Effective Date: 1 June 2025

Welcome to Endute! We are committed to protecting your privacy and handling your personal data in an open and transparent manner. This Privacy Policy explains how Endute ("we," "us," or "our") collects, uses, shares, and protects your personal data when you use our web-based personal finance application and related services (collectively, the "Services").

1. Who We Are

Endute is a comprehensive personal finance platform designed to empower individuals to manage their budgets, track transactions (both manually entered and imported via Open Banking), oversee investments and tangible assets, plan towards financial goals, and generate insightful financial reports.

For any privacy-specific questions or concerns, you can reach us at:

Email:privacy@endute.com

2. What Personal Data We Collect

We collect and process various categories of personal data to provide and improve our Services:

a. Account & Profile Information:

Identifiers: Your name (as given to us by you), email address, chosen username.

Authentication Credentials: Password (which is securely hashed and never stored in plaintext by us).

Profile Settings: Your chosen base reporting currency, display name, country.

Security Settings: Multi-Factor Authentication (MFA) status (enabled/disabled), MFA method (e.g., TOTP), encrypted TOTP backup codes, and information about trusted devices used for MFA (e.g., user agent, IP address, token expiry).

Communication Preferences: Your preferences for receiving marketing communications.

Onboarding Status: Whether you have completed the initial onboarding process.

Email Verification Status: Whether your email address has been verified, and any pending email address changes.

b. Financial Data (Entered by You or Imported with Your Consent):

Account Details: Information about your financial accounts, including account names, user-assigned account types (e.g., Checking, Savings, Investment, Loan, Credit Card, Cash), account currency, opening balances, and opening balance dates.

Transaction Data: Details of your financial transactions, including dates, descriptions, amounts, categories, payees, status, currency, and any associated notes or references. This includes split transaction details.

Scheduled Transactions: Information about recurring transactions you set up, including frequency, next due dates, amounts, and linked accounts/categories/payees.

Budgeting Data: Your budget allocations for various categories and your preferences for which categories appear in your budget view.

Investment Data: Details of securities you track, which can be linked to symbols or be custom-defined assets (including custom names, symbols, and currencies); Security transaction details (buy, sell, add, remove), including quantity, price per share, fees, and dates; Manually entered prices for custom securities.

Tangible Asset Data: Information about tangible assets you track, such as property or vehicles, including name, description, currency, acquisition details, and manually entered value entries over time.

Financial Goals Data: Details of financial goals you set, including name, target amounts, target dates, current saved amounts, and contributions.

Open Banking Data (with your explicit consent): If you choose to connect your bank accounts, we will receive account details (e.g., account identifier, truncated name, currency, bank name) and transaction history for the accounts you select. We do not receive or store your bank login credentials.

Spending Habit Data: System-calculated or user-overridden ratios for how spending in certain categories is typically split between cash-like and credit card accounts.

c. Subscription & Billing Information:

Your subscription plan type (e.g., trial, paid plan), status (e.g., active, trialling, expired), and plan/trial start and expiry dates.

Stripe Customer ID and Stripe Subscription ID, which are generated by Stripe and stored by us to manage your subscription.

Note: Your full payment method details (e.g., credit card number) are processed and stored directly by Stripe, our payment processor, which is PCI-DSS compliant. We do not directly collect or store this sensitive payment information.

d. Technical & Usage Data:

IP Address: We collect your IP address during onboarding to suggest a default currency and potentially for security logging and fraud prevention.

Device and Browser Information: Standard information your browser sends, such as browser type, operating system, and device type, may be collected for service functionality, security, and aggregated analytics.

Cookies and Session Tokens: We use cookies and session tokens for essential functions like maintaining your login session, managing security features (e.g., CSRF protection), and remembering trusted devices for MFA. Please see Section 11 (Cookies) for more details.

API Interaction Logs: We may log requests to our API for troubleshooting, security analysis, and performance monitoring. These logs may include IP addresses.

Anonymized Usage Analytics: We may collect anonymized and aggregated data about how you interact with our Services (e.g., features used, page views) to understand usage patterns, improve service performance, and enhance user experience. This data does not personally identify you.

e. Communication Data:

If you contact us for support or provide feedback, we will collect the content of your communications and any information you provide.

3. How We Collect Your Data

We collect personal data in the following ways:

Directly from You:

When you register for an Endute account and complete your profile.

When you manually input financial data (accounts, transactions, budgets, goals, assets, etc.).

When you configure your account settings, including notification preferences and MFA.

When you contact our support team or provide feedback.

Automatically When You Use Our Services:

Through cookies and session management for authentication and site functionality.

When you use features that process your existing data (e.g., generating reports, forecasts).

We may log technical information like IP addresses for security and operational purposes.

