Privacy Policy

Effective 27 May 2026 · Last updated 27 May 2026

Stashio is a personal finance app. This page explains, in plain language, what data Stashio collects from you, how it's stored, who else sees it, and how you can take it back. If anything here is unclear or you want something deleted, write to luis@stashio.fi.

Short version. We only collect what's needed to run the app. We don't sell your data. We don't run ads. We don't share with anyone except the service providers listed below, and only to keep the app working. You can export or delete your data at any time.

1. Who is responsible

The data controller is Luis Lundstedt, operating Stashio as a sole trader in Finland. Contact: luis@stashio.fi. This contact also serves as the data protection contact under the EU General Data Protection Regulation (GDPR).

2. What we collect

Information you give us

Account credentials: email address and a password (stored as a one-way hash; we cannot read it).
Profile details you choose to enter: name, preferred currency, timezone.
Financial data you type in: transactions, budget categories, savings goals, investments, mortgage details.

Information from your bank (only if you connect one)

If you choose to link a bank account, we receive — through our licensed open-banking partner — read-only transaction history, account balance, and account metadata (account number masked, currency, type). We never receive your bank login or password; that authorisation happens entirely on your bank's own consent screen.

Technical information collected automatically

Browser session cookies (necessary to keep you logged in).
Basic security audit logs: login events, suspicious-activity flags, IP address at login. Used only for protecting your account.

Stashio does not run third-party analytics, marketing trackers, or advertising scripts.

3. Why we collect it (lawful basis)

Contract performance — to provide the app you signed up for.
Consent — for bank linking. You give explicit consent at your bank, and can withdraw it at any time.
Legitimate interest — for security audit logs, to detect account abuse.

4. Who else sees your data

We rely on a small number of trusted service providers (sub-processors) to run the app. None of them sell your data.

Supabase (EU region) — database, authentication, and edge functions. Your data sits in PostgreSQL behind row-level security policies so that no other Stashio user can read your rows. Supabase privacy policy.
Enable Banking (Finland) — our licensed Account Information Service Provider (AISP) under PSD2. Used only if you connect a bank. They handle the bank authorisation flow and pass transaction data to us. Enable Banking privacy policy.
Hostinger — hosts this marketing page (stashio.fi). They do not see your financial data.

We will not share your data with anyone else — including advertisers, data brokers, or law enforcement — except where required by Finnish or EU law and only after evaluating the legal basis.

5. Where your data lives

All financial data is stored in Supabase's EU region (Frankfurt). Backups are managed by Supabase under the same regional restriction. Data never leaves the EU/EEA.

6. How long we keep it

Account and financial data: as long as your account is active. You can delete your account at any time, which removes all your data within 30 days.
Security audit logs: 12 months, then deleted.
Bank-linking consents: capped at 180 days by PSD2. After that, you re-confirm via your bank.

7. Your rights under GDPR

Access — request a copy of everything we hold about you.
Rectify — fix anything that's wrong.
Erase — have your data deleted (the "right to be forgotten").
Restrict / object — limit how we use your data.
Portability — get your data in a machine-readable format (CSV / JSON).
Withdraw consent — for bank linking, revoke at any time inside the app or directly at your bank.
Complain — to the Finnish Data Protection Ombudsman (tietosuoja.fi) if you believe we've mishandled your data.

Email luis@stashio.fi to exercise any of these. Expect a reply within 30 days.

8. Bank linking, in detail

If you connect a bank, here is exactly what happens:

You click "Connect bank" inside the app.
Stashio asks Enable Banking to start a session. Enable Banking redirects you to your bank's own login page.
You authenticate with your bank (Mobile-ID, BankID, app push, etc.) — Stashio never sees your credentials.
Your bank confirms the consent and grants Enable Banking read-only ("Account Information Service") access for up to 180 days. No payment initiation. No write access. No ability to move money.
Stashio pulls your transactions on a daily schedule and stores them in your account.
You can revoke the connection at any time from the app, or directly from your bank's own settings.

9. Cookies

Stashio uses only essential session cookies needed to keep you signed in. There are no advertising or tracking cookies.

10. Changes to this policy

If we change this policy materially, we'll email you before the change takes effect. The "last updated" date at the top will always reflect the most recent revision.

11. Contact

For any privacy question, email luis@stashio.fi.