Hagr

Privacy Policy

Version 1.1 — Last updated: April 2026

1. Data Controller

Hagr is operated by Ólafur Jóhannsson, Sweden (contact: privacy@hagr.app). As the data controller, we determine the purposes and means of processing your personal data and are responsible for compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR). This policy is available in English and Swedish.

2. What we collect and why

| Category | Data | Purpose | Legal basis |
| --- | --- | --- | --- |
| Account data | Email address | Creating and managing your account | Contract (Art. 6(1)(b)) |
| Financial data | Transactions, budgets, net worth entries, recurring items, travel budgets | Providing the core budgeting service | Contract (Art. 6(1)(b)) |
| AI Advisor data | Selected financial data you choose to share with the advisor | Generating AI-powered financial insights | Consent (Art. 6(1)(a)) — you control which data the AI can access in Settings |
| Uploaded documents | Bank statements, receipts, CSV/Excel files you upload to the AI Advisor | Extracting transactions from documents via AI parsing | Consent (Art. 6(1)(a)) — only processed if AI data consent is enabled |
| Subscription data | Subscription status, billing period, billing currency | Managing your paid subscription | Contract (Art. 6(1)(b)) |
| Location (country only) | Country code derived from your IP address (e.g. 'FR', 'SE') — provided by Vercel's edge network on each request and not stored | Showing prices in your local currency on the pricing page and selecting the matching Stripe price at checkout | Legitimate interests (Art. 6(1)(f)) — providing accurate localised pricing without forcing a manual region picker. Only the two-letter country code is processed; the IP address itself is not stored by us. |

3. Data storage and security

Your data is stored in a Supabase PostgreSQL database hosted in the EU (Frankfurt, Germany). Data is encrypted at rest and in transit using TLS. Session cookies are secured with HttpOnly and Secure flags. Row-level security (RLS) ensures your data is only accessible to your account. We do not use your financial data for advertising or profiling.

4. International transfers — AI Advisor

When you use the AI Advisor, the financial data you have consented to share is sent to OpenAI's API, operated by OpenAI, LLC in the United States. This transfer is covered by Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR, as included in OpenAI's Data Processing Agreement. OpenAI does not use API-submitted data to train its models under its DPA. OpenAI retains API request data for up to 30 days for abuse monitoring, after which it is deleted. If you upload a document (bank statement, receipt, CSV, or Excel file), the full text or image content of that document is sent to OpenAI for transaction extraction — this may include account numbers, merchant names, and full transaction history present in the document. Document uploads are voluntary and only processed when AI data consent is enabled. You can withdraw your consent at any time in Settings → AI Advisor.

5. Third-party processors

We share your data only with the following processors, each under a Data Processing Agreement: (a) Supabase — database and authentication, EU-hosted; (b) Vercel — hosting and infrastructure, EU region; (c) Stripe — payment processing (card details never reach our servers); (d) OpenAI — AI Advisor only, with your consent (see Section 4); (e) Google LLC — authentication only, when you sign in using Google OAuth (only your email address and Google account ID are shared). We do not sell your data.

6. Cookies

We use only strictly necessary session cookies to maintain your authenticated session. These cookies are set with HttpOnly, Secure, and SameSite=Lax attributes and do not require your consent under the ePrivacy Directive. We do not use tracking, analytics, or advertising cookies.

7. Data retention

Your data is retained for as long as your account is active. If you delete your account, all personal data is permanently and immediately deleted from our systems. Stripe may retain payment records for up to 7 years for legal and tax compliance. OpenAI retains uploaded document data for up to 30 days per their DPA.

8. Your rights under GDPR

As a data subject in the EU/EEA you have the right to: (a) access your personal data (Art. 15); (b) correct inaccurate data directly in the app (Art. 16); (c) delete your account and all data instantly via Settings → Danger Zone (Art. 17); (d) request restriction of processing — contact privacy@hagr.app (Art. 18); (e) export all your data as JSON or transactions as CSV via Settings → Export Data (Art. 20); (f) object to processing based on legitimate interest (Art. 21); (g) withdraw AI data consent at any time in Settings without affecting prior processing. We aim to respond to requests within 30 days.

9. Right to lodge a complaint

You have the right to lodge a complaint with the Swedish supervisory authority: Integritetsskyddsmyndigheten (IMY), Box 8114, 104 20 Stockholm, Sweden — imy.se — +46 8 657 61 00. You may also contact the supervisory authority in your country of residence.

10. Data breach notification

In the event of a personal data breach likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with Art. 34 GDPR.

11. Automated decision-making

We do not use automated decision-making or profiling that produces legal or similarly significant effects on you.

12. Changes to this policy

We will notify you of material changes via email or in-app notification at least 30 days before changes take effect. The current version is always at hagr.app/privacy.

13. Contact

For privacy questions or to exercise your GDPR rights, contact privacy@hagr.app. We aim to respond within 30 days.