Last updated: 2026-01-13
We take the protection of your personal data seriously. This privacy policy explains which data we process when you use Valutra and for what purposes. Valutra currently does not use tracking or analytics tools.
Controller
The controller responsible for processing personal data is:
Martin Siegling
Georg-Kerschensteiner-Straße 49
81829 München
Deutschland
Email: support@valutra.co
Contact
For privacy-related questions, contact us at support@valutra.co.
No data protection officer has been appointed because there is no legal obligation to do so.
No tracking / no ads
We do not use tracking or analytics services and we do not create user profiles. There is no consent banner because we use only technically necessary cookies.
For technical reasons, IP addresses are processed whenever you access the service. IP addresses are personal data. We process them only temporarily for security, to ensure reliable operations, and for troubleshooting; we do not use them for profiling or tracking.
Which data do we process?
Depending on how you use the app, we may process the following data:
- Account data (e.g., email address, name, authentication data).
- Financial data you enter (e.g., accounts, payments, plan items, assets, loans, settings).
- Support/feedback content you send to us (including metadata such as time and, where applicable, your email address).
- Technical log data for troubleshooting and security (e.g., timestamps, request IDs, potentially IP address in server logs).
Purposes of processing
- Providing and operating the application.
- Authentication, session management, and abuse prevention.
- Handling support requests and feedback.
- Security measures, error analysis, and platform stability.
Access to user data
- Access to personal data and user-entered financial data occurs only when:
  - it is necessary to provide the service,
  - for troubleshooting,
  - or to handle a support request.
- No content analysis, profiling, or active inspection of user data takes place for other purposes.
- Access is limited to what is necessary and is performed only by the controller.
- No disclosure or use for marketing or analytics purposes takes place.
Legal bases
Where we process personal data for the provision of the Service and the performance or initiation of a user contract (e.g., account data and user-entered data), processing is based on Art. 6(1)(b) GDPR. The processing of technical log data and IP addresses is based on Art. 6(1)(f) GDPR; our legitimate interest lies in IT security, error analysis, and the prevention of misuse. Where processing is required to comply with legal obligations, it is based on Art. 6(1)(c) GDPR.
Cookies
We use only technically necessary cookies to provide the app and to manage login sessions securely:
- Session/authentication cookies (e.g., "authjs.session-token" or "__Secure-authjs.session-token" for login and signed-in usage; possibly also "authjs.callback-url" for redirects).
- Security cookies (e.g., "authjs.csrf-token" to protect against CSRF and similar attacks).
- Necessary functional cookies (e.g., "NEXT_LOCALE" for language preferences).
Without these cookies, the app (especially login) cannot function. In development environments, "__next_hmr_refresh_hash__" (hot reload) may also be set.
Recipients / processors
We use service providers that process data on our behalf (Art. 28 GDPR). This may include:
- Hosting/platform operations (e.g., Vercel).
- Database operations (e.g., Neon Postgres).
- Email services (e.g., Resend for system/transactional emails; Namecheap PrivateEmail for mailboxes/inbound handling).
Data processing agreements in accordance with Art. 28 GDPR have been concluded with all commissioned processors.
International transfers
Depending on the service providers used, processing outside the EU/EEA may occur. In such cases, we ensure appropriate safeguards (e.g., Standard Contractual Clauses) where required.
Retention
We generally store personal data only for as long as necessary for the stated purposes or as required by law. You can request deletion by deleting your account. Technical log data (e.g., server logs) is generally stored only for a limited period and is subsequently deleted or anonymized, unless a longer retention period is required for security-related reasons.
Your rights
Under the GDPR you have, in particular, the following rights. To exercise them, an informal request (e.g., by email) to the contact details above is sufficient:
- Access (Art. 15 GDPR).
- Rectification (Art. 16 GDPR).
- Erasure (Art. 17 GDPR).
- Restriction of processing (Art. 18 GDPR).
- Data portability (Art. 20 GDPR).
- Objection to processing based on legitimate interests (Art. 21 GDPR).
Right to lodge a complaint
You also have the right to lodge a complaint with a data protection supervisory authority. In particular, the authority at your habitual residence, place of work, or the place of the alleged infringement may be competent.