Privacy Policy

Version 1.0 · Last updated: June 11, 2026 · Effective: June 11, 2026

Plain-language summary (not a substitute for the full text below): IQ-Wallet collects only the data necessary to run a personal finance app. We never sell your data. All financial records are stored in encrypted EU-based servers. You can export or permanently delete all your data at any time, directly from the app or by emailing us. Questions? Write to privacy@iq-wallet.com.

1. Data Controller and Contact Details

The data controller responsible for your personal data is:

Product name: IQ-Wallet
Operated by: IQ-Wallet ("we", "us", "our")
Privacy inquiries: privacy@iq-wallet.com
General support: support@iq-wallet.com
Website: https://iq-wallet.com

We are committed to protecting your personal data and processing it in accordance with the EU General Data Protection Regulation (GDPR), the Ukrainian Law on Personal Data Protection (No. 2297-VI, as amended), the California Consumer Privacy Act (CCPA), and other applicable data protection legislation.

2. Definitions

In this Privacy Policy:

"App" means the IQ-Wallet mobile application available on iOS and Android.
"Service" means the App and any related services we provide.
"Personal Data" means any information relating to an identified or identifiable natural person.
"Processing" means any operation performed on personal data (collection, storage, use, disclosure, deletion, etc.).
"Data Subject" means the individual whose personal data is being processed — that is, you.
"Processor" means a third party that processes personal data on our behalf.
"Special Category Data" has the meaning given in GDPR Article 9 (e.g., health, biometric, or financial data where it reveals special category information).
"EEA" means the European Economic Area.

3. Scope of This Policy

This Privacy Policy applies to all personal data we collect and process when you:

Download, install, or use the IQ-Wallet App;
Create an account or interact with our services;
Contact us via email or other channels;
Visit our websites at iq-wallet.com or policy.iq-wallet.com.

This Policy does not apply to third-party services (Apple, Google, etc.) that have their own privacy policies, which we encourage you to review independently.

4. Personal Data We Collect

4.1 Data You Provide Directly

Identity data: Full name, email address.
Authentication credentials: Password (stored as a one-way cryptographic hash — we never store plain-text passwords). If you register via social login (Apple Sign-In or Google Sign-In), we receive only the name, email address, and a unique identifier provided by that platform; we do not receive your social media password.
Financial data: Transactions (amount, date, category, merchant, notes), income records, bills and payment schedules, investment records, financial goals, credit lines, salary information, and IQ Financial Score data — all entered voluntarily by you.
Receipt images: Photographs of receipts you upload for the receipt scanning feature. Images are transmitted over an encrypted connection, processed by our AI layer to extract structured data, and deleted immediately after parsing. We do not store receipt images.
Support communications: Content of emails or messages you send to us.
AI advisor interactions: Queries you submit to the AI Financial Advisor. These are processed in real time and are not stored beyond the session unless you save them within the App.

4.2 Data Collected Automatically

Device data: Device type, operating system version, app version, and unique device identifiers (used for analytics and crash reporting).
Usage data: Features used, screens visited, session timestamps, and error logs — collected in aggregate to improve the Service. We do not build individual behavioral profiles for advertising.
Log data: Server logs including IP address, request timestamps, and HTTP response codes. Logs are retained for 30 days and then deleted.

4.3 Data Received from Third Parties

Apple / Google (in-app purchases): Subscription status, purchase date, product identifier, and transaction receipt. We do not receive card numbers, bank account details, or any other payment instrument data — Apple and Google are the merchants and retain all payment data.
RevenueCat: Subscription entitlement status and renewal metadata derived from Apple/Google receipts.
Apple Sign-In / Google Sign-In: Name, email address, and social platform user identifier, if you choose social registration.

4.4 Data We Do Not Collect

We do not collect: biometric data, health data, social security or national identification numbers, bank account or card details, precise geolocation, or data from your device contacts, photos, or files beyond receipt images you explicitly upload.

