Privacy Policy
Last updated · May 20, 2026
Centmond is a personal finance app for iPhone, Mac, and the web. We built it on a simple principle: your money is yours, your data is yours, and the AI that helps you understand both runs on your device, not in someone else's data center. This policy explains exactly what we collect, what we do with it, and what we never do.
The short version
- AI inference runs entirely on your iPhone or Mac. Transactions, receipts, and chat with the assistant never leave your device.
- If you turn on sync, your data is encrypted in transit and at rest and stored on EU-hosted infrastructure so it can move between your devices. Access is restricted per-user by database row-level security.
- We do not sell data. We do not run third-party ad networks. We do not run cross-site trackers. We use one analytics tool (Vercel) that does not set cookies and cannot identify you.
- Bank connections are optional. When you use them, a regulated third-party AISP (Enable Banking, registered in Finland) handles the bank login and holds your consent. We never see your online banking credentials.
Data controller
The controller responsible for processing your personal data under the EU General Data Protection Regulation (GDPR) is:
Seyedmani Hosseinighahroodi
Centmond (sole proprietor, Einzelunternehmen)
Germany
Email: mani.scs.gh@gmail.com
The full postal address required by §5 TMG is on the Imprint page.
What we collect
Account information
When you sign up we collect the minimum needed to create an account: an email address and an authentication token. If you sign in with Google, we receive the basic profile fields that the sign-in provider returns (email, display name, avatar URL). We do not ask for your legal name, address, or phone number.
Sync data
If you enable sync, Centmond stores your accounts, transactions, budgets, subscriptions, goals, household settings, and assistant memory on our backend so you can pick up where you left off on another device. The data is encrypted before it leaves your device and we hold the encrypted blob, not the contents.
Bank-connection data (only if you opt in)
See the dedicated Bank connections section below.
Diagnostic data (only if you opt in)
With your permission, the app may report anonymous crash logs and performance metrics so we can fix bugs. These reports do not include transaction data, account balances, or any content from your assistant conversations.
What we do not collect
- Assistant conversations. Every prompt and every answer is processed locally by a Gemma model running on your device. No request reaches any external inference endpoint.
- Receipt photos. Receipt OCR runs on device using Apple VisionKit. Photos are never uploaded to a server.
- Device or behavioural profiles. We do not fingerprint your device, build a behavioural profile, or follow you across other sites.
- Your bank credentials. When you use the bank connection feature, you authenticate directly with your bank through Enable Banking's consent flow. Your username, PIN, and 2FA codes never touch Centmond's servers.
How we use what we collect
- To authenticate you and protect your account.
- To sync your encrypted data between the devices where you signed in.
- To diagnose and fix bugs you opt in to report, and to improve the app from aggregated usage signals.
- To send service emails such as password resets, security alerts, and material policy changes.
Bank connections
Connecting a bank account inside Centmond is optional. When you choose to connect a bank, we use Enable Banking Oy — a Finnish Account Information Service Provider (AISP) authorised and supervised by the Finnish Financial Supervisory Authority (FIN-FSA) — as the regulated open-banking gateway.
Clicking Connect bank redirects you to your bank's own authentication flow via Enable Banking. Your bank credentials and any 2FA challenge live entirely inside that flow. Enable Banking holds the resulting consent under their AISP licence; Centmond never sees or stores your online-banking credentials.
After a successful connection, Enable Banking passes us:
- Bank name and country.
- Account names, IBANs, balances, and currencies.
- Booked and pending transactions for the period your bank exposes (typically the last 90 days, refreshed daily).
This data is stored under your Centmond account so it appears in your dashboard. You can disconnect a bank at any time from Accounts → Bank connections → Remove; that revokes the Enable Banking session and stops further fetches. Existing transactions stay in your dashboard unless you delete them.
Enable Banking's own privacy policy applies in addition to ours and is available at enablebanking.com/privacy-policy.
Investments price data
If you record a holding in the Investments section, Centmond queries public market-data providers to keep its current price up to date. We only send each provider the public symbol of the asset (e.g. AAPL, BTC) — never your identity, holdings, or any account-level data.
- Finnhub for stock and ETF quotes, company logos, and symbol search.
- CoinGecko for crypto prices and coin icons. No API key, no account, plain HTTPS lookup by symbol.
