Gracyy.

Privacy Policy

← Back to home

Last updated: 21 May 2026

Effective date: 21 May 2026 · Last updated: 21 May 2026 · Version: 1.1

INTRODUCTION

Gracyy ("we", "us", "our") is committed to protecting your personal data with the highest standards of privacy and data security. This Privacy Policy explains in full transparency how we collect, use, store, share, and protect your personal data when you use the Gracyy mobile application and website at gracyy.com.

This Policy is drafted in compliance with:

  • EU General Data Protection Regulation (GDPR) 2016/679
  • UK General Data Protection Regulation (UK GDPR)
  • ePrivacy Directive 2002/58/EC
  • EU Digital Services Act (DSA) 2022/2065
  • Nigerian Data Protection Regulation (NDPR) 2019
  • Nigeria Data Protection Act (NDPA) 2023
  • Ghana Data Protection Act 2012 (Act 843)
  • Kenya Data Protection Act 2019
  • South Africa POPIA 2013
  • California Consumer Privacy Act (CCPA) 2018
  • Other applicable national data protection laws

If you have any questions about this Policy, contact our Data Protection contact at: hello@gracyy.com

ARTICLE 1 — DATA CONTROLLER INFORMATION

1.1 Identity of Controller:

Gracyy
Email: hello@gracyy.com
Website: gracyy.com

1.2 Gracyy is the data controller responsible for your personal data processed through the Gracyy application and website.

1.3 For all data protection enquiries, subject access requests, and complaints, contact us at: hello@gracyy.com. We will respond within 30 days as required by applicable law.

ARTICLE 2 — PERSONAL DATA WE COLLECT

2.1 DATA YOU PROVIDE DIRECTLY:

(a) Account Registration Data:

  • Full name
  • Email address
  • Password (stored in hashed, encrypted form — we never store plain-text passwords)
  • Authentication tokens (Apple Sign-In)

(b) Profile and Onboarding Data:

  • Country of residence
  • City
  • Phone number (optional)
  • Preferred currency
  • Household name

(c) Financial Data:

  • Expense records (amount, merchant, category, date, description)
  • Budget amounts and settings
  • Bank statement content (uploaded PDFs — processed and then discarded)
  • Receipt images (processed and then discarded)
  • Shopping list items
  • Recurring expense configurations

2.2 DATA GENERATED THROUGH YOUR USE:

(a) Usage Data:

  • App features used and frequency of use
  • Expense categories most used
  • Time and date of logins
  • Session duration

(b) Device Data:

  • Device type and operating system version
  • App version
  • Device identifiers (for security purposes only)

2.3 DATA WE DO NOT COLLECT:

We explicitly do not collect:

  • Bank account numbers or credentials
  • Payment card details
  • Government ID numbers
  • Biometric data
  • Precise real-time GPS location
  • Contact lists or address books
  • Photos or media beyond uploaded receipts

ARTICLE 3 — LEGAL BASIS FOR PROCESSING (GDPR)

For EU/UK users, we process your personal data on the following legal bases under Article 6 GDPR:

3.1 CONTRACTUAL NECESSITY (Art. 6(1)(b)):

Processing necessary to provide the Gracyy service:

  • Account creation and authentication
  • Expense tracking and display
  • Budget management
  • Shopping list functionality
  • Recurring expense management

3.2 LEGITIMATE INTERESTS (Art. 6(1)(f)):

Processing for our legitimate business interests where not overridden by your rights:

  • App security and fraud prevention
  • Service improvement and bug fixing
  • Financial health score calculation
  • AI-powered spending insights

3.3 CONSENT (Art. 6(1)(a)):

Processing based on your explicit consent:

  • Location-based store suggestions (you provide city/country voluntarily)
  • Optional phone number collection
  • Android waitlist registration

3.4 LEGAL OBLIGATION (Art. 6(1)(c)):

Processing required by law:

  • Responding to lawful requests from competent authorities
  • Compliance with applicable regulations

ARTICLE 4 — HOW WE USE YOUR PERSONAL DATA

4.1 SERVICE PROVISION:

  • Display your expenses, budgets, and financial analytics
  • Calculate your financial health score
  • Generate spending trends and category breakdowns
  • Power recurring expense tracking and reminders
  • Manage your shopping lists

4.2 AI-POWERED FEATURES:

  • Process uploaded receipts to extract transaction data
  • Analyse uploaded bank statements to import transactions automatically
  • Generate personalised store suggestions based on your location and shopping list
  • Power the Gracyy AI Chat assistant
  • Detect recurring expense patterns

4.3 COMMUNICATIONS:

  • Send essential service notifications
  • Respond to your support enquiries
  • Notify you of significant changes to this Policy or our Terms of Service
  • Send Android launch notification (waitlist users only, with consent)

4.4 SECURITY AND INTEGRITY:

  • Detect and prevent fraudulent activity
  • Protect against unauthorised access
  • Maintain the security of our systems
  • Enforce our Terms of Service

4.5 WHAT WE DO NOT DO WITH YOUR DATA:

  • We do not sell your personal data to any third party — ever
  • We do not use your financial data for advertising profiling
  • We do not share your data with banks or financial institutions
  • We do not use your data to train AI models
  • We do not share your data with data brokers

ARTICLE 5 — BANK STATEMENTS AND RECEIPTS

5.1 When you upload a bank statement PDF or receipt image, the following process occurs:

Step 1: The document is securely transmitted over encrypted HTTPS to Anthropic's Claude API.

Step 2: Claude AI extracts transaction data (merchant names, amounts, dates, categories).

Step 3: The extracted structured data is saved to your Gracyy account.

Step 4: The original document (PDF or image) is NOT stored by Gracyy after processing is complete. We only retain the extracted data.

5.2 Anthropic processes your document solely to extract transaction data. Anthropic's privacy policy is available at anthropic.com/privacy.

5.3 You warrant that any document you upload belongs to you or that you have lawful authority to upload and process it.

5.4 DATA MINIMISATION: We extract only spending/debit transactions. We do not extract or store:

  • Your full bank account number
  • Your bank's internal reference numbers
  • Credit/income transactions (unless relevant to expense tracking)
  • Any sensitive personal identifiers within the document

ARTICLE 6 — DATA SHARING AND THIRD PARTIES

6.1 We share your personal data only with the following carefully selected processors, bound by strict data processing agreements:

SUPABASE (Supabase Inc., USA):
Role: Database hosting and user authentication
Data shared: All account and financial data
Safeguard: Standard Contractual Clauses (SCCs) for international transfers
Privacy Policy: supabase.com/privacy

ANTHROPIC (Anthropic PBC, USA):
Role: AI processing of receipts and bank statements
Data shared: Uploaded documents temporarily during processing only
Safeguard: Standard Contractual Clauses (SCCs)
Privacy Policy: anthropic.com/privacy

APPLE INC.:
Role: iOS app distribution and Apple Sign-In authentication
Data shared: App Store metrics (anonymised), authentication tokens
Privacy Policy: apple.com/privacy

GOOGLE LLC:
Role: Android app distribution (future)
Data shared: App Store metrics (anonymised)
Privacy Policy: policies.google.com/privacy

6.2 We do not share your personal data with:

  • Advertisers or marketing companies
  • Data brokers or analytics companies
  • Financial institutions or credit bureaus
  • Any other third parties not listed above

6.3 LEGAL DISCLOSURE: We may disclose your data if required by law, court order, or competent regulatory authority, or if we reasonably believe disclosure is necessary to protect our legal rights or prevent imminent harm.

ARTICLE 7 — INTERNATIONAL DATA TRANSFERS

7.1 Gracyy operates globally. Your data may be transferred to and processed in countries outside your country of residence, including the United States.

