← Back

Privacy Policy

Last updated: March 2026

Data Controller

BroMony is operated by Leonardo Ferhati, Copenhagen, Denmark.

Contact: hello@bromony.com

What Data We Collect

When you create an account, we collect your email address, display name, and an optional avatar. When you use BroMony, we store the financial account entries you create (names, balances, categories) and group membership data. Financial data is encrypted in transit and at rest at the infrastructure level. We use Supabase (AWS Frankfurt) which provides AES-256 disk encryption. We also collect basic usage analytics such as page views and session duration.

Legal Basis for Processing

We process your data under the following legal bases (GDPR Art. 6):

  • Account data (email, display name) — performance of a contract (Art. 6(1)(b)). Necessary to create and maintain your account.
  • Financial data (assets, net worth snapshots) — performance of a contract (Art. 6(1)(b)). This is the core service you signed up for. Net worth data does not constitute special category data under Art. 9 GDPR.
  • Group data (group membership, leaderboards) — performance of a contract (Art. 6(1)(b)). Enables the group comparison features.
  • Usage analytics (page views, session duration) — legitimate interests (Art. 6(1)(f)). Used to improve the service and fix issues.

We never sell your personal data to third parties, and we never use it for advertising.

How Long We Keep It

Your data is retained for as long as your account is active. If you delete your account, all associated data is permanently removed from our systems within 30 days. Backups that may contain residual data are purged within 90 days.

Security event logs (login attempts, data exports) are automatically deleted after 90 days.

Accounts inactive for 12 months will receive a warning email. Accounts inactive for 24 months with no data activity will be flagged for deletion. You can delete your account at any time from Profile Settings.

Who We Share Data With

We use the following third-party services to operate BroMony:

  • Supabase — database hosting and authentication infrastructure (AWS Frankfurt, EU).
  • Vercel — application hosting, edge functions, and analytics.
  • Resend — transactional emails such as verification and password reset.
  • Stripe — payment processing for optional donations. Privacy policy: stripe.com/privacy
  • Google — authentication via Google Sign-In (OAuth). Data processed: email address and display name at login. Privacy policy: policies.google.com/privacy
  • Apple — authentication via Apple Sign-In. Data processed: email address at first login only. Privacy policy: apple.com/legal/privacy

These providers process data on our behalf and are contractually obligated to protect it. We do not share your data with anyone else.

Some of these providers (Google, Apple) may process data outside the European Economic Area. Such transfers are covered by Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring an adequate level of data protection.

Your Rights

Under the GDPR, you have the right to:

  • Access — request a copy of all personal data we hold about you.
  • Rectification — correct any inaccurate or incomplete data.
  • Erasure — request deletion of your account and all associated data.
  • Portability — receive your data in a structured, machine-readable format.
  • Restriction — request that we limit how we use your data while a dispute is being resolved.
  • Object — object to processing based on legitimate interests (e.g. analytics).
  • Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at hello@bromony.com. We will respond within 30 days.

Cookies and Local Storage

BroMony uses only strictly necessary cookies for authentication (session management via NextAuth.js). We do not use advertising cookies or tracking cookies.

We also use browser localStorage to remember your theme preference (light/dark mode) and to store your cookie banner acknowledgement. No personal data is stored in localStorage.

You can disable cookies in your browser settings at any time. Please note that doing so will prevent you from logging in to BroMony, as session cookies are strictly required for authentication to function.

Supervisory Authority

You have the right to lodge a complaint with the Danish Data Protection Authority (Datatilsynet) if you believe we have processed your personal data in violation of the GDPR.

Datatilsynet

Carl Jacobsens Vej 35

2500 Valby, Denmark

Tel: +45 33 19 32 00

Email: dt@datatilsynet.dk

Website: datatilsynet.dk

Contact

If you have any questions about this privacy policy or wish to exercise your rights, contact us at hello@bromony.com.