Privacy Policy
Last updated: 19 April 2026
1. Introduction
This Privacy Policy explains what personal data Kippu collects, why we collect it, how we use it, and the rights you have over it. We’ve written it in plain language. Where a technical or legal term matters, we explain what it means.
If anything here is unclear, email privacy@kippu.co.
2. Who is responsible for your data
The data controller — the entity that decides how and why your data is processed — is Sigitur, operator of Kippu.
Sigitur does not have a formal Data Protection Officer (we’re small enough that GDPR doesn’t require one). The privacy contact is Luis Tenorio, reachable at privacy@kippu.co.
3. What we collect, and why
We try to collect the minimum data needed to run Kippu. Here’s the complete list:
Account data (required):
- Email address — used to sign you in, send service emails, and contact you about your account
- Name — shown in the app and used to personalize emails
- Date of birth — used to verify you meet the 16+ minimum age at signup and on profile updates; stored so we don’t need to ask repeatedly
- Password hash — we use bcrypt, a modern password-hashing algorithm. We never store or see your plaintext password.
- OAuth identifier (if you sign in with Google or another provider) — used to authenticate you
Financial data you enter:
- Wallets, transactions, categories, budgets, and any notes or attachments you add
- This is your data. We process it to give you the app’s features back — balances, summaries, charts. We don’t analyze it for any other purpose.
Payment data:
- Handled by Stripe. We never see or store your card numbers. Stripe shares with us only what we need to show you your subscription in Kippu: subscription status, billing history metadata, and partial card details (last four digits, card brand).
Technical data:
- IP address — logged by our web server for security and troubleshooting; retained for up to 30 days, then deleted
- Session identifier — a random value stored in a cookie that lets you stay logged in
- Device and browser information — general info the browser sends (user agent, screen size) that we sometimes log for debugging
Product usage data (first-party only):
- Feature and screen events — which features are used and which screens are viewed, so we can tell what’s working and what isn’t. Associated with your account so we can distinguish a pattern from a fluke, never linked to any third party.
- Error reports — when something breaks in the app, we log what broke and where, so we can fix it.
- Aggregate counts — summary numbers like “how many accounts have at least one recurring transaction,” produced from the events above.
This data lives on our own servers, runs through our own software, and is used only to improve Kippu. It is never sent to Google, Meta, Mixpanel, or any other third-party analytics or advertising company. We do not record individual sessions, replay your interactions, or build behavioral profiles for marketing or advertising purposes.
Support communications:
- If you email us, we keep the thread so we can help you and refer back to it if you reach out again. Retained for up to two years after last contact.
4. What we don’t collect or do
We think it’s worth being explicit about what Kippu doesn’t do, because these absences are part of why we exist:
- No Google Analytics, Facebook Pixel, or third-party analytics of any kind. Kippu ships with zero third-party trackers. The usage data described in Section 3 is first-party only — it never leaves our own servers.
- No advertising networks. We don’t run ads and we don’t send your data to ad platforms.
- No profiling for advertising or marketing. We don’t build profiles of users to target ads, sell segments, or market to you based on your behavior — internally or externally.
- No selling or sharing your data. Not to data brokers, not to marketers, not to anyone. This is a standing commitment, not a policy we reserve the right to change.
- No training AI models on your data. Your financial data is not used to train or fine-tune any machine learning model.
The open- and click-tracking that Mailgun would normally add to transactional emails is disabled on our account.
5. Legal bases for processing (GDPR)
Under the GDPR, we rely on the following legal bases:
- Contract performance — for account data, financial data you enter, and payment processing. We can’t deliver the service without this.
- Legitimate interests — for security logging, fraud prevention, and first-party product usage data. Our interest is running a safe service and improving the product; we’ve balanced it against your rights and we use minimal data, never shared with third parties for analytics or advertising.
- Legal obligation — for retaining billing records required by tax law.
- Consent — if we ever send non-essential marketing communications (we currently don’t). You can withdraw consent at any time.
6. Who we share data with (subprocessors)
We use a small number of service providers to run Kippu. Each one processes only the data needed for their specific function. Here’s the complete list:
| Provider | What they do | Location |
|---|---|---|
| Stripe, Inc. | Payment processing | United States (global infrastructure) |
| Mailgun Technologies, Inc. | Transactional email | United States |
| DigitalOcean, LLC | Application hosting | Servers in Singapore (SGP) |
| Amazon Web Services, Inc. (S3) | Encrypted backup storage | United States |
Our first-party product analytics run on our own DigitalOcean infrastructure, already listed above. If we ever add a dedicated analytics vendor, we’ll update this list and notify you by email at least 30 days in advance.
