Privacy policy
Last updated: 2026-04-08 · version 2.0.0
This is an English translation of the Polish Privacy Policy provided for convenience. In case of any discrepancy, the Polish version (available at plutario.pl/privacy-policy) shall prevail.
1. Data controller
The controller of your personal data is Kacper Czarczyński Dreaming Software (sole proprietorship), located at ul. Władysława Broniewskiego 24A/142, 01-771 Warszawa, Tax ID (NIP): 5252935425, Statistical ID (REGON): 523925339, registry: entry in the Centralna Ewidencja i Informacja o Działalności Gospodarczej (CEIDG) (hereinafter: "we", "us", "Controller"). Data protection contact: contact@plutario.pl.
The Controller has not appointed a Data Protection Officer (DPO) — given the nature and scale of processing, this is not required under Art. 37 GDPR. For all data protection matters, please contact us at the address above. We respond within 30 days of receiving a request (Art. 12(3) GDPR).
2. Data we collect
When you use Plutario, we process the following categories of data:
- Registration data: email address and first name (if provided).
- Authentication data: data provided by OAuth providers (Google, GitHub, Microsoft) — we do not store passwords. Login sessions are managed by self-hosted Keycloak.
- Financial data: budgets, financial accounts, transactions, categories — entered manually by you or imported from CSV files. We treat this data as sensitive and apply enhanced protection, even though it is not formally a special category under Art. 9 GDPR.
- Technical data: IP address, browser type, operating system, session identifier — collected automatically for security and diagnostics.
- Location data: approximate country based on IP address — only for aggregated analytics (Cloudflare Web Analytics).
- Analytics data: anonymous usage statistics collected by Cloudflare Web Analytics (no cookies, no cross-site tracking, no browser fingerprinting).
- Billing data: when purchasing a subscription — first and last name, email address, invoice details (if provided). Payment card data is not stored by us — it is processed exclusively by Stripe.
3. Purposes and legal basis
We process your data on the following legal bases (Art. 6 GDPR):
- Performance of a contract (Art. 6(1)(b)): providing the Plutario service, creating and maintaining the Account, handling Subscriptions, handling complaints and withdrawals, transactional communication.
- Legal obligation (Art. 6(1)(c)): fulfilling tax and accounting obligations (Polish Accounting Act — retaining accounting records for 5 years), handling data subject requests (GDPR).
- Legitimate interest (Art. 6(1)(f)): ensuring service security, fraud prevention, aggregated analytics (Cloudflare Web Analytics), pursuing or defending against claims, internal reporting and statistics.
- Consent (Art. 6(1)(a)): marketing communications (if you opt in). You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
Automated decision-making and profiling
During CSV import, the Service automatically suggests categories for imported transactions based on their description (dictionary matching). This is profiling within the meaning of Art. 4(4) GDPR; however, it produces no legal effects concerning you and does not significantly affect you — the suggestion is merely a proposal that you may accept or change. We do not use automated decision-making within the meaning of Art. 22 GDPR.
4. Recipients and data processors
Your data may be shared with the following recipients / processors:
- Stripe Payments Europe, Ltd. (based in Dublin, Ireland; parent: Stripe, Inc., USA) — payment and subscription processing. Stripe is an independent controller of payment data. Data is processed in compliance with PCI DSS. Transfers to the USA take place on the basis of Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 on the adequacy of the protection provided by the EU-US Data Privacy Framework (Stripe, Inc. is an active DPF participant), with SCCs as a supplementary mechanism.
- Cloudflare, Inc. (USA) — CDN, WAF, DDoS protection, web analytics (Cloudflare Web Analytics). Transfers to the USA take place on the basis of the EU-US Data Privacy Framework (Cloudflare is an active DPF participant), with SCCs as a supplementary mechanism.
- Hetzner Online GmbH (Germany, EEA) — hosting of production servers (VPS) running the Plutario application and database. All financial and Account data is stored exclusively on servers located in the European Union.
- Keycloak — open-source authentication software running on the Controller's infrastructure (self-hosted on Hetzner servers in the EU). It is not a separate processor — it is a tool of the Controller.