From Third Parties (With Your Authorization):

Open Banking: When you explicitly consent and choose to connect your bank accounts, our third-party provider facilitates the secure connection, and we receive account information and transaction data from your bank via this third-party.

Stripe: When you subscribe to a paid plan, Stripe provides us with your Stripe Customer ID, Subscription ID, and subscription status to manage your access.

Other third-parties: We fetch market data for securities you track using non-identifiable ticker symbols. During onboarding, your IP address is used by this service to suggest a default currency. No personal data is sent to these third-parties from your account.

4. Legal Bases for Processing Your Data

We process your personal data based on the following legal grounds, in compliance with GDPR and UK data protection laws:

Contractual Necessity: To fulfil our contract with you to provide the Endute Services, including:

Creating and maintaining your account.

Processing your financial data to enable budgeting, tracking, reporting, and other core features.

Managing your subscription and processing payments via Stripe.

Consent: Where you have given us explicit consent for specific processing activities, such as:

Connecting your bank accounts via Open Banking.

Enabling Multi-Factor Authentication (you actively set this up).

Receiving marketing communications (if you opt-in).

Using non-essential cookies (if any were to be introduced).

You have the right to withdraw your consent at any time for processing based on consent.

Legitimate Interests: Where necessary for our legitimate interests, provided these interests are not overridden by your rights and interests. This includes:

Ensuring the security and integrity of our platform (e.g., fraud prevention, security monitoring).

Improving and developing our Services (e.g., through anonymized usage analytics, debugging).

Sending essential service-related communications (e.g., updates to terms, critical security notices).

Responding to your support requests and inquiries.

Legal Obligation: To comply with our legal and regulatory obligations, such as:

Maintaining financial records for tax and accounting purposes related to subscriptions.

Responding to lawful requests from authorities.

5. How We Use Your Data

We use your personal data for the following purposes:

To Provide and Maintain Our Services:

Authenticate you and manage your account access.

Enable you to input, track, and manage your financial information (accounts, transactions, budgets, goals, investments, assets).

Calculate and display financial reports, summaries, and forecasts based on your data.

Facilitate Open Banking connections and data import as directed and consented by you.

Fetch market data for securities you track.

Process scheduled transactions.

To Manage Your Subscription:

Process payments and manage your subscription plan through Stripe.

Communicate with you about your subscription status, billing, and renewals.

To Communicate With You:

Send essential service-related announcements (e.g., maintenance, security updates, changes to our terms or policies).

Respond to your support requests and feedback.

Send marketing communications, special offers, or newsletters if you have opted-in to receive them.

To Improve and Secure Our Services:

Monitor and analyze usage trends to improve features, usability, and performance (often using aggregated or anonymized data).

Diagnose and fix technical issues.

Prevent fraud, protect the security of our Services, and enforce our Terms and Conditions.

For Legal and Compliance Purposes:

Comply with applicable laws, regulations, court orders, or other legal processes.

We are committed to your privacy and will NOT:

Sell your personal data to third parties.

Use your specific financial data for targeted advertising by third parties.

Access your online banking login credentials – these are handled directly and securely by a third-party aggregator and your bank during the Open Banking connection process and are never visible to or stored by Endute.

6. Who We Share Your Data With

We do not sell your personal data. We only share your personal data with trusted third-party service providers under strict data processing agreements, where necessary to provide and improve our Services, or as required by law. These include:

Stripe: Payment processing & subscription management - User ID, email, name, subscription details, Stripe Customer ID/Subscription ID. (Payment method details are handled directly by Stripe's secure environment).

Open Banking API provider: Open Banking aggregator - User consent information, chosen bank institution ID. This third-party facilitates your direct interaction with your bank for account linking and data retrieval. Endute receives account details and transaction data as authorized by you via this third-party.

We may also disclose your personal data if required by law, such as to comply with a subpoena, or when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request. In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction, and we will notify you accordingly.

7. International Data Transfers

Our primary servers and database are hosted on servers located within the EEA.

Some of our third-party service providers (as listed in Section 6) may be based outside the UK or European Economic Area (EEA). When your personal data is transferred to these countries, we take steps to ensure that your data is protected to the same standards it would be within the UK/EEA.

For example, Stripe (US-based) and Mailjet (may process data in US/EU) adhere to these transfer mechanisms.

8. Data Retention

We retain your personal data for as long as your Endute account is active and for a limited period thereafter as necessary to fulfil the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

Active Account: Your financial data, profile information, and other data you provide are retained to allow you to use the Services.

Account Deletion:

When you request account deletion (see Section 9), we will initiate a process to permanently delete or anonymize your personal data from our active systems.

