Privacy Policy
Last updated: April 13, 2026
Penny Duck ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use our service.
This policy is aligned with the General Data Protection Regulation (GDPR) and applicable Polish and EU privacy laws.
1. Data We Collect
We collect the following data when you use Penny Duck:
- Account data: email address and hashed password
- Financial data: transactions, account balances, categories, and related notes you enter into the platform
- Workspace data: workspace membership, roles, and invitations
- Technical data: IP address, browser type, and access timestamps (for security and troubleshooting)
We do not collect data from third-party sources. All financial data in Penny Duck is entered by you directly.
2. Lawful Basis for Processing
We process your data under the following legal bases (GDPR Article 6):
- Contract performance: Processing your account and financial data is necessary to provide the Penny Duck service you signed up for.
- Legitimate interest: We process technical data (IP addresses, access logs) for security, fraud prevention, and service reliability.
- Consent: Where we process data beyond what is necessary for the service, we will ask for your explicit consent. You may withdraw consent at any time.
3. How We Use Your Data
We use your data to:
- Provide and maintain the Penny Duck service
- Authenticate your identity and secure your account
- Enable collaboration within shared workspaces
- Send service-related communications (e.g., password resets, security alerts)
We do not:
- Sell your data to third parties
- Use your data for advertising
- Profile you for marketing purposes
- Use your financial data for any purpose other than providing the service
4. Data Sharing
Within workspaces: When you join a shared workspace, other members of that workspace can see the financial data within it. Only join workspaces with people you trust.
Service providers: We use the following third-party providers to operate the service:
- Railway (hosting and database infrastructure)
These providers process data on our behalf under data processing agreements and do not have independent access to your data.
We do not share your data with any other third parties unless required by law.
5. Cookies and Authentication
Penny Duck uses httpOnly cookies strictly for authentication (JWT access token and refresh token). These are essential cookies required for the service to function.
We do not use:
- Tracking cookies
- Third-party analytics cookies
- Advertising cookies
No cookie consent banner is needed because we only use strictly necessary cookies.
6. Data Storage and Security
Your data is stored in a PostgreSQL database hosted on Railway. We protect your data with:
- Row-Level Security (RLS) to isolate data between workspaces
- Encrypted connections (TLS) for all data in transit
- Hashed passwords (never stored in plain text)
- httpOnly, secure cookies to prevent token theft
While we take reasonable measures to protect your data, no system is completely secure. We encourage you to use a strong, unique password.
7. Your Rights
Under the GDPR, you have the right to:
- Access your personal data and request a copy
- Rectify inaccurate data
- Erase your data ("right to be forgotten") by deleting your account
- Restrict processing in certain circumstances
- Receive your data in a structured, machine-readable format (data portability)
- Object to processing based on legitimate interest
- Withdraw consent at any time where processing is based on consent
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
You also have the right to lodge a complaint with the Polish Data Protection Authority (Urząd Ochrony Danych Osobowych, UODO) or your local supervisory authority.
8. Data Retention
- Active accounts: Your data is retained as long as your account exists.
- Deleted accounts: Upon account deletion, your personal data is removed within 30 days. Some anonymized data may be retained for service improvement.
- Technical logs: Access logs are retained for up to 90 days for security purposes.
9. Children's Privacy
Penny Duck is not directed at children under 16 years of age. We do not knowingly collect data from children. If we become aware that we have collected data from a child under 16, we will delete it promptly.
10. International Data Transfers
Your data is stored and processed within the infrastructure provided by Railway. If data is transferred outside the European Economic Area (EEA), it will be subject to appropriate safeguards as required by the GDPR.
11. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the service. The "Last updated" date at the top of this page indicates when the policy was last revised.
12. Contact
If you have questions about this Privacy Policy or how we handle your data, contact us at [email protected].
Data Controller: Penny Duck
Contact: [email protected]