Legal

Privacy Policy

Your financial data is deeply personal. Here's exactly what we collect, why we need it, and how we keep it safe.

Last updated: April 26, 2026

1. Who We Are

Stashd: Budget & Savings ("Stashd", "we", "us", or "our") is a mobile application developed and operated by Sander Kleijnen, trading as Outpace. We are based in the Netherlands and subject to European Union data protection law, including the General Data Protection Regulation ("GDPR").

This Privacy Policy describes how we collect, use, store, and protect your personal data when you use the Stashd iOS app ("App") or visit our website.

Sander Kleijnen

Outpace — Developer of Stashd

Email: sander@outpace.cloud

Website: outpace.cloud

Country: Netherlands

2. Data We Collect

We collect only the data that is strictly necessary to deliver and improve the Stashd service.

Account Data

  • Email address — used to create and authenticate your account.
  • Display name — used to personalise your in-app profile.
  • User ID — a unique identifier assigned by our authentication provider (Supabase).

Financial Data

  • Expense entries — amounts, categories, dates, and optional notes that you manually enter into the App.
  • Budget settings — spending limits and savings goals you configure.
iWe never connect to your bank accounts, payment cards, or any external financial institution. All financial data in Stashd is entered manually by you.

Usage Data

  • App interaction data — which features you use, usage frequency, and in-app events (e.g. creating an expense, completing a challenge). Used in aggregate to improve the product.
  • Device information — OS version, app version, and device type, used for debugging and compatibility.
  • Crash reports — anonymous technical logs to help identify and fix errors.

Payment Data

Subscriptions and in-app purchases are processed entirely by Apple through the App Store and managed via RevenueCat. We do not collect, store, or access your payment card details or Apple ID. RevenueCat provides us with subscription status only (active / expired).

Data We Do NOT Collect

  • We do not collect location data.
  • We do not access your contacts or camera (unless you explicitly grant photo access to set a profile picture).
  • We do not collect biometric data.
  • We do not knowingly collect data from children under 13.
  • We do not use advertising trackers or share data with ad networks.

3. How We Use Your Data

We only use your data for the purposes listed below. We do not use it for advertising, behavioural profiling, or automated decision-making that produces legal or similarly significant effects on you.

PurposeLegal Basis (GDPR Art. 6)
Provide and operate the AppPerformance of contract (Art. 6(1)(b))
Authenticate your account and keep it securePerformance of contract (Art. 6(1)(b))
Personalise your experience (name, profile)Performance of contract (Art. 6(1)(b))
Process subscription status via RevenueCatPerformance of contract (Art. 6(1)(b))
Improve the App through aggregated analyticsLegitimate interest (Art. 6(1)(f))
Diagnose and fix bugs via crash reportsLegitimate interest (Art. 6(1)(f))
Send essential service communicationsLegitimate interest / Performance of contract
Comply with legal obligationsLegal obligation (Art. 6(1)(c))

4. Data Storage & Security

Your data is stored on Supabase infrastructure — PostgreSQL databases hosted on AWS data centres. Supabase maintains SOC 2 Type II compliance and supports GDPR data processing agreements.

We apply the following security measures:

  • All data in transit is encrypted via TLS 1.2+.
  • Data at rest is encrypted using AES-256.
  • Access to production databases is restricted by role-based permissions.
  • Supabase Row-Level Security (RLS) policies ensure users can only access their own data.

While we take commercially reasonable steps to protect your data, no system is completely secure. We cannot guarantee absolute security.

5. Third-Party Services

We work with the following sub-processors. Each has been selected to minimise data exposure and is bound by appropriate data processing agreements.

ServicePurposeData Shared
SupabaseDatabase, authentication & backendEmail, user ID, financial data, usage data
RevenueCatSubscription & in-app purchase managementUser ID, subscription status
Apple App StoreApp distribution & payment processingGoverned by Apple's Privacy Policy
Expo / React NativeApp runtime frameworkNo personal data shared directly

We do not sell, rent, or trade your personal data to any third party for commercial purposes.

6. Data Retention

  • Account data is retained for as long as your account remains active.
  • Financial data (expenses, budgets) is kept for the lifetime of your account. You can delete individual entries or all your data at any time from within the App.
  • Aggregate usage / analytics data is retained for up to 24 months.

When you delete your account, all personal data associated with it is permanently deleted within 30 days. Anonymised, aggregate analytics data may be retained longer.

7. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), you have the following rights regarding your personal data:

RightWhat It Means
Right of accessRequest a copy of the personal data we hold about you.
Right to rectificationRequest correction of inaccurate or incomplete data.
Right to erasureRequest deletion of your personal data ("right to be forgotten").
Right to restrictionRequest that we limit how we process your data in certain circumstances.
Right to data portabilityReceive your data in a structured, machine-readable format.
Right to objectObject to processing based on legitimate interests.
Right to withdraw consentWhere processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact us at sander@outpace.cloud. We will respond within 30 days.

You also have the right to lodge a complaint with your local supervisory authority. In the Netherlands, this is the Autoriteit Persoonsgegevens (Dutch Data Protection Authority) at autoriteitpersoonsgegevens.nl.

8. Children's Privacy

Stashd is not directed at children under the age of 13 and we do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected personal information from a child under 13, we will delete it promptly.

If you believe a child under 13 has provided us with personal data, please contact us immediately at sander@outpace.cloud.

9. International Data Transfers

Your data is primarily stored within the EU/EEA. In cases where sub-processors process data outside the EEA (for example, AWS regions used by Supabase, or RevenueCat infrastructure), such transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring an adequate level of protection.

10. Cookies & Tracking Technologies

The Stashd mobile app does not use cookies.

Our website may use essential session cookies for basic functionality. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will notify you via the App or by email at least 14 days before the changes take effect.

The "Last updated" date at the top of this page indicates when this policy was last revised. Your continued use of the App after the effective date constitutes acceptance of the revised policy.

12. Contact Us

If you have questions, requests, or concerns about this Privacy Policy or how we handle your data, please reach out:

Sander Kleijnen

Outpace — Developer of Stashd

Email: sander@outpace.cloud

Website: outpace.cloud

Country: Netherlands