Privacy Policy

Last updated: April 16, 2026

oof is a personal finance app built by Berk Çapar. This policy explains what data we collect, how we use it, and your rights regarding your information.

What We Collect

• Account info — email address and password for authentication (or Apple ID if using Sign in with Apple).
• Financial data — transactions, balances, and account metadata synced via Plaid. We never store your bank login credentials.
• Manual entries — expenses you add yourself through the app.
• Preferences — currency, income, savings goal, monthly bills, and focus area.
• Technical data — app version, device type, anonymized usage events (for debugging and improvement).

How We Use Your Data

• Calculate safe-to-spend, category breakdowns, and spending insights.
• Generate AI-powered coaching, roasts, forecasts, and wrapped reports (premium features).
• Improve the app experience and fix bugs.
• Communicate important account or service updates.

We do not sell, rent, or share your personal data with advertisers or any third party for marketing purposes.

Third-Party Services

• Supabase — authentication, database hosting, and edge functions (hosted in EU/US).
• Plaid — secure bank account connection. Plaid's own privacy policy governs the data they process on your behalf.
• RevenueCat — subscription management. No financial transaction data is shared.
• Anthropic (Claude) — AI insights and coaching. Only aggregated, anonymized spending patterns are sent; never raw bank credentials.
• Apple (Sign in with Apple) — optional authentication provider.

Data Storage & Security

Your data is stored in encrypted Supabase databases (AES-256 at rest). All data in transit is protected with TLS 1.2 or better. Bank connections are made through Plaid's secure, regulated infrastructure — we never see or store your banking passwords.

Data Retention

We retain your data for as long as your account is active. You can delete your account at any time from Settings → Delete Account. Upon deletion, all personal data is removed from our systems within 30 days, except where we are legally required to retain records (e.g., financial records for tax purposes).

Plaid access tokens are deleted immediately when you disconnect a bank or delete your account. We revoke the token via the Plaid API and purge it from our database.

Your Rights

• Access — request a copy of your data.
• Correction — update inaccurate information in the app.
• Deletion — permanently delete your account and data from Settings → Delete Account.
• Portability — export your data in a machine-readable format (CSV/JSON) upon request.
• Disconnect — remove bank connections anytime from Settings.
• Objection — object to processing for legitimate interests.

For GDPR, CCPA, or any privacy-related request, contact us at privacy@oof.app (or berkcapar@gmail.com). We respond within 30 days.

Legal Basis (GDPR)

We process your data under the following legal bases: (1) contract performance — to provide the oof service you signed up for; (2) consent — for optional features like bank connection; (3) legitimate interests — for security monitoring and product improvement.

Children

oof is not intended for users under 16 years old. We do not knowingly collect data from children. If you believe a child has created an account, contact us and we will delete it.

International Data Transfers

Your data may be processed in the EU (Supabase), US (Plaid, RevenueCat, Anthropic), and other regions where our service providers operate. We ensure all transfers comply with GDPR via Standard Contractual Clauses (SCCs).

Changes to This Policy

We may update this policy from time to time. Material changes will be communicated in the app and via email. Continued use after changes constitutes acceptance.

Contact

Berk Çapar
Email: privacy@oof.app
Fallback: berkcapar@gmail.com