Effective Date: 1 March 2026

Last updated: 1 March 2026

Version: 2.0

Jurisdiction: Republic of Lithuania (EU)

Contact: [email protected]

Supervisory Authority: State Data Protection Inspectorate (VDAI), Lithuania — www.ada.lt

#Privacy Policy This Privacy Policy explains how Wedding Budget Planning (‘we’, ‘us’, ‘our’) collects, uses, shares, and protects your personal data when you use our mobile application and website (collectively, the ‘Service’). It also sets out your rights under the EU General Data Protection Regulation (GDPR) and applicable Lithuanian law.

Note: This Policy applies to all users of the Wedding Budget Planning application and website (weddingbudget.ing). Please read it carefully before using the Service. If you do not agree, please discontinue use.

1. Interpretation and Definitions

1.1 Interpretation

Capitalised terms have the meanings defined below. Definitions apply in both singular and plural forms.

1.2 Key Definitions

For the purposes of this Privacy Policy:

• Account — a unique account you create to access the Service.
• Application — the Wedding Budget Planning mobile application.
• Data Controller — Maksim Mishyn. Referred to as ‘we’, ‘us’, or ‘our’.
• GDPR — the EU General Data Protection Regulation (Regulation 2016/679).
• Personal Data — any information relating to an identified or identifiable natural person.
• Processing — any operation performed on Personal Data (collection, storage, use, disclosure, deletion, etc.).
• Service — the Application and the website weddingbudget.ing, collectively.
• User / You — the individual accessing or using the Service.
• Usage Data — data collected automatically about how the Service is used.

2. Data Controller Identity

The Data Controller responsible for your Personal Data is: Maksim Mishyn, Vilnius, Republic of Lithuania

Privacy contact: [email protected]

Website: weddingbudget.ing

We do not currently have a designated Data Protection Officer (DPO). If our processing activities scale to a level that triggers the GDPR DPO requirement (Art. 37), we will appoint one and update this Policy accordingly. In the meantime, all data protection inquiries should be directed to: [email protected].

3. Personal Data We Collect

3.1 Data You Provide Directly

• Registration data: email address, name / names (if provided).
• Authentication data: passwords (stored in hashed form), PIN codes used for passwordless login (not retained after use).
• Budget and financial data: budget categories, subcategories, amounts, notes, and preferences you enter into the Application.
• Communications: messages you send to us (e.g., support emails).

3.2 Data Collected Automatically

• Device data: device type, operating system, device identifiers.
• Usage data: pages visited, features used, session duration, time and date of activity.
• Network data: IP address, browser type and version, mobile network information.
• Crash and error data: error logs, stack traces (collected via Sentry).

3.3 Data from Third Parties

• If you invite a partner/collaborator to your budget, we receive their email address, which we use to send an invitation. That person becomes a data subject under this Policy upon registration.
• Analytics data received from Google Analytics (see Cookie Policy, Part 2, for details).

4. Legal Bases for Processing (GDPR Art. 6)

We process your Personal Data only where we have a lawful basis to do so. The table below maps each processing activity to its legal basis:

• Account registration and authentication — Art. 6(1)(b) — Contract: Necessary to provide the Service you requested.
• Delivering and maintaining the Service — Art. 6(1)(b) — Contract: Core service delivery including sync and collaboration features.
• Transactional communications (security, account updates) — Art. 6(1)(b) — Contract: Necessary for Service operation.
• Marketing and promotional emails — Art. 6(1)(a) — Consent: Only with your explicit opt-in consent, withdrawable at any time.
• Analytics and usage improvement (Google Analytics) — Art. 6(1)(a) — Consent: Only after obtaining cookie consent; you may opt out via cookie settings.
• Crash reporting and error monitoring (Sentry) — Art. 6(1)(f) — Legitimate Interests: Our legitimate interest in maintaining a stable, secure application.
• Legal compliance (law enforcement requests, etc.) — Art. 6(1)(c) — Legal Obligation: Where required by applicable Lithuanian or EU law.
• Business transfers (e.g. merger or acquisition) — Art. 6(1)(f) — Legitimate Interests: Our legitimate interest in business continuity, subject to appropriate safeguards.

5. How We Use Your Personal Data

• To create and manage your account and authenticate your sessions.
• To provide, operate, and improve the Application and its features.
• To enable budget collaboration between you and invited partners.
• To send you transactional emails: account confirmations, PIN codes, invitation emails, and security alerts.
• To send you marketing communications, only if you have opted in. You may opt out at any time via the unsubscribe link in any marketing email or by contacting us.
• To analyse usage trends and improve the Service (subject to your cookie/analytics consent).
• To detect and prevent fraud, misuse, and security incidents.
• To comply with our legal obligations and defend our legal rights.
• To facilitate a business transaction (merger, acquisition, or asset sale) where your data may be transferred as part of that transaction.

6. Sharing and Disclosure of Personal Data

6.1 Service Providers (Data Processors)

We share Personal Data with the following categories of Service Providers who process data on our behalf under data processing agreements (DPAs) compliant with GDPR Art. 28:

• Sentry (Functional Software, Inc.) — Crash reporting & error logging: Device info, error context, user ID (no financial data).
• Google LLC — Analytics (Google Analytics): Anonymised usage data, device info (see Cookie Policy).
• Resend (Plus Five Five, Inc.) — Transactional email delivery: Email address, name (for personalisation only).
• Hetzner Online GmbH — Application hosting & infrastructure: All data stored in hosted environment.

