Privacy policy

1. Data protection at a glance

General information

The following notes provide a simple overview of what happens to your personal data when you visit this website. Personal data is all data with which you can be personally identified. Detailed information can be found in the privacy policy below.

Data collection on this website

Who is responsible?Data processing on this website is carried out by the website operator. You can find the operator's contact details in the Imprint.

How do we collect your data? Some data is collected when you provide it to us (e.g. via a form). Other data is collected automatically by our IT systems when you visit the website (e.g. browser, operating system, time of access).

What do we use your data for? Part of the data is collected to ensure error-free, secure provision of the website. Other data may be used to analyze user behavior.

Your rights You have the right to obtain information on the origin, recipients and purpose of your stored personal data free of charge at any time and to request correction or deletion. You can also request restriction of processing and lodge a complaint with a supervisory authority.

2. Access to and storage of information in terminal equipment

By using our website, information (e.g., IP address) may be accessed or information (e.g., cookies) may be stored on your device. Where strictly necessary for technical provision, this is based on Section 25 (2) No. 2 TDDDG. For other purposes, access/storage occurs only with your consent under Section 25 (1) TDDDG in conjunction with Art. 6(1)(a) GDPR; consent can be withdrawn at any time.

3. Processors and hosting

We use carefully selected external service providers ("processors") to operate this website and the heyFinance app. Personal data collected on this website or in the app is processed on these providers' servers. (e.g., IP addresses, contact requests, meta/communication data, names, page views and other data generated via the website).

These "processors" are used for the performance of a contract with potential and existing customers (Art. 6(1)(b) GDPR) and in the interest of a secure, fast and efficient provision of our online offer (Art. 6(1)(f) GDPR). The "processors" process your data only to the extent necessary to fulfill its performance obligations and follows our instructions.

  • Vercel – frontend hosting
  • Render – backend hosting
  • Supabase – managed database
  • Resend – transactional email
  • Stripe – payment processing for web subscriptions (collects name, email, billing address, and payment card details to process subscription payments)
  • Apple – payment processing for in-app purchases on iOS via Apple In-App Purchase (Apple processes the transaction under its own terms and shares only limited information with us, such as a transaction identifier and, where the user permits, an obfuscated email)
  • OpenAI – AI processing for the optional AI Insights and AI Auto-Categorization features (US-based; see Section 6 for details on what data is sent and your control over these features)

In addition to the processors listed above, we cooperate with Qwist GmbH for the optional bank account sync feature. Qwist is a PSD2-licensed payment institution and acts as an independent data controller for the bank connection process under its own legal and regulatory obligations. See Section 7 for details.

These providers process your data only to the extent necessary to fulfil their services and in accordance with our instructions. We have concluded data processing agreements (DPAs) with them. If data is transferred outside the EU/EEA, Standard Contractual Clauses (SCCs) and appropriate safeguards are applied.

Stripe's role:When you subscribe to heyFinance, Stripe processes your payment information directly. We do not store any payment information on our servers; Stripe holds it under its own terms. Stripe is PCI-DSS compliant and processes payments securely. For more information, see Stripe's Privacy Policy at https://stripe.com/privacy.

4. General notes and mandatory information

Data protection

We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy. Please note that data transmission on the Internet (e.g., when communicating by e-mail) may have security gaps.

Note on the controller

The controller for data processing on this website is the website operator. See the Imprint for contact details.

Revocation of your consent to data processing

Many data processing operations are possible only with your express consent. You may revoke consent at any time with effect for the future. The lawfulness of processing carried out before revocation remains unaffected.

Data retention after trial and cancellation

We retain your account data for as long as your account remains active. Inactive trial accounts and cancelled subscriptions may be deleted after an extended period of inactivity. You may request deletion of your account and associated data at any time through your account settings or by contacting us; we will fulfil such requests within 30 days, subject to statutory retention obligations (e.g., 6–10 years for tax and business records). Residual copies in routine backups are removed in accordance with our standard backup rotation.

Right to object to processing in special cases and to direct marketing (Art. 21 GDPR)

If processing is based on Art. 6(1)(e) or (f) GDPR, you have the right to object at any time on grounds relating to your particular situation; this also applies to profiling. If your personal data is processed for direct marketing, you have the right to object at any time to such processing.

Right to lodge a complaint with the supervisory authority

In the event of a breach of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, without prejudice to other remedies. The competent authority for our location is the Berliner Beauftragte für Datenschutz und Informationsfreiheit.

Right to data portability

You have the right to receive data that we process automatically on the basis of your consent or in performance of a contract in a commonly used, machine-readable format, or to have it transmitted to another controller where technically feasible.

SSL or TLS encryption

For security reasons and to protect the transmission of confidential content, this site uses SSL or TLS encryption. An encrypted connection can be recognized by the lock symbol in your browser and the "https://" address line.

