Privacy Policy

dasfas.xyz is a personal finance application. You can reach us at hello@dasfas.xyz for any privacy-related questions.

Under the GDPR, we act as the data controller for personal data processed through dasfas.xyz.

Account data

When you register, we collect your username and — if you use Google Sign-In — your email address. This is required to create and authenticate your account (legal basis: contract).

Financial data

Transactions, accounts, categories, budgets, and any other financial records you create or import are stored on our server. This data is yours and is processed solely to provide the service (legal basis: contract).

Bank API tokens

If you connect Wise or Monobank, your API token is stored encrypted at rest using authenticated encryption (libsodium secretbox). The plaintext token is never written to disk unencrypted (legal basis: contract).

Technical and security data

We log IP addresses for rate limiting on the login and registration endpoints. These are not retained beyond their operational purpose (legal basis: legitimate interest — protecting users from brute-force attacks).

Service improvement

We use anonymized, aggregated patterns from how transactions are categorized across our user base to improve categorization accuracy for all users — particularly new users with no transaction history. The resulting data contains only merchant name patterns and category counts. No user identifiers, transaction amounts, or dates are stored in this index. This processing is based on our legitimate interest in improving the service (Art. 6(1)(f) GDPR). You have the right to object to this processing under Art. 21 GDPR by contacting us at hello@dasfas.xyz.

Analytics

We use PostHog to understand how the app is used. This includes page views, click events, and session recordings. All form inputs are masked — PostHog never sees your financial data or credentials. Analytics data is processed under legitimate interest. You can opt out by contacting us.

Your financial data — transactions, account balances, bank credentials — is sensitive. We treat it accordingly:

• — Sensitive fields (card numbers, IBAN, bank API tokens) are encrypted at rest
• — All traffic is encrypted in transit via HTTPS
• — Each user's data is strictly isolated — no user can access another user's data
• — We do not sell, share, or use your financial data for advertising

We share data with the following third parties, only as required to provide the service:

We do not use advertising networks, tracking pixels, or any other third-party data brokers.

Your account and all associated financial data is retained for as long as your account exists. If you delete your account, all your data is permanently removed within 30 days.

Analytics data (PostHog) is retained for 1 year per PostHog's default policy.

If you are located in the EU or EEA, you have the following rights:

• — Access — request a copy of the data we hold about you
• — Rectification — correct inaccurate data
• — Erasure — request deletion of your account and all associated data
• — Portability — receive your data in a machine-readable format
• — Restriction — ask us to limit how we process your data
• — Object — object to processing based on legitimate interest
• — Withdraw consent — where processing is based on consent

To exercise any of these rights, email us at hello@dasfas.xyz. We will respond within 30 days.

You also have the right to lodge a complaint with your local data protection authority.

Strictly necessary (no consent required)

A JWT authentication token is stored in your browser's local storage to keep you signed in. This is required for the service to function and does not contain any financial data.

Analytics (requires consent)

PostHog sets a first-party cookie to identify returning sessions and record anonymized usage data. This cookie is only set if you accept analytics when prompted. You can withdraw consent at any time by clicking "Cookie settings" in the footer or by contacting us.

We do not use advertising cookies, third-party tracking pixels, or data brokers.

We may update this policy as the service evolves. Significant changes will be announced via email or an in-app notice. The date at the top of this page reflects the most recent update.

Questions about this policy or requests to exercise your rights:
hello@dasfas.xyz