6.2 Budget Collaborators

When you invite another person to collaborate on a budget, their name and activity within that budget will be visible to you and all invited collaborators. You are responsible for ensuring you have the right to share any information about third parties when entering data into the Application.

6.3 Business Transfers

In the event of a merger, acquisition, financing, or sale of all or part of our business, Personal Data held by us may be transferred to the acquiring entity. We will notify you by email or prominent in-app notice before your Personal Data is transferred and becomes subject to a different privacy policy.

6.4 Legal and Regulatory Disclosure

We may disclose your Personal Data where required by Lithuanian or EU law, or in response to a valid request from a court, law enforcement authority, or government regulator. Where legally permitted, we will notify you of such a request before disclosing your data.

6.5 No Sale of Personal Data

We do not sell, rent, or trade your Personal Data to third parties for their own marketing or commercial purposes.

7. International Data Transfers

Your Personal Data may be processed in countries outside the European Economic Area (EEA), including the United States, where some of our Service Providers (e.g. Sentry, Google) are located. Where such transfers occur, we ensure they are subject to appropriate safeguards in accordance with GDPR Chapter V, specifically:

• Standard Contractual Clauses (SCCs) — incorporated into our Data Processing Agreements with processors.
• Adequacy decisions — where the destination country has been recognised by the European Commission as providing adequate protection.

You may request a copy of the relevant transfer safeguards by contacting us at [email protected].

8. Data Retention

We retain your Personal Data only for as long as necessary for the purposes set out in this Policy, or as required by law.

• Account and profile data — Until account deletion, then 30 days before permanent erasure. Rationale: Providing the Service; recovery window.
• Budget and financial data — Until budget deletion or account deletion, then 30 days. Rationale: Core service functionality.
• Usage and analytics data — Up to 26 months (Google Analytics default). Rationale: Usage trend analysis; configurable in GA.
• Crash and error logs (Sentry) — 90 days. Rationale: Debugging and stability monitoring.
• Email marketing consent records — 3 years after consent or last communication. Rationale: Legal proof of consent (GDPR).
• Legal and compliance records — Up to 10 years. Rationale: Lithuanian statutory requirements.

Upon expiry of the applicable retention period, data is securely deleted or anonymised so it can no longer be associated with you.

9. Security of Your Personal Data

We implement commercially reasonable technical and organisational security measures to protect your Personal Data, including:

• HTTPS encryption for all data transmitted between your device and our servers.
• Secure token storage using platform-specific mechanisms: iOS Keychain and Android Keystore.
• Hashed password storage — plaintext passwords are never stored.
• Automated crash reporting and monitoring via Sentry.
• JWT token refresh mechanisms with 30-day session timeouts.

No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your Personal Data, we cannot guarantee absolute security. If we become aware of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the VDAI within 72 hours and notify you without undue delay, in accordance with GDPR Art. 33–34.

10. Children’s Privacy

The Service is not directed to individuals under the age of 14. We do not knowingly collect Personal Data from children under 14. The age of 14 applies as the digital consent age under Lithuanian law implementing GDPR Art. 8 (which permits member states to lower the EU default of 16 to a minimum of 13).

If you are a parent or guardian and believe your child under 14 has provided us with Personal Data, please contact us at [email protected]. We will take prompt steps to verify and delete such data from our systems.

11. Your GDPR Rights

As a data subject in the EU/EEA, you have the following rights. We respond to all verifiable requests within one (1) month of receipt. In exceptional cases, this may be extended by a further two months, in which case we will notify you within the first month.

• Access (Art. 15) — Obtain a copy of your personal data we hold. How to exercise: Email us at [email protected].
• Rectification (Art. 16) — Correct inaccurate or incomplete data. How to exercise: Account Settings or email us.
• Erasure (Art. 17) — Request deletion of your personal data. How to exercise: Account Settings → Delete Account, or email us.
• Restriction (Art. 18) — Limit how we process your data. How to exercise: Email us with your request.
• Portability (Art. 20) — Receive your data in a machine-readable format. How to exercise: Email us to request a data export.
• Object (Art. 21) — Object to processing based on legitimate interests or direct marketing. How to exercise: Email us or use opt-out links in emails.
• Withdraw Consent — Withdraw consent at any time where processing is consent-based. How to exercise: Account Settings or email us.

To exercise any of these rights, please contact us at [email protected] with the subject line “Data Rights Request”, including your name, the email address associated with your account, and a description of your request. We may need to verify your identity before processing the request.

12. Third-Party Links

The Service may contain links to third-party websites or services. We have no control over and accept no responsibility for the privacy practices or content of those third parties. We encourage you to review the privacy policy of any third-party site you visit.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do so, we will:

• Update the “Effective Date” at the top of this Policy.
• Notify you by email and/or a prominent in-app notice at least 14 days before material changes take effect.
• For significant changes (e.g. new purposes of processing, new categories of data), seek fresh consent where required by law.

Continued use of the Service after the effective date of the revised Policy constitutes your acceptance of the changes.

14. Contact Us

For any questions, concerns, or requests relating to this Privacy Policy or your Personal Data:

• Email: [email protected]
• Subject line: “Privacy Enquiry”

We aim to respond to all privacy enquiries within 5 business days.