User accounts and verification

To create and use a heyFinance account, we process your email address and a password chosen by you. In order to activate your account, you must verify your email address via a confirmation link. Until verification is completed, login may be restricted and we may send reminder emails or temporarily block access. Unverified accounts may be deleted after a reasonable period.

Financial data provided by users

heyFinance is a financial management tool. Users may manually enter or upload personal financial data (e.g., budgets, expenses, debts, account balances, transactions). This data is processed solely for the purpose of providing the agreed functionality (Art. 6(1)(b) GDPR). We do not import financial data from external banks or services unless explicitly provided by the user. The Provider does not offer financial or investment advice.

Information, deletion, correction

Within the scope of legal provisions, you have the right at any time to free information about your stored personal data, its origin and recipients and the purpose of data processing and, if applicable, a right to correction or deletion of this data.

Right to restriction of processing

You have the right to request restriction of processing under the conditions set out in Art. 18 GDPR. If processing is restricted, this data may—apart from storage—only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.

Objection to advertising emails

We hereby object to the use of contact data published as part of our legal notice obligation for the purpose of sending unsolicited advertising and information materials.

Payments

Subscriptions purchased on the web are processed via Stripe. When you subscribe through the web, Stripe collects your payment card details, billing address, name, and email address to process recurring payments. We do not store any payment information on our servers; Stripe holds it under its own terms. Stripe handles all payment data securely in compliance with PCI-DSS standards. Legal basis: Art. 6(1)(b) GDPR (performance of contract). For more information, see Stripe's Privacy Policy.

Subscriptions purchased on iOS through the heyFinance mobile app are processed via Apple In-App Purchase. Apple collects and processes your payment information directly under its own terms and privacy policy; we do not receive your payment card details or full Apple ID. Apple shares with us only limited information needed to activate and manage your subscription, such as a transaction identifier and, where you permit it, an obfuscated email address. Legal basis: Art. 6(1)(b) GDPR (performance of contract). For more information, see Apple's Privacy Policy.

5. Data collection on this website

Cookies

Some internet pages use cookies. Cookies do not damage your device and do not contain viruses. They help make our offer more user-friendly, effective and secure. Most cookies we use are "session cookies" and are deleted after your visit. Other cookies remain stored until you delete them. You can configure your browser to inform you about the setting of cookies and to allow cookies only in individual cases, exclude cookies for certain cases or in general, and activate deletion when closing the browser. If cookies are deactivated, the functionality of the website may be restricted.

Cookies required to carry out the electronic communication process or to provide certain functions you request are stored on the basis of Art. 6(1)(f) GDPR. If consent is requested, processing is based on Art. 6(1)(a) GDPR and consent can be revoked at any time.

Server log files

The provider automatically collects and stores information in server log files that your browser transmits to us (browser type/version, operating system, referrer URL, host name, time of request, IP address). This data is not merged with other data sources. Processing is based on Art. 6(1)(f) GDPR in the interest of technically error-free presentation and optimization of the website.

Contact form

If you send us inquiries via a contact form, the details you provide—including contact details—are stored for the purpose of processing the inquiry and in case of follow-up questions. We do not pass on this data without your consent. Processing is based on Art. 6(1)(b) GDPR if related to contract performance or pre-contractual measures; otherwise on our legitimate interest (Art. 6(1)(f) GDPR) or your consent (Art. 6(1)(a) GDPR). We retain such data until you request deletion, revoke consent or the purpose no longer applies. Statutory retention periods (e.g. 6–10 years for business/tax records) remain unaffected.

Request by e-mail or telephone

If you contact us by e-mail or phone, we store and process your inquiry, including personal data (e.g. name, message), to handle your request. Processing follows Art. 6(1)(b) GDPR where applicable, otherwise Art. 6(1)(a) and/or Art. 6(1)(f) GDPR. Retention follows the same rules as above, subject to statutory retention periods (6–10 years for business/tax records).

Processing of data (customer and contract data)

We collect, process and use personal data only insofar as it is necessary for establishing, structuring or changing the legal relationship (inventory data) and usage data only insofar as necessary to enable or charge for the use of the service (Art. 6(1)(b) GDPR). Customer data is deleted after completion of the order or termination of the business relationship. Statutory retention periods (6–10 years for business/tax records) remain unaffected.

6. AI Features and Financial Data Processing

heyFinance offers optional AI-powered features, controlled at the organization level by an authorized account owner. The features are opt-in and are governed by two independent toggles that you can enable or disable at any time from within the app:

  • AI Insights— analyzes your financial activity to generate periodic summaries (such as monthly or quarterly reports), spending trends, and goal-based recommendations. Uses only aggregated, non-identifying financial metrics.
  • AI on transaction-level data— sends a limited subset of each transaction (such as its description, which may contain personal information like a counterparty name in a transfer) to our AI provider. Currently powers AI Auto-Categorization, which suggests categories for your transactions to reduce manual data entry. See section 6.2 for the exact fields transmitted.

The two toggles are independent: enabling one does not enable the other.