5. Legal Basis for Processing (GDPR)

For users located in the EEA and the UK, we process your personal data on the following legal bases under GDPR Article 6:

Purpose of Processing	Legal Basis
Creating and maintaining your account; providing core app features (transaction tracking, goals, bills, investments)	Performance of a contract (Art. 6(1)(b))
Generating your IQ Financial Score and AI-powered insights	Performance of a contract (Art. 6(1)(b))
Processing receipt images through AI scanning	Performance of a contract (Art. 6(1)(b))
Managing subscriptions and billing records	Performance of a contract (Art. 6(1)(b))
Sending essential service notifications (trial expiry, security alerts)	Legitimate interests (Art. 6(1)(f)) — to keep you informed about your account status
App crash reporting, stability monitoring, and compatibility improvements	Legitimate interests (Art. 6(1)(f)) — to maintain and improve the quality of the Service
Responding to support requests	Legitimate interests (Art. 6(1)(f)) — to resolve issues and provide assistance
Complying with legal obligations (e.g., responding to lawful government requests, maintaining mandatory records)	Compliance with a legal obligation (Art. 6(1)(c))
Establishing, exercising, or defending legal claims	Legitimate interests (Art. 6(1)(f))

Where we rely on legitimate interests, we have assessed that our interests do not override your fundamental rights and freedoms. You may request a copy of that assessment by emailing privacy@iq-wallet.com.

6. How We Use Your Personal Data

We use the personal data described in Section 4 for the following purposes:

To create, authenticate, and manage your user account;
To provide the core features of the App (transaction management, budgeting, goal and investment tracking, bill management);
To generate your IQ Financial Score based on the financial data you enter;
To power the AI Financial Advisor with context relevant to your query;
To process receipt images and return structured expense data;
To process and verify your subscription status through Apple App Store or Google Play;
To send essential transactional communications (account verification, trial expiry reminders, subscription confirmation, security notices);
To detect and prevent fraudulent, abusive, or unlawful activity;
To debug, monitor, and improve the performance and security of the Service;
To comply with applicable law, legal process, and regulatory requirements;
To enforce our Terms of Use.

We do not use your personal data for: behavioural advertising, data brokerage, sale to third parties, credit scoring by third parties, or any purpose incompatible with those stated above.

7. Automated Decision-Making and Profiling

The IQ Financial Score is calculated automatically using an algorithm applied to the financial data you enter. This score is generated solely for your personal informational use within the App. It is not shared with any third party, does not affect your access to credit, insurance, or other financial products, and does not produce any legal or similarly significant effect on you within the meaning of GDPR Article 22.

We do not conduct profiling for marketing, creditworthiness assessment, or any other purpose that produces significant legal or personal effects.

8. Data Sharing and Third-Party Processors

We share your personal data with the following categories of recipients, strictly on a need-to-know basis and only to the extent necessary to provide the Service:

Recipient	Role	Data Shared	Location	Safeguard
Supabase, Inc.	Data Processor — database hosting and authentication	Account data, financial data, session tokens	EU (Frankfurt, Germany)	Data Processing Agreement (DPA); GDPR-compliant
Anthropic, PBC	Data Processor — AI processing (Claude API)	Query text and minimal financial context you provide during an AI interaction; receipt image content during scanning	United States	DPA with Standard Contractual Clauses (SCCs); Anthropic does not retain data beyond the API request lifecycle
RevenueCat, Inc.	Data Processor — subscription management	Subscription status, product identifiers, anonymous device ID, App User ID	United States	DPA with SCCs; no financial or payment data transmitted
Apple Inc.	Independent Controller — in-app purchases (iOS)	Purchase receipt and transaction verification tokens	United States	Apple's own privacy policy governs; Apple is the merchant of record
Google LLC	Independent Controller — in-app purchases (Android)	Purchase receipt and transaction verification tokens	United States	Google's own privacy policy governs; Google is the merchant of record

8.1 Other Disclosures

We may also disclose your personal data:

To comply with a legal obligation: When required by applicable law, court order, or binding governmental request, we will disclose the minimum data necessary and, where legally permitted, notify you.
To protect rights and safety: Where we believe in good faith that disclosure is necessary to prevent fraud, protect the security of our systems, or protect the rights, property, or safety of us, our users, or the public.
In connection with a business transfer: In the event of a merger, acquisition, asset sale, or insolvency proceeding, your data may be transferred to a successor entity, subject to equivalent privacy protections. We will notify you before your data is transferred and becomes subject to a different privacy policy.

