Privacy policy
Last updated: 2026-03-25
1. Data controller
The controller of your personal data is Plutario (hereinafter: "we", "us"), based in Poland. Contact: contact@plutario.pl.
2. Data we collect
When you use Plutario, we process the following categories of data:
- Registration data: first name, surname, email address, phone number (optional).
- Authentication data: data provided by OAuth providers (Google, GitHub, Microsoft, Apple) — we do not store passwords.
- Financial data: budgets, financial accounts, transactions, categories — entered manually by you or imported from CSV files.
- Technical data: IP address, browser type, operating system — collected automatically for security and diagnostics.
- Analytics data: anonymous usage statistics collected by Cloudflare Web Analytics (no cookies, no cross-site tracking).
3. Purposes and legal basis
We process your data on the following legal bases (Art. 6 GDPR):
- Performance of a contract (Art. 6(1)(b)): providing the Plutario service, account management, subscription handling.
- Legitimate interest (Art. 6(1)(f)): ensuring service security, fraud prevention, analytics (Cloudflare Web Analytics).
- Legal obligation (Art. 6(1)(c)): fulfilling tax and accounting obligations.
- Consent (Art. 6(1)(a)): marketing communications (if you opt in).
4. Data processors
Your data may be shared with the following processors:
- Cloudflare, Inc. — landing page hosting, CDN, web analytics.
- Keycloak (self-hosted) — authentication and session management. Data is stored on our EU servers.
- SMTP provider — transactional email delivery (confirmations, reminders).
- Stripe, Inc. — payment and subscription processing. Stripe processes payment data in compliance with PCI DSS.
5. Data retention
- Account data: retained for the duration of your use of the service. After account deletion, data is permanently removed within 30 days.
- Financial data (budgets, transactions): deleted together with the account or upon your request (export + delete).
- Billing data: retained for the period required by law (5 years from the end of the financial year).
- Technical logs: retained for up to 90 days.
6. Data security
We apply the following security measures:
- Encryption of all connections using TLS 1.3.
- Data storage on servers within the European Union.
- OAuth 2.0 / OpenID Connect authentication via Keycloak.
- Regular database backups.
- Access restrictions based on the principle of least privilege.
7. Your rights (GDPR)
As a data subject, you have the right to:
- Access — obtain information about processed data.
- Rectification — correct inaccurate data.
- Erasure ("right to be forgotten") — request deletion of data.
- Portability — download data in a machine-readable format (export feature in the app).
- Restriction of processing — request limitation of processing in certain situations.
- Objection — object to processing based on legitimate interest.
- Withdrawal of consent — at any time, without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, contact us at: contact@plutario.pl.
8. Cookies
The website plutario.pl uses Cloudflare Web Analytics, which does not use cookies and does not track users across sites. The application app.plutario.pl may use session cookies necessary for the service to function. Details are provided in the cookie policy.
9. International data transfers
As a rule, your data is stored and processed exclusively on servers within the European Union. When using Cloudflare and Stripe services, data may also be processed in the USA based on Standard Contractual Clauses (SCC) approved by the European Commission.
10. Complaints
If you believe that the processing of your data violates GDPR, you have the right to lodge a complaint with the supervisory authority — the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland, uodo.gov.pl.
11. Changes to this policy
We reserve the right to update this policy. We will notify you of significant changes via email or an in-app notification. The date of the last update is displayed at the top of this page.