Privacy Policy
Last updated: June 14, 2026
At Crumera, we take your privacy seriously — especially because we handle financial information. This policy explains what we collect, why, and what control you have. Here are the key points:
- We don't sell your data, and we don't run ads in the app. Crumera is funded by subscriptions, not advertising.
- Your financial data stays private. We never send your transactions, balances, or email to analytics tools — only anonymous usage events.
- Your data is hosted in the EU (Frankfurt, Germany).
- You're in control. You can delete your account or export your data at any time, directly in the app.
The rest of this document covers the details.
1. Who we are (Data Controller)
The data controller responsible for your personal data is the operator of Crumera.
Contact: support@crumera.com
If you have any questions about this policy or your data, contact us at the email above.
2. What data we collect
We collect only the data needed to provide the app.
Account data
- Email address
- Password (stored only in encrypted/hashed form — we never see your actual password)
- Name and profile photo (avatar), if you provide them
- A unique account identifier
Financial data you enter
- Transactions (amount, date, category, description)
- Accounts and cards (names/labels and balances you record)
- Budgets and subscriptions you set up
Crumera is a tracker, not a payment processor. We do not collect full card numbers, CVV codes, or bank login credentials, and we do not initiate real payments. The "cards" and "accounts" in the app are labels you create to organize your own records.
Technical data
- IP address and basic device/log information, collected automatically when you use the app (needed for security and to operate the service)
Sign-in via Google or Apple
- If you sign in with Google or Apple, we receive your email address and basic profile information from them to create and access your account.
Analytics data
- We use analytics tools to understand how the app is used — for example, which screens are viewed and which features are used. We do not record your screen, and we do not send your financial data, transaction details, or email to analytics tools. Only aggregated, non-identifying usage events are collected. We use two analytics providers: PostHog (hosted in the EU) and Firebase Analytics (Google).
Diagnostic / crash data
- We use Firebase Crashlytics (Google) to collect crash reports and technical diagnostics so we can fix bugs and keep the app stable. These reports contain technical information (such as error stack traces and device state), not your financial records.
Subscription & purchase data
- If you buy Crumera Premium, our purchase partner RevenueCat processes the purchase and tracks your subscription status. We receive your subscription status and a purchase identifier, linked to your account by a non-identifying app user id. We do not receive your full card number or payment credentials — those stay with Apple or Google.
3. How and why we use your data (legal bases)
| What we do | Why | Legal basis |
|---|---|---|
| Create and manage your account | To let you use the app | Performance of a contract |
| Store and display your financial records | Core function of the app | Performance of a contract |
| Send account emails (verification, password reset) | To operate your account securely | Performance of a contract |
| Keep the service secure, prevent abuse, basic logging | To protect users and the service | Legitimate interest |
| Crash reporting & diagnostics (Crashlytics) | To keep the app stable and fix bugs | Legitimate interest |
| Process subscriptions & track purchase status (RevenueCat) | To sell and manage Crumera Premium | Performance of a contract |
| Analytics (PostHog, Firebase Analytics) | To understand usage and improve the app | Consent, where required by law |
4. Analytics
We use only essential storage required to keep you logged in and run the app.
We also use analytics tools — PostHog (hosted in the European Union) and Firebase Analytics (Google) — to understand how the app is used and improve it. We do not record your screen, and we never send your financial data, transactions, or email to analytics tools.
Where the law requires your consent for analytics, we rely on that consent, and you can withdraw it at any time by contacting us at support@crumera.com. Crash diagnostics are collected via Firebase Crashlytics to keep the app stable.
5. Who we share your data with
We do not sell your data. We share it only with the service providers ("processors") that help us run the app, each under a data processing agreement, grouped by purpose:
Hosting & backend
- Supabase — database, authentication, file storage, backend (EU region, Frankfurt)
- Resend — sending account-related emails (verification, password reset)
Sign-in
- Google and Apple — sign-in, if you choose to use them
Analytics
- PostHog — product analytics (EU region)
- Firebase Analytics (Google) — product analytics
Diagnostics
- Firebase Crashlytics (Google) — crash reporting and stability
Payments & subscriptions
- RevenueCat — subscription processing and purchase status
- Apple and Google — app store billing, depending on your platform
Platform
- Lovable — application hosting/platform
We may also disclose data if required by law.
6. Where your data is stored, and international transfers
Your account and financial data are hosted in the European Union (Frankfurt, Germany) on Supabase, and our PostHog analytics is hosted in the EU.
Some providers process data outside the European Economic Area (EEA) — in particular Google (Firebase Analytics and Crashlytics) and RevenueCat (subscription processing) in the United States, and email delivery via Resend. Where data is transferred outside the EEA, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs).
7. How long we keep your data
- We keep your account and financial data for as long as your account is active.
- When you delete your account, we permanently delete your personal data from our active systems within 30 days, except where we must retain limited information to comply with legal obligations.
- Encrypted backups containing your data are rotated and expire within 7 days.
8. Your rights
Depending on where you live, you have the right to:
- Access — get a copy of the data we hold about you
- Rectification — correct inaccurate data (you can edit most data directly in the app)
- Erasure — delete your account and data ("right to be forgotten"), available in Settings → Delete account
- Portability — export your data in a machine-readable format
- Restriction / Objection — limit or object to certain processing
- Withdraw consent — for anything based on consent, at any time
To exercise any of these, use the in-app controls or contact us at support@crumera.com. We respond within one month.
You also have the right to lodge a complaint with your local data protection authority if you believe we have mishandled your data.
9. US / California residents
If you are a US resident, you have the right to know what personal information we collect, to request its deletion, and to opt out of the "sale" or "sharing" of personal information. We do not sell or share your personal information. You can exercise your rights, including deletion and export, directly in the app or by contacting us at support@crumera.com, and we will not discriminate against you for doing so.
10. How we protect your data
We use industry-standard security measures, including:
- Encryption of data in transit and at rest
- Row-level security so each user can only access their own data
- Restricted access to backend systems
No system is perfectly secure, but we take reasonable steps to protect your information and will notify you and the relevant authority of a data breach where legally required.
11. Children
Crumera is not intended for anyone under 13. We do not knowingly collect data from children under this age. If you believe a child has provided us data, contact us and we will delete it.
12. Business transfers
If Crumera is involved in a merger, acquisition, sale of assets, or in the unlikely event of bankruptcy, your personal data may be among the assets transferred. We will notify you of any such change, and any acquiring party will be required to honor this Privacy Policy or provide equivalent protection.
13. Changes to this policy
We may update this policy from time to time. We will post the new version here and update the "Last updated" date. Significant changes will be communicated in the app.
14. Contact
For any privacy questions or requests: support@crumera.com.