We do not sell, rent, lease, or trade your personal data to any third party for commercial purposes.

9. International Data Transfers

Our primary data storage is within the European Union (Supabase, Frankfurt). However, some of our service providers are located in the United States, which means your personal data may be transferred to, stored in, and processed in the United States or other countries outside the EEA.

Where we transfer personal data to countries not deemed adequate by the European Commission, we rely on one or more of the following transfer mechanisms:

Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision (EU) 2021/914);
Adequacy decisions issued by the European Commission for the recipient country;
Binding Corporate Rules where applicable.

You may request details of the specific transfer mechanisms in place for any processor by emailing privacy@iq-wallet.com.

10. Data Retention

Category of Data	Retention Period	Reason
Account data (name, email, hashed password)	Duration of account + deleted immediately on account deletion	Necessary to provide the Service
Financial data (transactions, goals, bills, investments, etc.)	Duration of account + deleted immediately on account deletion	Core service functionality
Receipt images	Deleted immediately after AI parsing completes (within seconds)	Images are transient processing inputs only
AI advisor conversation context	Session only (not stored beyond the active session)	Context is transient; Anthropic API does not retain data
Server logs (IP address, request metadata)	30 days	Security monitoring and debugging
Subscription and billing records	Deleted on account deletion, except where retention required by applicable tax or financial law	Regulatory compliance
Support communications (emails)	3 years from last interaction, or until deletion is requested	Limitation periods for potential claims

Account deletion: When you delete your account (via App Settings → Delete Account, or by written request to privacy@iq-wallet.com), all of your personal data stored in our systems — including all financial records, profile information, session tokens, and subscription records — is permanently and irreversibly deleted. Deletion completes automatically and immediately upon your request; in all cases within 24 hours. Deletion is irreversible: we cannot restore any data after account deletion.

11. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction, including:

Encryption in transit: All data transmitted between the App and our servers is encrypted using TLS 1.2 or higher.
Encryption at rest: Personal data stored in our database is encrypted at rest using AES-256.
Authentication security: Passwords are hashed using a strong, salted cryptographic hash function. We support secure session management with short-lived tokens.
Access controls: Access to production data is restricted to authorised personnel on a strictly need-to-know basis and is logged and audited.
Service role separation: Production API keys and service credentials are separated by privilege level and rotated periodically.

Despite our security measures, no method of data transmission or storage is 100% secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (as required by GDPR Article 33) and notify affected users without undue delay where required by Article 34.

12. Your Rights as a Data Subject

12.1 Rights Under GDPR (EEA and UK Users)

If you are located in the EEA or the UK, you have the following rights under the GDPR:

Right of access (Art. 15): You have the right to obtain confirmation of whether we process your personal data and, if so, to receive a copy of that data together with supplementary information about how it is processed.
Right to rectification (Art. 16): You have the right to have inaccurate personal data corrected or incomplete data completed without undue delay.
Right to erasure / "right to be forgotten" (Art. 17): You have the right to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent (where applicable), where you object and there are no overriding legitimate grounds, or where processing is unlawful. You can exercise this right directly via App Settings → Delete Account.
Right to restriction of processing (Art. 18): You have the right to request that we restrict processing of your personal data in certain circumstances (e.g., while a rectification request is being verified).
Right to data portability (Art. 20): Where processing is based on contract or consent and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller. Submit a request to privacy@iq-wallet.com and we will provide your data within 30 days.
Right to object (Art. 21): You have the right to object at any time to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or for the establishment, exercise, or defence of legal claims.
Rights related to automated decision-making (Art. 22): You have the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal or similarly significant effects. As noted in Section 7, the IQ Financial Score does not produce such effects.

12.2 Rights Under the CCPA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA / CPRA):

Right to know: The right to request disclosure of the categories and specific pieces of personal information we collect, use, disclose, and sell.
Right to delete: The right to request deletion of personal information we have collected, subject to certain exceptions.
Right to correct: The right to request correction of inaccurate personal information.
Right to opt-out of sale or sharing: We do not sell or share personal information for cross-context behavioural advertising. No opt-out is required.
Right to limit use of sensitive personal information: We do not use sensitive personal information for purposes other than providing the Service.
Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To exercise CCPA rights, submit a verifiable consumer request to privacy@iq-wallet.com. We will respond within 45 days (with a possible one-time 45-day extension).

