1. Data controller

The controller of your personal data is:

Homewallet Oy

Business ID: 3579757-4

Email: kata@homewallet.io

Some features may be provided together with regulated banking, payment, identity verification, open-banking, or technical partners. Where those partners decide independently how and why they process personal data, they may act as separate controllers under their own privacy notices.

2. What Homewallet does

Homewallet provides tools that help users manage home-related financial information, such as bills, invoices, due dates, payment status, reminders, home-related documents, and financial visibility.

Depending on the features available in your country and account, Homewallet may allow you to:

• upload or scan invoices and bills;

• store and organise home-related documents;

• track payment due dates and payment status;

• receive reminders and notifications;

• connect bank or payment accounts through authorised providers;

• view transactions, account metadata, balances, and payment-related information where you choose to connect such services;

• receive AI-assisted or automated categorisation, extraction, summaries, reminders, or insights;

• contact customer support.

Homewallet is not a bank, unless expressly stated otherwise. If regulated banking, open-banking, payment initiation, account information, identity verification, or payment processing services are provided by a third-party partner, that partner's own terms and privacy notice may also apply.

3. Personal data we collect

We may collect and process the following categories of personal data.

3.1 Account and profile data

This may include your name, email address, phone number, user ID, login credentials, language preference, country, communication preferences, and account settings.

3.2 Identity and verification data

Where required for security, fraud prevention, legal compliance, payment features, bank-account connections, or partner requirements, we may process identity-related data such as date of birth, address, identification information, verification status, and authentication data.

We only collect this type of data where it is necessary for the relevant feature, required by law, or required by a regulated partner.

3.3 Home, bill, invoice, and document data

This may include bills, invoices, receipts, payment references, due dates, payee or merchant details, invoice amounts, home-related documents, service-provider details, contract documents, uploaded files, OCR-extracted text, and metadata relating to those files.

You are responsible for ensuring that the documents you upload are relevant to your use of the Services and that you have the right to upload them.

3.4 Financial and transaction data

This may include payment status, transaction references, payment amounts, account identifiers, IBAN or other payment-account identifiers, merchant information, transaction metadata, balances, payment history, and reconciliation information.

3.5 Bank connection and open-banking data

If you choose to connect a bank account or payment account through an authorised provider, we may receive data made available through that connection, such as account metadata, balances, transaction history, confirmation tokens, account identifiers, and connection status.

We only access this data where you have chosen to connect the account and where the relevant provider, bank, or payment account service makes the data available through the integration.

You can disconnect bank-account connections according to the instructions available in the Services or through the relevant provider. Disconnecting may limit or disable related features.

3.6 Payment data

If you pay for Homewallet or use payment-related features, we or our payment providers may process payment method details, billing details, subscription status, invoices, payment confirmations, failed payment information, and related transaction records.

Homewallet does not store full card details unless expressly stated. Card and payment method information is typically processed by authorised payment providers.

3.7 AI, OCR, automation, and analytics data

Where available, Homewallet may use automated tools, OCR, machine-learning models, or AI-assisted systems to read invoices, extract invoice data, categorise bills, identify due dates, create summaries, suggest reminders, detect errors, improve product performance, or generate insights.

Unless expressly stated otherwise, these features are intended to support user convenience and do not make legally binding decisions, credit decisions, lending decisions, insurance decisions, tax decisions, or other decisions with legal or similarly significant effects.

3.8 Device, technical, and usage data

This may include IP address, device model, operating system, browser type, app version, session logs, authentication logs, crash logs, diagnostic data, security logs, feature usage, and similar technical information.

3.9 Communications and support data

This may include support messages, emails, chat messages, attachments, feedback, survey responses, call notes, and other correspondence with us.

3.10 Marketing and preference data

This may include marketing consents, email engagement, campaign interactions, referral information, communication preferences, and information about whether you have opted in or opted out of marketing.

4. Sources of personal data

We collect personal data from the following sources:

• directly from you when you create an account, use the Services, upload documents, connect accounts, contact support, or change settings;

• from banks, payment-account providers, open-banking providers, or payment partners where you authorise a connection or transaction;

• from identity verification, authentication, fraud prevention, payment, analytics, cloud hosting, customer support, email, and communication providers;

• from your device and browser when you use the Services;

• from publicly available or legally required sources where necessary for fraud prevention, legal compliance, sanctions screening, dispute handling, or security.

5. Purposes and legal bases for processing

We process personal data only where we have a lawful basis.

5.1 Providing the Services

We process personal data to create and manage your account, provide the Homewallet platform, store and organise bills and documents, display payment-related information, send reminders, process support requests, and provide features requested by you.

Legal basis: performance of contract.

5.2 Bank connections and payment-related features

We process relevant financial, account, transaction, and payment information to provide bank-account connections, payment tracking, reconciliation, account views, reminders, and related features where you choose to use them.