- SMTP service provider — for delivery of transactional emails (order confirmations, password resets, notifications). Detailed information about the current SMTP provider and location of its servers is available on request at contact@plutario.pl.
- OAuth providers (Google, GitHub, Microsoft) — if you choose to log in via an external provider, that provider learns of the login event and passes us your identifier and email address. Their own privacy policies govern their processing.
- Accounting office — for accounting documents (invoices) required by tax law.
The Controller has concluded a data processing agreement compliant with Art. 28 GDPR with each processor.
5. Joint controllership — budget sharing feature
With Standard and Premium plans, you can invite others to a shared budget. With respect to data processed within a shared budget (transactions, categories, financial accounts), you and other budget participants become joint controllers within the meaning of Art. 26 GDPR. Division of responsibilities:
- Budget owner — determines the purposes and means of processing within the budget, manages participants, and may revoke access at any time.
- Budget participants — have access to budget data within granted permissions; may enter and modify transactions.
- Controller (Plutario) — provides technical infrastructure and security, handles data subject requests in cooperation with the budget owner.
The full text of the joint controllership arrangement is available on request at contact@plutario.pl. Regardless of the arrangement, data subjects may exercise their rights against any of the joint controllers.
6. Data retention
- Account data: retained for the duration of your use of the service. After account deletion, data is permanently removed without undue delay, no later than 30 days.
- Financial data (budgets, transactions): deleted together with the account or upon your request (export + delete).
- Billing data (invoices): retained for 5 years from the end of the financial year (Art. 74 of the Polish Accounting Act).
- Data for pursuing/defending claims: retained for the limitation period of claims (typically up to 6 years after termination of the contract).
- Technical and security logs: retained for up to 90 days.
- Complaint and withdrawal handling data: retained for 3 years after the case is closed.
7. Data security
We apply the following technical and organisational measures (Art. 32 GDPR):
- Encryption of all connections using TLS 1.3.
- Storage of production data on servers within the European Union (Hetzner, Germany).
- OAuth 2.0 / OpenID Connect authentication via Keycloak.
- Regular database backups stored in an EEA location.
- Access restrictions based on the principle of least privilege.
- Security incident monitoring and alerting.
- Pseudonymisation and data minimisation in technical logs — we do not record transaction amounts, email addresses, or HTTP request bodies in application logs.
8. Your rights (GDPR)
As a data subject, you have the right to:
- Access (Art. 15 GDPR) — obtain information about processed data and a copy of it.
- Rectification (Art. 16 GDPR) — correct inaccurate or incomplete data.
- Erasure / "right to be forgotten" (Art. 17 GDPR) — request deletion of data, subject to the Controller's legal obligations (e.g. retention of accounting documents).
- Portability (Art. 20 GDPR) — download data in a machine-readable format (export feature in the app).
- Restriction of processing (Art. 18 GDPR) — in certain situations.
- Objection (Art. 21 GDPR) — object to processing based on legitimate interest, including analytics.
- Withdrawal of consent (Art. 7(3) GDPR) — at any time, without affecting the lawfulness of processing carried out before withdrawal.
- Lodging a complaint with a supervisory authority (Art. 77 GDPR) — the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland, uodo.gov.pl.
To exercise any of these rights, contact us at: contact@plutario.pl. We respond within 30 days of receiving the request. In justified cases (complexity of the request), the period may be extended by a further 60 days — we will inform you accordingly.
9. Cookies
The website plutario.pl uses Cloudflare Web Analytics, which does not use cookies and does not track users across sites. The application app.plutario.pl uses only cookies essential for the service to function (session, authentication). Details in the cookie policy.
10. International data transfers
As a rule, your data is stored and processed exclusively on servers within the European Union (Hetzner, Germany). To the extent we use Stripe and Cloudflare services, data may also be processed in the United States — such transfers take place on the basis of Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 on the adequate level of protection of personal data provided by the EU-US Data Privacy Framework. Both entities are active DPF participants. Standard Contractual Clauses (SCC) approved by the European Commission are used as a supplementary mechanism.
You can verify DPF participants at dataprivacyframework.gov.
11. Changes to this policy
We reserve the right to update this policy. We will notify you of significant changes at least 14 days in advance via email or in-app notification. The date of the last update and version number are displayed at the top of this page.