6.1 AI Insights — aggregated metrics only

To generate AI Insights, we transmit only aggregated and non-identifying financial metrics to our AI provider. These values may include:

  • Income and expense totals over a given period
  • Category-level spending summaries
  • Cash flow and savings rate calculations
  • Goal progress, target amounts, and affordability assessments
  • Counts of transactions per category
  • Period-over-period percentage changes or trends

For AI Insights, we do not transmit individual transaction lines, vendor names or free-text descriptions, bank account numbers, your email, name, or any login credentials.

6.2 AI Auto-Categorization — data transmitted

When the transaction-level AI toggle is enabled, the following information is sent to our AI provider for each uncategorized transaction so that the provider can suggest the most appropriate category from your existing category list:

  • The transaction description as provided by your bank or CSV import (this may include a merchant or vendor name and free-text memo)
  • The transaction amount
  • The transaction type (e.g., income, expense)
  • The country associated with your organization
  • The list of category names that exist in your heyFinance account

We do not transmit your name, email address, account numbers, IBAN, banking credentials, or any other directly identifying information together with these requests. Transaction descriptions may, however, contain personal information depending on what your bank or CSV file includes (e.g., a counterparty name in a transfer memo). You should consider this before enabling the feature.

6.3 Purpose of processing

AI Insights data is processed exclusively to generate financial insights, recommendations, and summaries within the heyFinance app. AI Auto-Categorization data is processed exclusively to suggest a category for each transaction. Neither feature uses the data for any other purpose.

6.4 Third-party AI providers

We use OpenAI, L.L.C. as our AI subprocessor for both features. OpenAI processes the data only on our documented instructions, does notuse API inputs or outputs to train its models, and retains API content for a limited period (currently up to 30 days) solely for abuse and misuse monitoring, after which it is deleted. OpenAI's servers are located in the United States. Where this involves a transfer of personal data outside the EU/EEA, the transfer is governed by the EU Standard Contractual Clauses and additional safeguards. For more information, see OpenAI's policies.

6.5 Legal basis

Processing for AI Insights and for transaction-level AI features is based on your explicit consent under Art. 6(1)(a) GDPR, given when an authorized account owner enables the corresponding toggle for the organization. The two toggles constitute separate consents. You may withdraw either consent at any time by disabling the corresponding toggle in your account settings; processing carried out before withdrawal remains lawful.

6.6 No automated decision-making; no advice

AI outputs (insights and category suggestions) are informational only. They do not constitute financial, investment, tax, or legal advice and do not produce legal or similarly significant effects within the meaning of Art. 22 GDPR. Suggested categories can always be reviewed and changed by you. You remain responsible for verifying the accuracy of AI outputs before relying on them.

6.7 Opt-out, retention, deletion

You can use heyFinance without either AI feature. Inputs sent to the AI provider are not stored separately on our systems beyond the original transaction or aggregated record they were derived from. Deleting your financial data or your account from heyFinance removes the source data; OpenAI's short-term abuse-monitoring copies are deleted on its retention cycle as described above.

7. Bank Account Sync (Qwist)

heyFinance offers an optional feature to connect an external bank account using Qwist GmbH, a licensed payment institution regulated under PSD2. This feature is entirely optional and must be explicitly activated by you.

7.1 Role of Qwist

Qwist acts as an independent data controller for the bank connection process. When you initiate a bank sync, you are redirected to Qwist's secure widget to authenticate with your bank directly. Qwist collects and processes your banking credentials, account details, balances, and transactions under its own terms and privacy policy. We encourage you to review Qwist's privacy policy before connecting your account.

7.2 Data received by heyFinance

Once the connection is established, Qwist transmits your transaction history and account data to heyFinance. We store this data in your heyFinance account and use it solely to provide the sync feature. We do not receive or store your banking login credentials. Your email address is shared with Qwist as a user identifier to initiate the connection.

7.3 Legal basis

Processing by heyFinance of the data received from Qwist is based on your explicit consent (Art. 6(1)(a) GDPR). You may withdraw consent at any time by disconnecting your bank account via account settings; prior processing remains lawful.

7.4 Revoking access

You can disconnect a synced bank account at any time from within heyFinance. Upon disconnection, we revoke Qwist's access token for your account. Previously imported transactions remain in your heyFinance account unless you delete them manually.

7.5 Availability and end of access

Bank account sync is offered as part of paid plans (and may also be available during the free trial period). If you do not subscribe to a plan that includes bank sync after your trial ends, or if you downgrade to a plan that does not include this feature, your access to the bank sync feature will be discontinued. In that case, we will instruct Qwist to revoke the access token associated with your account and to delete the associated bank connection data held on Qwist's side. Because heyFinance is not itself a licensed payment institution, this revocation and deletion is initiated by us via a support request to Qwist and is not automatic. We aim to complete this within 30 days of your loss of access to the feature. You can also disconnect your bank account at any time directly in your heyFinance account settings, which immediately revokes the token; you may additionally contact Qwist directly to request deletion of any data they hold about you.

Last updated: May 2026