Legal basis: performance of contract.

Where required, your separate authorisation or consent may also be collected by the relevant bank, payment provider, or regulated partner.

5.3 Invoice scanning, OCR, AI-assisted features, and automation

We process uploaded documents, extracted data, and related metadata to read invoice details, identify due dates, categorise information, create reminders, provide summaries, detect possible errors, and improve user experience.

Legal basis: performance of contract where the feature is part of the Services; legitimate interests where processing is necessary to improve, secure, or troubleshoot the Services; consent where required by law.

5.4 Customer support and service communications

We process personal data to respond to support requests, provide important service messages, notify you of changes, investigate issues, and maintain records of communications.

Legal basis: performance of contract and legitimate interests.

5.5 Security, fraud prevention, abuse prevention, and service integrity

We process personal data to protect users, prevent misuse, detect fraud, monitor suspicious activity, maintain logs, secure accounts, investigate incidents, and enforce our terms.

Legal basis: legitimate interests and legal obligation where applicable.

5.6 Legal and regulatory compliance

We process personal data to comply with applicable laws, accounting requirements, tax rules, consumer protection obligations, fraud prevention duties, audit requirements, sanctions obligations, regulatory reporting, and lawful requests from authorities.

Legal basis: legal obligation.

5.7 Product improvement and analytics

We process usage, technical, diagnostic, and aggregated information to understand how the Services work, improve features, fix errors, measure performance, and develop new services.

Legal basis: legitimate interests.

Where consent is required for analytics cookies, SDKs, or similar tracking technologies, we rely on consent.

5.8 Marketing

We may send marketing communications where permitted by law. You can opt out of marketing at any time.

Legal basis: consent where required; legitimate interests where direct marketing is permitted without consent under applicable law.

5.9 Aggregated and anonymised data

We may create aggregated or anonymised information for analytics, service development, research, reporting, or commercial insights. Once data is properly anonymised, it is no longer personal data. If data can still identify you, we treat it as personal data.

Legal basis: legitimate interests.

6. Special category data

Homewallet does not intentionally request or require special category personal data, such as health data, religious beliefs, political opinions, biometric data, or similar sensitive data.

However, such information may sometimes appear in documents, invoices, receipts, payment descriptions, or support messages uploaded or provided by you. Where this happens, we process such information only as necessary to provide the Services, protect legal rights, ensure security, comply with law, or delete or restrict the data where appropriate.

Please avoid uploading unnecessary sensitive information.

7. Children

The Services are intended for users aged 18 or older, unless we expressly state otherwise.

We do not knowingly collect personal data from children in breach of applicable law. If we become aware that a child has provided personal data without proper authorisation, we may delete the data and close the account where appropriate.

8. Who we share personal data with

We may share personal data with the following categories of recipients where necessary.

8.1 Banking, payment, and open-banking partners

Where you use bank-account connection, payment initiation, payment tracking, or payment-processing features, relevant personal data may be shared with banks, payment providers, open-banking providers, account information service providers, payment initiation service providers, card processors, or other regulated partners.

These partners may act as independent controllers for their regulated services. Their own terms and privacy notices may apply.

8.2 Technical service providers

We may use service providers for cloud hosting, databases, storage, authentication, analytics, crash reporting, email delivery, customer support, payment infrastructure, security monitoring, OCR, AI-assisted processing, and software development.

These providers process data on our behalf and under our instructions where they act as processors.

8.3 Identity verification, fraud prevention, and security providers

Where necessary, we may share data with identity verification, fraud prevention, compliance, authentication, and security service providers.

8.4 Professional advisers

We may share data with lawyers, accountants, auditors, insurers, consultants, and other professional advisers where necessary for business, legal, accounting, audit, insurance, or dispute purposes.

8.5 Authorities and legal processes

We may disclose personal data to courts, regulators, law enforcement, tax authorities, supervisory authorities, or other public bodies where required by law or necessary to protect our rights, users, or the integrity of the Services.

8.6 Business transactions

If Homewallet is involved in a merger, financing, acquisition, restructuring, sale of assets, investment process, or similar transaction, personal data may be disclosed to relevant buyers, investors, advisers, or successor entities, subject to appropriate confidentiality and security measures.

9. We do not sell identifiable personal data

Homewallet does not sell identifiable user-level personal data.

If we create commercial reports, insights, benchmarks, analytics, or market information, we use aggregated or anonymised information wherever possible. If information remains personal data, we process it in accordance with GDPR and this Privacy Policy.

10. International transfers

We aim to store and process personal data within the European Economic Area where reasonably possible.

