Privacy Policy
Last updated: 16 February 2026 · Version 2.0
1. Introduction
JoinFunds ("we", "us", "our") is the data controller responsible for your personal data. We are committed to protecting and respecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This policy explains what data we collect, why we collect it, how we protect it, and how you can exercise your rights. We have built privacy controls directly into JoinFunds so you can manage your data yourself without needing to contact us.
If you have any questions about this policy, please contact us at privacy@joinfunds.app.
2. What Data We Collect
We collect and process the following categories of personal data when you use JoinFunds (UK GDPR Article 13):
- Account information: your email address and authentication method (Google OAuth or magic link). We never store passwords.
- Banking metadata: bank names, account types, and account labels. We never collect or store your bank credentials, sort codes, or account numbers.
- Transaction data: transaction descriptions, amounts, dates, and currencies as imported from your CSV files
- Financial organisation: spending categories, categorisation rules, budgets, savings goals, and projects you create
- Household information: household membership, partner relationships, and role assignments (owner or partner)
- Exchange rates: currency conversion rates for multi-currency support (GBP, EUR, RON). These are shared system data and not linked to your identity.
- Import metadata: import logs, CSV column mapping configurations, and duplicate detection records
- Consent records: timestamps of when you accepted this privacy policy and any subsequent versions (UK GDPR Article 7)
CSV files never leave your device
CSV files are parsed entirely in your browser using a dedicated web worker. Raw CSV data is never uploaded to our servers. Only the structured transaction data you choose to import is sent to our database.
3. Lawful Basis for Processing
We process your personal data on the following legal bases (UK GDPR Article 6):
- Contract (Article 6(1)(b)): processing is necessary to provide you with the JoinFunds service that you signed up for, including storing your transaction data, managing budgets, and enabling household collaboration
- Legitimate interest (Article 6(1)(f)): enabling UK couples to manage household finances together, improving our service quality, and ensuring platform security
- Consent (Article 6(1)(a)): your explicit acceptance of this privacy policy before accessing the dashboard. You may withdraw consent at any time by deleting your account.
4. How We Use Your Data
We use the data we collect for the following purposes:
- Transaction categorisation using pattern matching against your categorisation rules
- Budget tracking, progress monitoring, and threshold alerts
- Monthly spending reviews and collaborative review workflows with your partner
- Multi-currency conversion between GBP, EUR, and RON using cached exchange rates
- Partner visibility controls, allowing you to set accounts as shared, balance only, or private
- Duplicate detection during transaction imports to prevent double-counting
- Generating spending insights, annual trends, and net worth tracking
- Savings goal tracking with milestone calculations and partner contribution breakdowns
We do not use your data for profiling, automated decision-making, or targeted advertising. Your financial data is used solely to provide you with the budgeting service.
5. Data Sharing and Third Parties
We use a limited number of third-party service providers to operate JoinFunds. Each provider processes data only as necessary to deliver their specific service:
- Supabase — database hosting and authentication (EU region, eu-west-2, London)
- Vercel — application hosting and content delivery
- Resend — transactional emails only (partner invitations, deletion confirmations, magic link authentication)
- ExchangeRate-API — currency conversion rates. No personal data is sent to this service; only currency pair identifiers.
We never sell your data
We never sell, rent, or share your personal data, transaction data, financial information, or spending patterns with any third party for marketing, advertising, or analytics purposes. Full stop.
6. Data Retention
We follow the principle of storage limitation (UK GDPR Article 5(1)(e)). Data is retained only as long as necessary for its purpose:
| Data Type | Retention | Enforcement |
|---|---|---|
| Transactions, budgets, categories | Lifetime of account | User-controlled |
| Expired invitations | 7 days after expiry | Automated daily cleanup |
| Security audit logs | 90 days | Automated daily cleanup |
| Import logs | 1 year | Automated daily cleanup |
| Deleted accounts | 30-day grace period | Automated daily cleanup |
Retention enforcement runs automatically every day via a scheduled cleanup process. No manual intervention is required. After the retention period, data is permanently and irreversibly deleted.
