personal Information?" above).
If you are a resident in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, these countries may not necessarily have data protection laws or other similar laws as comprehensive as those in your country. However, we will take all necessary measures to protect your personal information in accordance with this privacy policy and applicable law, including the use of Standard Contractual Clauses approved by the European Commission where appropriate.
Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track ("DNT") feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage, no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this privacy policy.
We may update this privacy policy from time to time in order to reflect changes to our practices or for other operational, legal, or regulatory reasons. The updated version will be indicated by an updated "Last updated" date at the top of this privacy policy. If we make material changes to this privacy policy, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this privacy policy frequently to be informed of how we are protecting your information.
If you have questions or comments about this privacy policy, or if you wish to exercise your privacy rights, please contact us:
Keep Konto
Privacy Inquiries
Email:
Based on the applicable laws of your country, you may have the right to request access to the personal information we collect from you, change that information, or delete it in some circumstances.
You can review and update most of your personal information directly through your account settings within the Keep Konto dashboard.
Account and Data Deletion Requests
To request deletion of your account and all associated data (including your email address and any stored information), you must contact us directly via email. This ensures we can verify your identity and process your request securely.
Please send your deletion request to:
We will respond to your request within 30 days and will delete your data within 30 days of your request, unless we are required to retain certain information for legal or regulatory purposes. You will receive confirmation once your account and data have been permanently removed.