PRIVACY POLICY

Last updated March 21, 2026

This Privacy Policy describes how Kontu.io ('we', 'us', or 'our'), operated as a sole trader based in the United Kingdom, collects, uses, stores, and shares your personal data when you use our website at https://www.kontu.io and any related services (collectively, the 'Services').

We are the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. If you have any questions, you can contact us at [email protected].

Please read this Privacy Policy carefully. By using the Services, you acknowledge that you have read and understood this Privacy Policy.

TABLE OF CONTENTS

1. WHAT DATA WE COLLECT
2. HOW WE COLLECT YOUR DATA
3. WHY WE PROCESS YOUR DATA
4. WHO WE SHARE YOUR DATA WITH
5. INTERNATIONAL DATA TRANSFERS
6. HOW LONG WE KEEP YOUR DATA
7. COOKIES AND TRACKING TECHNOLOGIES
8. YOUR RIGHTS
9. CHILDREN'S PRIVACY
10. CHANGES TO THIS POLICY
11. CONTACT US

1. WHAT DATA WE COLLECT

We collect the following categories of personal data:

Account data

When you create an account, we collect your email address, name, and a securely hashed version of your password. If you sign in using a third-party provider (such as Google or GitHub), we receive your name and email address from that provider.

Payment data

When you subscribe to a paid plan, your payment is processed by our third-party payment processor, Polar.sh. We do not directly collect or store your full credit card number or banking details. Polar.sh may share with us limited information such as your billing name, email address, the last four digits of your card, and transaction history. Please refer to Polar.sh's own privacy policy for details on how they handle your payment data.

Financial planning data

You may input financial information into the Services as part of using the app's planning features (such as income, expenses, budgets, and goals). This data is stored in your account and is used solely to provide the Services to you.

Usage and technical data

When you visit or use the Services, we automatically collect certain technical information, including your IP address, browser type and version, operating system, device type, referring URL, pages viewed, time spent on pages, and other interaction data. This data is collected through cookies and similar tracking technologies (see the 'COOKIES AND TRACKING TECHNOLOGIES' section below).

Communications data

If you contact us via email, we collect your email address and the contents of your message.

2. HOW WE COLLECT YOUR DATA

We collect data in the following ways:

• Directly from you — when you register, subscribe, use the app's features, or contact us.
• Automatically — through cookies, analytics tools, and server logs when you use the Services.
• From third parties — from authentication providers if you use social sign-in, and from Polar.sh in relation to payment transactions.

3. WHY WE PROCESS YOUR DATA

Under the UK GDPR, we must have a lawful basis for processing your personal data. The bases we rely on are:

Performance of a contract (Article 6(1)(b))

We process your account data, financial planning data, and payment data as necessary to provide the Services to you, manage your subscription, and fulfil our contractual obligations.

Legitimate interests (Article 6(1)(f))

We process usage and technical data for our legitimate interests in:

• understanding how the Services are used so we can improve them;
• diagnosing technical issues and maintaining security;
• detecting and preventing fraud or abuse.

Consent (Article 6(1)(a))

Where we send you marketing communications, we will obtain your consent first and you may unsubscribe at any time.

Legal obligation (Article 6(1)(c))

We may process your data where necessary to comply with legal obligations, such as tax reporting requirements or responding to lawful requests from authorities.

4. WHO WE SHARE YOUR DATA WITH

We do not sell your personal data. We share your data only with the following categories of third-party service providers who process data on our behalf:

• Polar.sh — payment processing and billing communications. Receives your payment and billing information to process subscription transactions. Polar.sh also sends you transactional emails related to payments, renewals, and subscription management on our behalf.
• Amazon Web Services (AWS) — cloud hosting and infrastructure. Stores and processes your account data, financial planning data, and technical data on our servers.
• Resend — email delivery. Receives email addresses to deliver service-related emails, such as budget sharing invitations and other notifications.
• PostHog — product analytics. Operates in cookieless mode and collects anonymised usage and interaction data to help us understand how features are used and improve the Services. No personally identifiable tracking cookies are set.

Each of these providers is contractually obligated to process your data only for the purposes we specify and in accordance with applicable data protection law.

We may also disclose your data if required to do so by law, or if we believe in good faith that such action is necessary to comply with a legal obligation, protect our rights or safety, or investigate potential violations of our Terms of Service.

5. INTERNATIONAL DATA TRANSFERS

Our Services are primarily hosted in the United Kingdom via Amazon Web Services. However, some of our third-party service providers (such as PostHog, Polar.sh, and Resend) may process your data in countries outside the United Kingdom, including the United States.

Where your data is transferred outside the UK, we ensure that appropriate safeguards are in place as required by the UK GDPR, such as:

• transfers to countries that the UK government has determined provide an adequate level of data protection;
• the use of standard contractual clauses approved by the Information Commissioner's Office (ICO); or
• other lawful transfer mechanisms under the UK GDPR.

6. HOW LONG WE KEEP YOUR DATA

We retain your personal data only for as long as is necessary for the purposes set out in this Privacy Policy:

• Account and financial planning data — retained for as long as your account is active. If you delete your account, we will delete or anonymise this data within 30 days, unless we are required by law to retain it longer.
• Payment and transaction records — retained for up to 7 years after the transaction to comply with UK tax and accounting obligations.
• Usage and technical data — retained for up to 26 months, after which it is automatically deleted or anonymised.
• Communications data — retained for as long as necessary to resolve your enquiry, and for up to 2 years thereafter for record-keeping purposes.

7. COOKIES AND TRACKING TECHNOLOGIES

We use only strictly necessary cookies on the Services. Cookies are small text files placed on your device that help us provide the Services.

Strictly necessary cookies

These cookies are essential for the Services to function and cannot be switched off. They include session cookies for authentication and security. These do not require your consent under the Privacy and Electronic Communications Regulations (PECR).

Analytics

We use PostHog for product analytics. PostHog is configured in cookieless mode, meaning it does not place any cookies on your device and does not track you across sessions. It collects anonymised usage data (such as pages viewed and features used) to help us improve the Services. Because no cookies are set, no cookie consent is required for this purpose.

Managing cookies

Most web browsers allow you to control cookies through their settings. You can set your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you disable strictly necessary cookies, some parts of the Services may not function properly.

8. YOUR RIGHTS

Under the UK GDPR, you have the following rights in relation to your personal data:

• Right of access — you can request a copy of the personal data we hold about you.
• Right to rectification — you can ask us to correct inaccurate or incomplete data.
• Right to erasure — you can ask us to delete your personal data in certain circumstances (also known as the 'right to be forgotten').
• Right to restrict processing — you can ask us to limit how we use your data in certain circumstances.
• Right to data portability — you can request that we provide your data in a structured, commonly used, machine-readable format.
• Right to object — you can object to our processing of your data where we rely on legitimate interests.
• Right to withdraw consent — where we rely on your consent to process your data, you can withdraw that consent at any time.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within one month, as required by law.

If you are not satisfied with how we handle your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data protection supervisory authority. You can contact the ICO at ico.org.uk or by telephone on 0303 123 1113.

9. CHILDREN'S PRIVACY

The Services are not directed at children under the age of 18. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at [email protected] and we will take steps to delete such data.

10. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. We will notify you of any material changes by updating the 'Last updated' date at the top of this page. We encourage you to review this Privacy Policy periodically. Your continued use of the Services after any changes constitutes your acceptance of the updated Privacy Policy.

11. CONTACT US

If you have any questions about this Privacy Policy, your personal data, or wish to exercise your rights, please contact us at:

Kontu.io
Data Controller
[email protected]