12.3 Rights Under Ukrainian Law

If you are located in Ukraine, you have rights under the Law of Ukraine "On Personal Data Protection" (No. 2297-VI), including the right to access, correct, object to, and request deletion of your personal data. These rights are exercisable by contacting us at privacy@iq-wallet.com.

12.4 How to Exercise Your Rights

To exercise any of the rights described above:

Account deletion: Directly via App → Settings → Account → Delete Account (instant).
Name update: Directly via App → Settings → Account → Edit Name.
All other requests: Email privacy@iq-wallet.com from the email address registered to your account, stating your request clearly.

We may need to verify your identity before fulfilling a request. We will respond within 30 days of receipt (or within the timeframe required by the applicable law, whichever is shorter). If we are unable to fulfill a request, we will explain why.

12.5 Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with the relevant supervisory authority:

EEA users: The data protection authority in your EU member state. A full list is available at: https://edpb.europa.eu
UK users: The Information Commissioner's Office (ICO) — ico.org.uk
Ukrainian users: The Ukrainian Parliament Commissioner for Human Rights (Ombudsman) — the supervisory authority for personal data protection in Ukraine.

We would, however, appreciate the opportunity to address your concerns directly before you contact a supervisory authority. Please email privacy@iq-wallet.com first.

13. AI Processing — Specific Disclosures

IQ-Wallet uses the Claude API, operated by Anthropic, PBC, to power the AI Financial Advisor and the receipt scanner. The following applies to AI-related data processing:

What is sent to Anthropic: When you submit a query to the AI Financial Advisor, we send the text of your query and a minimal relevant financial summary (only what you have explicitly asked about) to Anthropic's API. When you scan a receipt, the receipt image is sent to Anthropic for parsing.
What is not sent: We do not send your full transaction history, account credentials, or personally identifying information to Anthropic unless it is directly contained in the text or image you submit.
Anthropic's data handling: Anthropic does not use your data to train its models under its API terms. Data is processed in real time and not retained by Anthropic beyond the lifecycle of the API request. Anthropic acts as our data processor under a Data Processing Agreement incorporating SCCs for international transfers.
AI output is not advice: Outputs from the AI Financial Advisor are informational and do not constitute professional financial, investment, tax, or legal advice. See Section 8 of our Terms of Use.

14. Children's Privacy

The Service is not directed to, and we do not knowingly collect personal data from, individuals under the age of 16 (or the applicable minimum age in their jurisdiction). If you are under 16, do not use the App or provide any information to us.

If we become aware that we have collected personal data from a minor without verified parental consent, we will take immediate steps to delete that information. If you believe we have inadvertently collected data from a minor, please contact us immediately at privacy@iq-wallet.com.

15. Cookies and Tracking Technologies

The IQ-Wallet mobile application does not use browser cookies. We use minimal in-app analytics (aggregated, non-identifiable usage data) to understand how features are used and to improve the Service. We do not use cross-app tracking, advertising identifiers for targeting, or third-party analytics SDKs that profile individual users.

If you visit our websites (iq-wallet.com, policy.iq-wallet.com), standard web server logs are collected as described in Section 4.2.

16. Third-Party Links and Services

The App and our websites may contain links to third-party websites or services (such as Apple App Store, Google Play Store, or external resources). This Privacy Policy does not apply to those third-party services. We have no control over and assume no responsibility for the privacy practices of third-party services. We encourage you to read their privacy policies before providing any personal data to them.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

Update the "Last updated" date at the top of this page;
Post a notice within the App; and/or
Send an email notification to your registered email address, where required by law.

We will provide at least 14 days' advance notice before any material change takes effect. Continued use of the Service after the effective date of a revised Policy constitutes your acceptance of the changes. If you do not agree to the revised Policy, you may delete your account at any time.

18. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:

Privacy enquiries: privacy@iq-wallet.com
General support: support@iq-wallet.com
Website: https://iq-wallet.com

We aim to respond to all enquiries within 5 business days and to fulfill all rights-exercise requests within the timeframes required by applicable law (maximum 30 days under GDPR, 45 days under CCPA).