If we add any new subprocessor, we’ll update this list and notify you by email at least 30 days in advance.
7. Cookies
Kippu sets two cookies, both strictly necessary:
- kippu-session — a session identifier that keeps you logged in. Expires after 120 minutes of inactivity. HttpOnly, SameSite=Lax, Secure in production.
- XSRF-TOKEN — a security token that prevents cross-site request forgery. Required for forms to work safely.
We don’t set analytics, advertising, or tracking cookies of any kind, which is why we don’t show a cookie consent banner — there’s nothing to consent to beyond what’s strictly necessary for the service to function.
When you pay, Stripe’s hosted checkout page (not ours) sets its own cookies for fraud prevention. We don’t control those; Stripe’s cookie notice explains them.
8. International data transfers
Our servers are in Singapore. If you’re in the European Economic Area, United Kingdom, or another region with data protection laws, your data is transferred outside your region when you use Kippu.
We rely on Standard Contractual Clauses with our subprocessors where required. Singapore’s Personal Data Protection Act (PDPA) also provides meaningful safeguards.
9. How long we keep your data
- Live account data — retained for as long as your account exists. Deleted within 30 days of account closure.
- Encrypted backups — rotated out within 90 days. Deleted data may persist in an encrypted backup for up to 90 days after you close your account, then is permanently destroyed.
- Billing and tax records — retained for the period required by tax law (typically up to seven years for US records), then deleted.
- Server logs (IP addresses) — up to 30 days, then deleted.
- Product usage data — individual events retained for up to 12 months, then deleted. Aggregate counts derived from those events may be kept longer, but they are not linked back to any individual account.
- Support emails — up to two years after our last exchange.
10. Your rights
Under the GDPR and similar laws, you have the following rights:
- Access — ask us what data we hold about you
- Rectification — correct inaccurate data; most fields you can edit yourself in your account
- Erasure (“right to be forgotten”) — ask us to delete your data; see the Retention section for how this works with backups and legal records
- Restriction — ask us to stop processing while we resolve a dispute
- Portability — receive your data in a structured, machine-readable format (you can do this yourself via the export feature; we provide CSV + JSON)
- Objection — object to processing based on legitimate interests, including our product usage logging
- Withdraw consent — where we rely on consent, you can withdraw it any time
If you’re in the EEA or UK, you also have the right to complain to your national data protection authority.
11. How to exercise your rights
Email privacy@kippu.co with your request. We respond within 30 days — usually sooner. For identity verification, we’ll typically need the request to come from the email address on your account.
There’s no charge for a reasonable request. If a request is clearly excessive or repetitive, we may decline or charge a reasonable fee; we’ll explain why if we do.
12. Children
Kippu is not for children under 16. We require a date of birth at signup, and reject accounts that don’t meet the age requirement. Our profile update flow re-applies the same check.
If you believe a child under 16 has created an account, email privacy@kippu.co and we’ll delete it. We don’t knowingly collect data from children under 16, and if we discover we have, we remove it.
If you’re 16 or 17, we ask that you have your parent or guardian’s permission before signing up, as our Terms require.
13. Security
We take practical, reasonable measures to protect your data:
- All traffic is served over HTTPS (TLS 1.2 or higher)
- Passwords are hashed using bcrypt — we never store them in plaintext
- Backups are encrypted at rest
- Database credentials, API keys, and secrets are stored in environment configuration, not in code
- We limit access to production systems to a small number of people with a legitimate need
- We keep our dependencies up to date
No system is perfectly secure, but we take this seriously and work to keep current with good practice.
14. Data breach notification
If we discover a data breach that’s likely to pose a meaningful risk to you, we will:
- Notify you by email without undue delay
- Notify the relevant supervisory authority within 72 hours where GDPR applies
- Explain what happened, what data was affected, what we’re doing about it, and what you should do
15. Changes to this policy
If we make material changes — for example, adding a new subprocessor or changing how we use data — we’ll email you at least 30 days before the changes take effect. Smaller clarifications are made with just a “Last updated” date change.
16. Contact
Privacy questions or requests: privacy@kippu.co