7.2 For transfers from the EU/UK/EEA, we ensure adequate protection through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Decision 2021/914)
  • Adequacy decisions where applicable
  • Supplementary technical measures including encryption in transit and at rest

7.3 For transfers involving data of Nigerian residents, we comply with NDPA 2023 cross-border transfer requirements including ensuring adequate data protection in the destination country.

7.4 For transfers involving data of Kenyan residents, we comply with Part V of the Kenya Data Protection Act 2019.

7.5 You have the right to obtain a copy of the safeguards we use for international transfers by contacting us at hello@gracyy.com.

ARTICLE 8 — DATA RETENTION

8.1 We retain your personal data only for as long as necessary to provide the service and fulfil the purposes described in this Policy.

8.2 RETENTION PERIODS:

Account data: Retained for the duration of your account. Deleted immediately and permanently upon account deletion.

Financial data (expenses, budgets, shopping lists): Retained for the duration of your account. Deleted immediately upon account deletion.

Uploaded documents (bank statements, receipts): NOT retained. Deleted immediately after AI processing is complete.

Security logs: Retained for maximum 90 days for security and fraud prevention purposes.

Legal compliance data: Retained for the minimum period required by applicable law where we have a legal obligation to retain.

Android waitlist emails: Retained until Android launch or until you unsubscribe, whichever is earlier.

8.3 ACCOUNT DELETION: When you delete your account via Settings → Delete Account:

  • All your personal data is permanently deleted immediately from our active systems
  • All expenses, budgets, and shopping lists are permanently deleted
  • Your authentication record is removed
  • Deletion is irreversible — we cannot recover deleted accounts

ARTICLE 9 — YOUR RIGHTS

9.1 EU/UK GDPR RIGHTS:

Under GDPR and UK GDPR you have the following rights:

RIGHT OF ACCESS (Art. 15 GDPR):
Request a copy of all personal data we hold about you, including the categories of data, purposes of processing, and recipients of your data.

RIGHT TO RECTIFICATION (Art. 16 GDPR):
Request correction of inaccurate or incomplete personal data. You can update most data directly in Settings.

RIGHT TO ERASURE / RIGHT TO BE FORGOTTEN (Art. 17 GDPR):
Request deletion of your personal data. You can delete your account and all data immediately via Settings → Delete Account. We will also respond to erasure requests submitted by email within 30 days.

RIGHT TO RESTRICTION (Art. 18 GDPR):
Request that we restrict processing of your data in certain circumstances, such as while a dispute about accuracy is resolved.

RIGHT TO DATA PORTABILITY (Art. 20 GDPR):
Request your personal data in a structured, commonly used, machine-readable format (JSON or CSV). Contact us to request a data export.

RIGHT TO OBJECT (Art. 21 GDPR):
Object to processing of your personal data based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.

RIGHT NOT TO BE SUBJECT TO AUTOMATED DECISION-MAKING (Art. 22 GDPR):
You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Gracyy does not make such decisions about you.

RIGHT TO WITHDRAW CONSENT:
Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.

9.2 NIGERIAN RESIDENTS (NDPA 2023):

You have the right to:

  • Be informed about the processing of your personal data
  • Access your personal data
  • Correct inaccurate personal data
  • Delete your personal data
  • Object to processing
  • Withdraw consent at any time

9.3 CALIFORNIAN RESIDENTS (CCPA/CPRA):

You have the right to:

  • Know what personal information is collected
  • Know whether personal information is sold or disclosed and to whom
  • Opt out of the sale of personal information (note: we do not sell personal information)
  • Access your personal information
  • Equal service and price (non-discrimination)
  • Request deletion of personal information

9.4 HOW TO EXERCISE YOUR RIGHTS:

Submit requests to: hello@gracyy.com
Subject line: "Data Subject Request — [Your Right]"

We will respond within:

  • 30 days (GDPR/UK GDPR)
  • 21 days (NDPA Nigeria)
  • 45 days (CCPA California)

We may require identity verification before processing your request to protect your data.