7. Your Rights — Built Into JoinFunds
Under UK GDPR, you have extensive rights over your personal data. Unlike many services where you need to email support and wait, we have built these rights directly into the product so you can exercise them yourself, instantly.
Right of Access (Article 15) — Self-Service Data Export
Go to Settings → Data Export and download a complete copy of all your personal data as a JSON file. This includes your household details, bank accounts, every transaction, categories, budgets, savings goals, rules, and audit history. No waiting, no email required.
Right to Erasure (Article 17) — Account Deletion
Go to Settings → Delete Account to request permanent deletion of your account and all associated data. A 30-day grace period allows you to change your mind. After 30 days, all data is permanently deleted including your transactions, accounts, budgets, categories, and savings goals. Your partner (if any) is notified and household ownership is transferred automatically.
Right to Data Portability (Article 20) — Structured Export
Your data export is provided as a single JSON file containing all your data in a structured, machine-readable format. This includes your household details, bank accounts, transactions, categories, budgets, savings goals, rules, and audit history.
Right to Rectification (Article 16) — Edit Your Data
You can edit your transactions, categories, budgets, and account details at any time through the app. All changes are logged in an audit trail for transparency.
Right to Object & Restrict Processing (Articles 21 & 18)
To object to processing or request restrictions, please contact us at privacy@joinfunds.app. We will respond within 30 days.
8. How We Protect Your Data
We take the security of your financial data seriously. Our security measures are not just policy — they are enforced technically at every layer:
Database-level isolation
Row Level Security (RLS) policies on every table ensure your data is completely isolated from other households. Even if an application bug exists, the database itself prevents cross-household data access.
Passwordless authentication
We use Google OAuth and magic links exclusively — no passwords to steal, leak, or brute-force. Sessions are short-lived (15 minutes) with automatic refresh token rotation.
Encryption in transit
All connections use TLS encryption. HTTPS is enforced with strict transport security headers (HSTS).
API protection
Rate limiting on all endpoints, CSRF protection, Content Security Policy headers, and input validation using strict schemas on every API route.
Security event logging
Sensitive operations — data exports, account deletions, consent changes, partner invitations — are logged to an immutable security audit trail.
Partner privacy controls
Account visibility levels (shared, balance only, or private) give you granular control over what your partner can see — enforced at the database level, not just the UI.
Client-side file processing
Bank CSV files are parsed in your browser using an isolated web worker. The raw file never touches our servers — only the structured data you approve is imported.
9. Data Protection Impact Assessment
In accordance with UK GDPR Article 35, we have conducted a Data Protection Impact Assessment (DPIA) for the processing of household financial data through our platform. The assessment covers data flows, risk analysis, and mitigation strategies for all personal data processing activities.
A copy of this assessment is available upon request by contacting privacy@joinfunds.app.
10. Breach Notification
In the unlikely event of a personal data breach, we will comply with UK GDPR Article 33 by notifying the Information Commissioner's Office within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly (Article 34) without undue delay, with clear information about what happened, what data was affected, and what steps we are taking.
11. International Data Transfers
Your data is primarily stored in the EU (London region, eu-west-2) via Supabase. Where our service providers process data outside the UK, they do so under appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the UK government. We continuously monitor our providers' compliance with data protection standards.
12. Children's Data
JoinFunds is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.
13. Changes to This Policy
We may update this privacy policy to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you through an in-app consent dialog, and you will need to accept the updated policy before continuing to use JoinFunds.
The version number and date at the top of this page indicate when the policy was most recently revised. Prior versions of this policy are available on request.
14. Your Consent
By accepting this privacy policy through the in-app consent dialog, you confirm that you have read and understood how we collect, use, and protect your data. Your acceptance is recorded with a timestamp in accordance with UK GDPR Article 7 (Conditions for Consent).
You may withdraw your consent at any time by deleting your account through Settings → Delete Account. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
15. Contact Us
For any data protection queries or to exercise your rights, please contact us:
- Email: privacy@joinfunds.app
- In-app: Most rights can be exercised directly from your Settings page
We aim to respond to all data protection requests within 30 days, as required by UK GDPR Article 12.
JoinFunds is registered with the Information Commissioner's Office (ICO). Registration number: C1891815.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113