Privacy Policy
Effective date: 2026-06-29
GoHoardly is operated by the controller identified below. For privacy questions, data subject requests, or complaints, users may contact the controller at the stated contact e-mail address.
1. Controller
- Name: Hoffmann Károly
- E-mail: [email protected]
2. Data Protection Officer
The current operation of GoHoardly does not require the appointment of a Data Protection Officer, and no Data Protection Officer has been appointed. Privacy matters are handled by the controller at the contact e-mail address above.
3. The Service
GoHoardly is a personal budgeting and financial record-keeping application.
The service:
- does not connect to bank accounts;
- does not process payment card data;
- does not import bank transactions;
- does not provide financial, investment, tax, accounting, or legal advice.
4. Personal Data Processed
Account and authentication data: e-mail address; password hash for e-mail/password registration; Google OAuth identifier and token if Google sign-in is used; Google profile image URL if provided by Google and displayed by the application; nickname or display name.
User settings: pay cycle start day and length; currency; decimal display preference; onboarding status; shopping list tax/VAT settings, where used.
Signup source: if the user arrives through a campaign link (for example an event flyer, sticker, or QR code), a short campaign label indicating where the registration originated is stored with the account for statistical purposes.
Financial and planning data entered by the user: period dates and Flow/Fixed/Extra/Savings limits; closed period summaries and carry-over amounts; expense entries; extra income entries; saving movements; savings goals; custom subcategories; shopping lists and items.
Technical and security data: session cookies and/or authentication tokens stored in localStorage; IP address; request timestamp; basic browser and device technical data; debugging, security, and infrastructure logs.
Support and complaint-handling data: messages sent through a contact form or by e-mail; complaints, replies, and related documents.
The application does not process bank account or payment card data and does not request special categories of personal data.
5. Purposes and Legal Bases
| Data / Processing | Purpose | Legal basis |
|---|---|---|
| E-mail address | Account creation, login, account notices | GDPR Art. 6(1)(b) |
| Password hash | E-mail/password authentication | GDPR Art. 6(1)(b) |
| Nickname / display name | Profile and in-app display | GDPR Art. 6(1)(b) |
| Google OAuth identifier and token | Google-based registration and login | GDPR Art. 6(1)(b) |
| Google profile image URL | Profile display | GDPR Art. 6(1)(b) |
| User settings | Personalised app operation | GDPR Art. 6(1)(b) |
| Expenses, income, periods, savings, goals, shopping lists | Budgeting features, reports and analytics | GDPR Art. 6(1)(b) |
| Signup source label | Marketing statistics: understanding how users found the service | GDPR Art. 6(1)(f), legitimate interest |
| IP address | Security, abuse prevention, infrastructure operation | GDPR Art. 6(1)(f), legitimate interest |
| Technical logs | Debugging, security, service operation | GDPR Art. 6(1)(f) |
| Session cookie / localStorage token | Maintaining login state and authenticating requests | GDPR Art. 6(1)(b); strictly necessary |
| Contact or support message | Customer support and contractual request handling | GDPR Art. 6(1)(b) or 6(1)(f) |
| Consumer complaint | Handling the complaint and proving the response | GDPR Art. 6(1)(c), legal obligation |
| Future analytics or marketing cookies | Analytics or marketing | GDPR Art. 6(1)(a), consent — not currently used |
6. Nature of Data Provision
Providing data necessary for account creation and basic service use is a contractual requirement. If the user does not provide such data, the account cannot be created or the relevant function cannot be used. Providing optional data is not mandatory.
7. Cookies and Browser Storage
GoHoardly uses only cookies, session tokens, and browser-stored data necessary for operation. Detailed information is provided in the separate Cookie Policy. If non-essential cookies are introduced in the future, the Cookie Policy and consent mechanism will be updated before such use.
8. Processors and Third Parties
| Provider | Role | Status |
|---|---|---|
| Supabase | Authentication, database, session handling | In use |
| Vercel | Frontend hosting, CDN, infrastructure logs | In use |
| OAuth login, Google profile data | Only if Google sign-in is selected | |
| Resend | Sending transactional emails (registration confirmation, password reset, email change, support) | In use |
| Cloudflare | DNS/CDN/security proxy | In use |
The controller does not sell personal data.
9. International Transfers
The controller aims to process core user data within the European Economic Area. Some providers may process technical or account-related data outside the EEA. In such cases, transfers may take place only on the basis of appropriate safeguards under the GDPR, such as an adequacy decision, Standard Contractual Clauses, or another lawful transfer mechanism.
10. Retention
| Data category | Retention period |
|---|---|
| Account data and user app data | Until account deletion or inactivity deletion |
| Technical backups after account deletion | Deleted or overwritten no later than 30 days |
| Auth and security logs | 90 days |
| Infrastructure and debugging logs | 180 days |
| Support and contact requests | 5 years from closure |
| Consumer complaints and responses | 5 years (Hungarian Consumer Protection Act, s. 17/A) |
| Authority or legal requests | 5 years from closure, or longer if required by law |
11. Account Deletion
When an account is deleted, active user data is deleted from the production database. Some copies may remain in technical backups for a short period, but are deleted or overwritten no later than 30 days later.
12. Data Export and Portability
The user may request a copy of their personal data. The application currently does not include a self-service export function; export requests may be submitted through the contact e-mail address.
13. Data Subject Rights
The user has the right to: request access to their personal data; request rectification; request erasure; request restriction of processing; object to processing based on legitimate interests; request data portability, where applicable; withdraw consent where processing is based on consent; lodge a complaint with the supervisory authority; and seek judicial remedy.
The controller responds to data subject requests without undue delay and at the latest within 1 month of receipt.
Supervisory authority: Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH) — www.naih.hu
14. Personal Data Breaches
The controller maintains a breach register. If a breach is likely to result in a risk to users' rights and freedoms, the controller notifies the competent supervisory authority within 72 hours where feasible. If the breach poses a high risk, affected users are also informed without undue delay.
15. Data Security
The controller applies appropriate technical and organisational measures including: HTTPS; encrypted communication; storing passwords in hashed form; Row Level Security; permission management; access restrictions; logging and security monitoring. Despite these measures, complete security cannot be guaranteed.
16. Children
In Hungary, the service is not available to persons under the age of 16. In other countries, the applicable mandatory digital consent and child protection rules apply.
17. Automated Decision-Making and Profiling
GoHoardly does not use automated decision-making or profiling that produces legal effects or similarly significant effects. Charts, reports, balances, and alerts are generated from data entered by the user and do not constitute risk profiles.
18. Changes to This Policy
The controller may amend this Privacy Policy. In the event of a material change, users will receive appropriate prior notice by e-mail, in-app notice, or notice published on the website.
19. Contact
Hoffmann Károly — [email protected]