Privacy Policy - Saowa

1) Controller and scope

Saowa is currently operated by Daniel Philipps. This policy applies to Saowa accounts, the portal, Saowa Budget, and other Saowa services unless a product has a separate product-specific privacy policy.

2) Data we process

• account and identity data such as email address, profile basics, legal-consent version, recovery state, and security metadata
• service data you create or upload, such as budgets, transactions, categories, shopping lists, support messages, and other content required to operate the service
• billing and subscription data where applicable, including plan, status, customer identifiers, invoice metadata, and payment-provider event references
• security, abuse-prevention, and operational data such as login attempts, short-lived access logs, webhook events, and incident evidence
• aggregate analytics and performance data through self-hosted Plausible and client performance telemetry

3) Why we process data

• to create and secure accounts, authenticate users, and recover access
• to deliver the services users ask for, including syncing and collaboration features
• to process subscriptions, invoices, and fraud or abuse controls
• to monitor reliability, debug incidents, and improve product performance
• to comply with accounting, security, and legal obligations

4) Legal bases

• performance of a contract when Saowa provides the service you asked for
• legitimate interests in securing, operating, and improving the service
• legal obligations where accounting, security, audit, or regulatory retention is required
• consent where a specific feature or legal flow is presented as consent-based

5) Providers and recipients

• Authentik is used for sign-in and identity management
• Stripe is used for paid subscriptions and billing where applicable
• Plausible is used for self-hosted aggregate analytics
• Saowa self-hosted infrastructure stores application data, backups, logs, and operational evidence
• data may also be shared where required by law or necessary to protect the service and its users

6) Retention

• short-lived access and security logs are rotated and deleted on operational schedules
• account, support, and service data are kept while the account or service relationship remains active and afterwards only as needed for security, dispute handling, accounting, backup, or legal obligations
• billing records are kept for the period required by accounting and tax law
• users can request export or deletion where available, but some data may need to be retained to meet legal or security obligations

7) Security

Saowa uses technical and organisational measures such as authentication controls, tenant isolation, row-level security where applicable, short log retention, monitoring, backup routines, and incident response procedures. No service can guarantee perfect security.

8) Personal data breaches

If Saowa becomes aware of a personal data breach that requires notification under applicable law, Saowa will notify the competent supervisory authority and affected users where required.

9) Your rights

• access, correction, deletion, restriction, objection, and data portability where those rights apply
• the right to withdraw consent for processing that is based on consent
• the right to complain to your local supervisory authority, including Datatilsynet in Norway

10) Contact

For privacy, legal, support, export, or deletion requests, use the public Support page.

Support

Processors

If you believe Saowa handles personal data unlawfully, you may also complain to Datatilsynet or your local EEA supervisory authority.