Public legal page

Privacy Policy

This policy explains how Spendolo handles personal data for its proof-of-concept product.

Effective date: 5 April 2026

Working draft for Spendolo's proof-of-concept launch in Europe, including Bulgaria

This page is designed to be usable now, but it still needs a proper legal review before commercial launch. Visible TODO items are left in place on purpose so you know what to replace later.

TODO before launch

  • TODO: Replace the generic controller information with your company name, postal address, and privacy contact email.
  • TODO: List your real processors or subprocessors, including hosting, analytics, email, authentication, and Stripe.
  • TODO: Document any non-EEA data transfers and the safeguards you actually use.
  • TODO: Add final retention periods that match your production systems and support process.
  • TODO: Add versioning and acceptance tracking once backend support exists.

1. Who this policy applies to

This Privacy Policy explains how Spendolo collects and uses personal data when you visit this website, create an account, sign in, manage a subscription, invite team members, or otherwise interact with the service.

It is drafted for an EU-facing software service and is intended to be suitable for an initial launch in Bulgaria. It remains a proof-of-concept draft and should be finalized before commercial launch.

2. Data controller information

For now, Spendolo is publishing this policy without final legal-entity details because the product is still in proof-of-concept mode.

TODO: Replace this section with the full name of the controller, its registered address, registration details, and a dedicated privacy contact email before launch.

3. Personal data Spendolo may collect

Spendolo may collect personal data directly from you, from your sign-in provider, from your organization, or automatically from your use of the service.

  • Account and identity data, such as your name, email address, avatar, and account identifiers.
  • Organization and team data, such as workspace name, invited users, roles, and collaboration settings.
  • Financial and product data that you choose to enter or connect, such as subscriptions, budgets, expense records, purchase history, notes, and merchant information.
  • Payment and purchase data, such as plan selection, billing status, in-app purchases, card brand, last four digits, billing address, transaction references, invoices, and payment-provider metadata.
  • Usage and technical data, such as IP address, browser type, device information, timestamps, logs, and security events.
  • Communication data, such as support messages, feedback, and other correspondence.

4. Why Spendolo uses personal data

  • To create and manage user accounts and authenticate sign-ins.
  • To provide subscriptions, billing, saved payment methods, in-app purchases, team management, and related product features.
  • To maintain security, detect abuse, troubleshoot issues, and protect the service.
  • To communicate about the service, respond to requests, and provide support.
  • To comply with legal obligations, tax rules, accounting obligations, and law-enforcement requests where required.
  • To improve the service through product analytics, testing, and service planning, where that use is lawful and proportionate.

5. GDPR legal bases

When Spendolo processes personal data of people in the EU or EEA, including Bulgaria, it expects to rely on one or more of the following legal bases depending on the context.

  • Contract: processing needed to provide the service you request, including account access, billing, in-app purchases, and customer support.
  • Legitimate interests: processing needed to secure, maintain, and improve the service, provided those interests are not overridden by your rights and freedoms.
  • Legal obligation: processing needed to comply with tax, accounting, fraud-prevention, or other mandatory rules.
  • Consent: processing that depends on consent, where consent is required by law and can be withdrawn later.

6. Your rights

Depending on your location and the applicable law, you may have rights to access, correct, erase, restrict, or object to the processing of your personal data, and to request data portability.

If you believe your rights have been infringed, you may lodge a complaint with the competent supervisory authority. In Bulgaria, that authority is the Commission for Personal Data Protection.

TODO: Add the correct contact route for rights requests before launch.

7. Changes to this policy

Spendolo may update this Privacy Policy from time to time as the service, legal requirements, or data practices change.

Material changes should be communicated through the website, the product, email, or another reasonable channel before or when the updated version takes effect.