Privacy Policy
Money Palava is operated by Davanji Ltd ("Davanji", "we", "us"). We take your privacy seriously. This policy explains exactly what data we collect, why, and what your rights are. Plain English first; legal terms second.
The short version: your financial data is stored in an encrypted EU database, accessible only to you through your account, and we will never sell it to anyone.
1. What data we collect
We collect the minimum amount of data needed to operate Money Palava:
- Account data (when you sign up): your name, email address and a hashed password.
- Financial data (income, expenses, goals, debts, etc.): stored in an encrypted Postgres database hosted by Supabase in the EU. It is protected by row-level security, enforced at the database level, so only you can access your data.
- Payment data (when you upgrade): processed by Stripe. We never see or store your card details.
- Usage analytics (anonymised): aggregate visit counts via privacy-preserving analytics. No individual tracking.
2. What we do with your data
- Authenticate you when you sign in.
- Send service emails (account confirmation, password resets, billing receipts).
- Send the Money Palava newsletter only if you opted in.
- Improve the product based on aggregate, anonymised usage patterns.
We never sell your data, share it with advertisers, or use it for ad targeting.
3. Where your data lives
All your data — account information and transactions — is stored on encrypted Supabase servers in the EU (London/Frankfurt). It is encrypted at rest with AES-256 and in transit with TLS 1.3. You can export everything as CSV at any time and delete your account permanently from Settings, which triggers cascade deletion of all your records.
4. Sub-processors
We use the following sub-processors to operate Money Palava. All process data on our behalf under contractual obligations:
- Supabase (USA / EU) — authentication and database hosting. Supabase privacy policy
- Hostinger (Lithuania / EU) — static file hosting for the website. Hostinger privacy policy
- Stripe (USA, EU representative) — payment processing for paid plans. PCI-DSS Level 1 certified. Stripe privacy policy
- Resend (USA) — transactional email delivery (account emails, weekly digests). Resend privacy policy
- Anthropic (USA) — AI generation for the optional Weekly Check-In digest. Snippets of your financial summary (totals, top categories, goal progress — never raw transaction descriptions) are sent at digest generation time. Anthropic does not train on Money Palava data. Anthropic privacy policy
- Cloudflare jsDelivr — CDN delivery of JavaScript libraries (Chart.js, Supabase SDK).
- Google Analytics (USA) — anonymised aggregate visit analytics. Only loaded if you consent via the cookie banner. Google privacy policy
- Meta (Facebook) (USA) — anonymised aggregate conversion analytics. Only loaded if you consent via the cookie banner. Meta privacy policy
5. Cookies
We use a small number of essential cookies for authentication and preferences (theme, currency). We do not use third-party tracking cookies. See our Cookies policy for details.
6. Your rights (GDPR & UK GDPR)
You have the right to:
- Access all personal data we hold about you.
- Correct any inaccurate data.
- Delete your account and all associated data permanently.
- Export your data in machine-readable format (CSV).
- Object to processing or withdraw consent at any time.
To exercise any of these rights, email privacy@moneypalava.com. We respond within 30 days.
6a. California residents (CCPA / CPRA)
If you reside in California, the California Consumer Privacy Act and California Privacy Rights Act give you additional rights, including the right to know what personal information we collect, the right to request deletion, the right to opt out of any "sale" or "share" of personal information, and the right not to be discriminated against for exercising these rights. We do not sell or share your personal information for cross-context behavioural advertising. To exercise CCPA/CPRA rights, email privacy@moneypalava.com with "California Privacy Request" in the subject line.
6b. Security of your data
We take reasonable technical and organisational measures to protect your data:
- Encryption at rest using AES-256 (Supabase managed Postgres);
- Encryption in transit using TLS 1.3 for every connection;
- Row-level security (RLS) policies enforced at the database level — even if our application code had a bug, the database itself refuses requests for data that doesn't belong to the requesting user;
- Bcrypt password hashing (passwords are never stored in plain text or recoverable form);
- Optional two-factor authentication via authenticator apps (TOTP);
- Stripe handles all payment data — we never see or store full card numbers;
- Regular review of access logs and security incidents.
However, no system is 100% secure. You play a critical role in protecting your account: use a strong unique password, enable two-factor authentication, keep your devices updated, and never share your login. If you suspect your account has been compromised, email security@moneypalava.com immediately.
7. Children
Money Palava is not intended for users under 16. We do not knowingly collect data from children. If you believe a child has created an account, please contact us and we will delete it.
8. Changes to this policy
We will notify you of significant changes via email and post the updated date at the top of this page. Continued use after notification means acceptance of the updated policy.
9. Contact
Questions? Email us at privacy@moneypalava.com or use the contact form.
This policy is provided as a template and should be reviewed by a qualified solicitor before deployment in production. Davanji Ltd accepts no liability for use of this template without legal review.