Privacy Statement

Spendle is owned by SOBERING ICT. Below we explain how we process personal data when you use Spendle.

Sobering ICT (Chamber of Commerce no. 34353119)
VAT number: NL185691043B01
Contact: info@spendle.com
Address: Box A2542 Keurenplein 41, 1069CD Amsterdam, The Netherlands

SOBERING ICT is the data controller for data processing in Spendle. For privacy-related questions you can contact us by email at info@spendle.com.

Personal data that is processed

SOBERING ICT processes personal data when you use Spendle or contact us. This concerns:

• Account data: your email address and (if applicable) license and subscription information.
• Financial data in your administration: transactions, balances and (with a PSD2 connection) account information. This data is processed solely by the app and stored in a way that is unreadable to SOBERING ICT, in encrypted form.
• Attachments in your administration: documents you link to your bookkeeping, also stored only in encrypted form.
• Technical data: your IP address and technical log data needed for security and correct operation of the service.
• Reference to connection data: a reference to the PSD2 access/connection, including status and validity period. We use this to manage the number of active bank connections, to ensure the service works correctly, and to provide support. These references do not contain transaction or balance data.

Storage of your financial data

You can import CSV transaction data into Spendle and you can create a bank connection via PSD2. Spendle processes this data locally in your browser/app and stores it only in encrypted form. SOBERING ICT has no access to the contents of your administration; only you have the administration password/key.

The Spendle application stores your administration as an AES-256 encrypted local working file in your browser’s IndexedDB, encrypted with your administration password. You can save and synchronize the encrypted working file via an online Spendle account. In doing so, your encrypted administration data is sent over a secure HTTPS connection and stored by SOBERING ICT only in encrypted form under your account.

Administration attachments are encrypted locally with AES-256 using a key derived from your administration password, and are stored under your account with AES-256 server-side encryption in an Amazon Web Services S3 bucket, region eu-central-1. AWS acts as a processor for storage purposes.

Why SOBERING ICT needs data

SOBERING ICT processes personal data for the following purposes:

• Creating and managing your Spendle account and providing the service (performance of a contract).
• Providing and validating licenses/subscriptions (performance of a contract).
• Managing PSD2 bank connections (such as tracking active connections and consent status) and providing support (performance of a contract).
• Resetting your password and providing support (performance of a contract and, where necessary, legitimate interest in keeping the service safe and reliable).
• Sending relevant product and service information. Where this concerns marketing, you can easily opt out (legitimate interest or consent, depending on the type of message).

How long SOBERING ICT retains data

SOBERING ICT does not retain personal data longer than necessary for the purposes for which it was collected:

• We retain account and contact data as long as your account is active.
• We retain encrypted administration files and attachments as long as your Spendle account is active.
• After termination of your account, we delete your account data and the server copies of your encrypted administration within 5 days.
• If no (renewed) agreement is concluded, we retain your data for a maximum of one year.

Sharing with others

SOBERING ICT only shares personal data with parties that are necessary to provide Spendle, or to comply with legal obligations. This concerns:

• Hosting and storage: Amazon Web Services (AWS) as processor for encrypted storage.
• PSD2 bank connections: GoCardless to retrieve account information with your consent. GoCardless processes this as an independent account information service under their own terms and privacy statement.

Accessing, correcting or deleting data

You have the right to access, correct, have deleted, or transfer (data portability) your personal data. You can also object to certain processing or ask us to restrict processing. If processing is based on your consent (for example a PSD2 connection), you can withdraw that consent at any time.

You can send a request to info@spendle.com. SOBERING ICT will respond to your request as soon as possible, but no later than within one month. If you are not satisfied with how we handle your data, you can file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

Security

SOBERING ICT takes the protection of your data seriously and takes appropriate technical measures to prevent misuse, loss, unauthorized access, unwanted disclosure and unauthorized modification. This includes encryption, access restrictions and logging. If you believe your data is not properly secured or there are indications of misuse, please contact us at info@spendle.com.

PSD2 connection via GoCardless

To connect your bank account via GoCardless, GoCardless retrieves account information with your consent (such as balance and transaction data). GoCardless processes this as an independent account information service under their own terms and privacy statement. See the GoCardless privacy statement.

SOBERING ICT as partner party

SOBERING ICT acts as a partner party for the account information service and facilitates the secure connection. The approval to retrieve account information is valid for 180 days and is stored in your Spendle administration.

With this approval and a valid Spendle account, you can use the Spendle application to retrieve balance and transaction data for the accounts you selected via a secure HTTPS connection. The information is passed to the Spendle application, where your data is stored locally in encrypted form and is only readable by you. SOBERING ICT does not store this retrieved data unencrypted and has no access to its contents. We do retain limited technical connection metadata (such as a reference to the PSD2 access and the status/term of the connection) to manage connections and provide support.

Withdrawing approval

You can withdraw approval for retrieving account and transaction data at any time in Spendle or at the connected bank. After withdrawal, Spendle will no longer retrieve new bank data. Existing encrypted data in your administration remains available until you delete it yourself.