If personal data is transferred outside the European Economic Area, we use a lawful transfer mechanism, such as an adequacy decision, the European Commission's Standard Contractual Clauses, or another mechanism permitted by applicable law. Where required, we also assess whether supplementary safeguards are needed.

11. Data retention

We keep personal data only for as long as necessary for the purposes described in this Privacy Policy.

Typical retention periods include:

• Account data: for as long as your account is active and for a reasonable period after closure where needed for legal, security, accounting, or dispute purposes.

• Bills, invoices, documents, and home-finance records: for as long as you keep them in the Services, unless a longer retention period is required for legal, accounting, tax, fraud prevention, or dispute purposes.

• Bank connection data: for as long as the bank connection is active and for a limited period after disconnection where needed for reconciliation, security, audit, or legal purposes.

• Payment and billing records: for the statutory accounting, tax, and audit retention periods applicable to Homewallet.

• Support communications: for as long as necessary to handle the request and maintain appropriate business records.

• Security logs: for a limited period necessary to protect the Services, investigate misuse, and comply with legal obligations.

• Marketing data: until you withdraw consent, opt out, or the data is no longer needed for the purpose collected.

When personal data is no longer needed, we delete it, anonymise it, or securely archive it where deletion is not immediately possible.

12. Your GDPR rights

Subject to applicable law, you have the following rights:

• the right to be informed about how your personal data is processed;

• the right to access your personal data and receive a copy;

• the right to correct inaccurate or incomplete data;

• the right to request deletion of your data in certain circumstances;

• the right to restrict processing in certain circumstances;

• the right to object to certain processing, including direct marketing and some legitimate-interest processing;

• the right to receive certain data in a portable format where applicable;

• the right to withdraw consent at any time where processing is based on consent;

• the right not to be subject to decisions based solely on automated processing where such decisions produce legal or similarly significant effects, unless permitted by law;

• the right to lodge a complaint with a supervisory authority.

In Finland, the supervisory authority is the Office of the Data Protection Ombudsman.

To exercise your rights, contact us at:

privacy@homewallet.fi

We may need to verify your identity before responding. We aim to respond to valid requests within one month. Where legally permitted, this period may be extended for complex or numerous requests.

13. Marketing choices

You may unsubscribe from marketing emails by using the unsubscribe link in the email or by contacting us.

Even if you opt out of marketing, we may still send important service, security, legal, or account-related messages.

14. Cookies and similar technologies

Homewallet may use cookies, pixels, SDKs, local storage, and similar technologies to provide the Services, remember preferences, improve performance, analyse usage, and support marketing.

Strictly necessary cookies and technologies may be used without consent where permitted by law.

Where required, we ask for your consent before using non-essential analytics, advertising, or tracking technologies. You can manage your preferences through our cookie banner or settings where available.

A separate Cookie Notice may provide more detailed information about the cookies and similar technologies we use.

15. Security

We use appropriate technical and organisational measures to protect personal data. These may include:

• encryption in transit and, where appropriate, encryption at rest;

• access controls and role-based permissions;

• authentication and account-security measures;

• logging and monitoring;

• vendor security review;

• backups and resilience measures;

• incident response processes;

• staff access restrictions and confidentiality obligations.

No digital service can be guaranteed fully secure. You are responsible for keeping your login credentials confidential and notifying us if you suspect unauthorised access to your account.

16. Personal data breaches

If a personal data breach occurs, we assess the risk and take appropriate action.

Where required by law, we notify the competent supervisory authority without undue delay and, where feasible, within 72 hours after becoming aware of the breach.

Where a breach is likely to result in a high risk to your rights and freedoms, we notify affected users where legally required.

17. Automated processing and AI-assisted features

Homewallet may use automated processing, OCR, machine learning, or AI-assisted tools to support features such as invoice reading, bill categorisation, document extraction, reminder creation, transaction matching, error detection, and financial overview generation.

These tools are intended to assist you and improve the Services. They may sometimes be inaccurate. You should review important information, including payment details, due dates, amounts, recipients, and account information before relying on it.

Unless expressly stated otherwise, Homewallet does not use AI-assisted features to make credit decisions, lending decisions, insurance decisions, tax decisions, legal decisions, or other decisions that produce legal or similarly significant effects for you.

18. Third-party links and services

The Services may contain links or integrations to third-party websites, banks, payment providers, identity providers, or other services.

We are not responsible for the privacy practices of third parties. Their own terms and privacy notices apply to their services.

19. Changes to this Privacy Policy

We may update this Privacy Policy from time to time.

The updated version will be posted in the Services or on our website with a new "Last updated" date. Where changes are material, we may notify you by email, in-app message, or other appropriate means.

Your continued use of the Services after the updated Privacy Policy becomes effective means that the updated version applies from that date.

You also have the right to contact the Finnish Office of the Data Protection Ombudsman or another competent supervisory authority.