- Alpha Vantage as a fallback for stock and ETF symbols Finnhub doesn't cover.
Logos returned by these providers are cached alongside your holding so the dashboard can render them without re-fetching. Deleting a holding clears its cached price history and logo on the next sync.
Third parties we share data with
The complete and always-current list of sub-processors, with the data each one receives and where they store it, is on the Sub-processors page. A brief summary:
- Supabase — authenticated storage and database hosting, EU region, GDPR compliant, SOC 2 Type II.
- Vercel — hosting for the website and web app, plus cookie-free Web Analytics for aggregate page-view stats.
- Enable Banking — optional, only when you connect a bank account (Finnish AISP, supervised by FIN-FSA).
- Finnhub, CoinGecko, Alpha Vantage — optional, only when you use the Investments feature. Only public asset symbols are shared.
- Hugging Face — one-time download of the public Gemma model files used by the on-device AI in the iOS and macOS apps.
- Apple — App Store and TestFlight distribution (governed by Apple's own terms).
We do not use third-party advertising networks, third-party analytics platforms, or any cross-site trackers.
Legal basis under GDPR
For users in the European Economic Area, we process personal data on the following legal bases:
- Contract (Art. 6(1)(b) GDPR) — for account creation, authentication, and providing the service, including sync and the bank-connection feature when you use it.
- Consent (Art. 6(1)(a) GDPR) — for optional features such as anonymous crash reporting, the bank-connection consent that you grant via Enable Banking, and any non-essential cookies on the website.
- Legitimate interest (Art. 6(1)(f) GDPR) — for security, fraud prevention, and the minimum operational logging needed to keep the service running.
Cookies and the website
The Centmond website does not set advertising cookies and does not run third-party trackers. Cookies set on the marketing site are strictly necessary for basic site function (for example, remembering you submitted the waitlist form). The signed-in dashboard sets an authentication cookie so we can keep you logged in. These cookies are exempt from consent requirements under §25 (2) Nr. 2 TTDSG and Art. 5 (3) of the ePrivacy Directive.
On top of the legal minimum, we show a cookie consent banner on your first visit. You can accept all categories, reject everything optional, or open the customise view to toggle individual categories. Your choice is stored locally in your browser; you can change it any time via Cookie preferences in the footer.
Currently the only optional category that loads anything is Analytics, which enables Vercel Web Analytics. Vercel Web Analytics is cookie-free, does not track users across sites, and does not collect personal data. If you reject the optional category, no analytics code is loaded.
Data retention
We keep your encrypted sync data for as long as your account is active. When you delete your account, the encrypted blob is removed from our backend within 30 days. Anonymous diagnostic data is kept on a rolling basis (typically 90 days) and then deleted.
Bank-connection consent expires automatically after the period the bank set (commonly 90 days under PSD2). When consent expires, the connection becomes inactive and Enable Banking stops fetching new transactions. Existing transactions stay in your dashboard until you delete them or close your account.
Your rights
From inside the app you can:
- Export your data at any time (CSV, Excel, PDF).
- Delete your account, which removes the encrypted sync blob from our backend.
- Opt out of sync entirely and use Centmond as a local, single-device app.
- Disconnect any bank from the Accounts page, which revokes the Enable Banking session immediately.
Under the GDPR, users in the EEA have the right to access, rectify, erase, restrict the processing of, port, and object to the processing of their personal data, as well as the right to withdraw consent at any time and the right to lodge a complaint with a supervisory authority (for users in Germany, the data protection authority of the federal state where you live). To exercise any of these rights, email mani.scs.gh@gmail.com.
International transfers
Our primary infrastructure (Supabase, Enable Banking) is hosted in the EU. Some sub-processors (Finnhub, Alpha Vantage, Hugging Face, Apple, parts of Vercel) operate from outside the EEA. Where personal data is transferred to such providers, the transfer is covered by Standard Contractual Clauses (SCCs) or an equivalent valid transfer mechanism under Chapter V GDPR.
Children
Centmond is not directed at children under 13, and we do not knowingly collect data from anyone under that age. If you believe a child has provided us with personal information, contact us and we will remove it.
Changes to this policy
If we make material changes, we will update the "last updated" date at the top of this page and, where appropriate, notify you in the app or by email. We will not silently broaden how we use your data.
Contact
For any privacy question, request, or complaint, email mani.scs.gh@gmail.com.