Most of your core application data (profile, accounts, transactions, budgets, goals, etc., stored in our primary database) will be deleted or fully anonymized within 60 days from the confirmation of your deletion request. This timeframe allows for safe processing and prevents accidental data loss.

Data processed by third-party services like Stripe will be subject to their retention policies. For example, Stripe may retain certain transaction and customer data for its own legal and compliance obligations. We will instruct Stripe to delete your customer object and cancel subscriptions as part of our deletion process where their API allows.

Anonymized or aggregated data that does not identify you may be retained for analytical and service improvement purposes.

Backup copies of your data may be retained for a limited period in our backup archives for disaster recovery purposes, but will be isolated and not used for operational purposes, and will be deleted in line with our backup rotation schedule.

Legal & Regulatory Requirements: We may retain certain information for longer periods if required by law (e.g., financial records related to our own business transactions with you for subscriptions, tax purposes) or for legitimate business needs such as resolving disputes or enforcing our agreements.

9. Your Data Protection Rights

Under data protection laws such as the GDPR, you have various rights regarding your personal data. Subject to legal limitations, these rights include:

Right to Access: You can request a copy of the personal data we hold about you.

Right to Rectification: You can request that we correct any inaccurate or incomplete personal data. Much of this can be done directly through your account settings.

Right to Erasure (Right to be Forgotten): You can request that we delete your personal data from our systems. (See Section 8 for details on account deletion).

Right to Restrict Processing: You can request that we restrict the processing of your personal data under certain conditions.

Right to Object: You can object to our processing of your personal data based on legitimate interests or for direct marketing purposes.

Right to Withdraw Consent: Where we rely on your consent to process personal data, you can withdraw that consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal.

Rights related to Automated Decision-Making and Profiling: Endute does not currently engage in automated decision-making that produces legal effects or similarly significantly affects you.

To exercise any of these rights, please contact us using the details provided in Section 14 (Contact Us). We will respond to your request within the timeframes required by applicable law (typically one month). We may need to verify your identity before processing your request.

10. Data Security Measures

We take the security of your personal data very seriously and implement a range of technical and organizational measures to protect it against unauthorized access, alteration, disclosure, or destruction. These measures include:

Authentication: Secure password hashing (we never store your password in plaintext).

Multi-Factor Authentication (MFA): Support for Time-based One-Time Passwords (TOTP).

Encryption:

HTTPS (SSL/TLS) for all data transmitted between your browser and our servers.

Encryption at rest for sensitive data, such as encrypted storage for your TOTP backup codes.

Database-level encryption or filesystem encryption on our servers where appropriate.

Access Controls: Role-based access controls and permissions within our systems to limit access to personal data to authorized personnel only.

Infrastructure Security: Hosting on datacentre with industry-standard security practices implemented by our provider.

Data Minimization: We strive to collect only the personal data necessary for the purposes specified in this policy.

Regular Reviews and Updates: We regularly review our security practices and update them as necessary to address new threats and vulnerabilities.

Secure Third-Party Integrations: We carefully vet and integrate with third-party services that have robust security measures for handling sensitive data like payments and bank connections.

While we implement these robust security measures, please remember that no method of transmission over the Internet or method of electronic storage is 100% secure. Therefore, we cannot guarantee its absolute security.

11. Cookies and Similar Technologies

We use cookies and similar technologies (like browser local storage) for essential functionality of our Services.

Strictly Necessary Cookies/Storage: These are essential to provide you with services available through our website and to use some of its features, such as access to secure areas. Without these, the services you have asked for cannot be provided. This includes:

Session cookies to keep you logged in.

Security cookies.

Cookies or local storage to remember your trusted devices for MFA.

No Marketing Cookies: We currently **do not use** cookies for marketing or advertising on the Endute application.

You can instruct your browser, by changing its options, to stop accepting cookies or to prompt you before accepting a cookie from the websites you visit. If you do not accept essential cookies, however, you may not be able to use all aspects of our Services effectively.

12. Children's Data

Endute is not intended for or directed at individuals under the age of 18. We do not knowingly collect personal data from children under 18. If we become aware that a child under 18 has provided us with personal data, we will take steps to delete such information. If you believe that we might have any information from or about a child under 18, please contact us.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, service offerings, legal requirements, or for other operational reasons. If we make material changes, we will notify you by email (sent to the email address specified in your account) or by means of a prominent notice within the Endute application. We encourage you to periodically review this page for the latest information on our privacy practices.

14. Contact Us

If you have any questions, concerns, or complaints about this Privacy Policy or our data handling practices, or if you wish to exercise your data protection rights, please contact us at privacy@endute.com.

You also have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data infringes applicable data protection law. For users in the UK, this is the Information Commissioner's Office (ICO). For users outside of the UK, you can contact your local data protection authority.

-----