9.5 RIGHT TO LODGE A COMPLAINT:

You have the right to lodge a complaint with your local supervisory authority:

EU residents: Your national Data Protection Authority (find yours at edpb.europa.eu)

UK residents: Information Commissioner's Office ( ico.org.uk)

Nigerian residents: Nigeria Data Protection Commission ( ndpc.gov.ng)

Kenyan residents: Office of the Data Protection Commissioner ( odpc.go.ke)

Ghanaian residents: Data Protection Commission ( dataprotection.org.gh)

South African residents: Information Regulator ( inforegulator.org.za)

ARTICLE 10 — DATA SECURITY

10.1 We implement comprehensive technical and organisational security measures to protect your personal data including:

TECHNICAL MEASURES:

  • AES-256 encryption for data at rest
  • TLS 1.3 encryption for all data in transit
  • Row-Level Security (RLS) on all database tables — each user can only access their own data
  • Hashed and salted password storage (we never store plain-text passwords)
  • Secure token-based authentication
  • Regular security audits and penetration testing
  • API rate limiting to prevent abuse

ORGANISATIONAL MEASURES:

  • Principle of least privilege — access to data is strictly limited
  • Data minimisation — we only collect what is necessary
  • Privacy by design — privacy is built into our development process

10.2 DATA BREACH NOTIFICATION:

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware (as required by Art. 33 GDPR)
  • Notify affected users without undue delay where the breach is likely to result in a high risk (Art. 34 GDPR)
  • Take immediate remedial action

10.3 Despite our security measures, no system is completely immune to breaches. If you suspect unauthorised access to your account, contact us immediately at hello@gracyy.com and change your password immediately.

ARTICLE 11 — CHILDREN'S PRIVACY

11.1 Gracyy is not directed at, and is not intended for use by, children under the age of 18 (or the applicable age of digital consent in your jurisdiction, which may be as low as 13 in some countries under GDPR Article 8).

11.2 We do not knowingly collect personal data from children under 18. If you believe we have inadvertently collected data from a child, please contact us immediately at hello@gracyy.com and we will delete such data promptly.

ARTICLE 12 — COOKIES AND TRACKING

12.1 The Gracyy mobile application does not use cookies.

12.2 The Gracyy website (gracyy.com) may use essential technical cookies necessary for website functionality only. We do not use advertising, tracking, or analytics cookies without your explicit consent.

12.3 We do not use cross-site tracking, fingerprinting, or any other tracking technology beyond what is strictly necessary for the service.

ARTICLE 13 — CHANGES TO THIS PRIVACY POLICY

13.1 We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

13.2 For material changes that affect your rights or how we use your data, we will:

  • Send an email notification to your registered email address at least 30 days before the change takes effect
  • Display a prominent notice within the app
  • Update the "Last updated" date at the top of this Policy

13.3 For non-material changes (corrections, clarifications), we will update the Policy and the "Last updated" date.

13.4 We encourage you to review this Policy periodically. Your continued use of Gracyy after changes take effect constitutes acceptance of the revised Policy.

13.5 If you do not agree to material changes, you may delete your account before they take effect.

ARTICLE 14 — CONTACT AND COMPLAINTS

14.1 For all privacy-related enquiries, data subject requests, and complaints:

Email: hello@gracyy.com
Subject: "Privacy Request — [Your Query]"
Response time: Within 30 days

14.2 We take all privacy complaints seriously and will investigate and respond to all legitimate concerns promptly.

14.3 If you are not satisfied with our response, you have the right to escalate your complaint to your local supervisory authority as listed in Article 9.5.

This Privacy Policy was drafted in English. In the event of any conflict between translated versions and this English version, the English version shall prevail.

Gracyy. Spend with Grace. gracyy.com

← Back to Gracyy.com