Privacy & Cookie Policy

Updated on September 9, 2025. Notice provided under Articles 13–14 of Regulation (EU) 2016/679 (“GDPR”) and applicable Italian law.

1) Scope of this notice

This notice applies to the website and web app MyHomesBudget and describes how we process personal data of users who access or use the service.

2) Controller & contacts

Controller: Marco Lombardo
Address: Via Sant’Antonio n.5 – 22070 – Locate Varesino (Como), Italy
VAT / Tax ID: VAT 03090650130 — Tax ID LMBMRC86A13L319I
Privacy email: privacy@myhomesbudget.com
DPO: Not appointed. Please use the contacts above for any request.

3) Key definitions

  • Personal data: any information relating to an identified or identifiable person (Art. 4(1) GDPR).
  • Processing: any operation performed on personal data (Art. 4(2) GDPR).
  • Processor: a person or entity processing personal data on behalf of the Controller (Art. 28 GDPR).
  • Special categories of data: data under Art. 9 GDPR (e.g., health, religious/political beliefs, sexual orientation).

4) Categories of data

  • Account data: email; technical identifiers for auth (Supabase, Google GIS).
  • Profile/app data: language, preferences, onboarding status, plan_type, trial_end.
  • Financial data entered by the user: transactions, categories/subcategories, budgets, goals, notes (content decided by the user).
  • Technical data: logs, IP (anonymized in GA4), user agent, device params, usage events (e.g., page views, CTAs).
  • Billing data (if/when purchases are enabled): data required for invoicing and payment processing.

No special categories: the app does not require Art. 9 GDPR data. Please do not enter health data, religious/political beliefs, biometric or judicial data in notes or elsewhere.

5) Sources of data

  • Directly from you (e.g., registration, entries, preferences).
  • Automatically via the web app (technical logs) and, subject to consent where required, via Google Analytics 4.
  • Third parties: only the technical providers indicated in this notice (auth and analytics).

6) Purposes & legal bases

  • Service delivery: create/manage account; login (email/password, Google GIS); store, display and organize user data; dashboards, summaries, charts. Legal basis: contract (Art. 6(1)(b)).
  • Plan management (Starter 30 days, Plus, Pro): compute and verify trial period; enable/limit features; anti-fraud and security controls. Legal basis: contract (6(1)(b)) and legitimate interests (6(1)(f)).
  • Support and service communications (e.g., technical notices). Legal basis: contract (6(1)(b)).
  • Legal compliance (e.g., tax/accounting, security, regulatory). Legal basis: legal obligation (6(1)(c)).
  • Analytics with GA4 (IP anonymized) to improve performance and usability. Legal basis: consent (6(1)(a)) where required via banner; without consent, analytics is off.
  • Promotional communications (if enabled): product news and updates. Legal basis: consent (6(1)(a)); can be withdrawn anytime.

7) Mandatory or optional nature

Data marked as necessary (e.g., email for account) are essential to provide the service: without them, the account cannot be created or used. Non-essential data (e.g., some preferences) can be omitted without impacting core features.

8) Processing & security

  • Electronic processing with appropriate technical/organizational measures (Art. 32 GDPR).
  • Encrypted connections (HTTPS/TLS); at-rest encryption at provider level; infrastructure hardening.
  • Row Level Security (RLS) on user-scoped tables; access controls and environment segregation.
  • Backups and restore capabilities aligned with the Supabase Pro plan.
  • Administrative access restricted to authorized personnel; logging of relevant operations.

9) Profiling / automated decisions

No profiling producing legal or similarly significant effects under Art. 22 GDPR. Only technical service features (e.g., in-app hints, summaries) and aggregated GA4 stats, with no individual effects.

10) Data retention

  • Account & content: for the life of the account and, after closure, up to 12 months for backup/log purposes, unless longer terms are legally required.
  • Technical logs: up to 180 days, unless security needs justify longer.
  • Billing (if enabled): as required by Italian law for fiscal retention.

11) Recipients & processors (Art. 28 GDPR)

  • Supabase (DB, authentication) — EU region selected; TLS and RLS in place.
  • Google — Google Identity Services (login), Google Analytics 4 / Tag Manager (analytics, subject to consent where required).
  • Static hosting/CDN for the site (if used).
  • Advisors/providers (e.g., accounting/legal/IT), acting as processors or independent controllers depending on the case.
  • Authorities or public bodies, within legal limits.

12) International transfers

Where some providers (e.g., Google) process data outside the EEA, transfers rely on GDPR Chapter V safeguards (e.g., Standard Contractual Clauses, supplementary measures). For analytics, IP anonymization is enabled and collection is subject to consent where required.

13) Cookies & similar technologies

13.1 Types

  • Strictly necessary: essential for operation (authentication, security). Do not require consent.
  • Analytics (GA4): aggregated metrics to improve the service. Active only with consent, where required.

13.2 Preferences & control

Where present, a banner allows you to grant or withdraw choices at any time. You can also manage cookies from your browser (deletion, restrictions).

13.3 Local storage

The web app may use local storage (e.g., localStorage) for non-sensitive preferences (e.g., language mhb_lang, onboarding/verification flags).

14) Data subjects’ rights (Arts. 15–22 GDPR)

  • Access to data and information on processing.
  • Rectification of inaccurate data and erasure (“right to be forgotten”) where applicable.
  • Restriction and objection to processing within legal limits.
  • Portability of provided data in a structured format.
  • Withdrawal of consent (e.g., analytics) without affecting prior lawfulness.

To exercise rights: write to privacy@myhomesbudget.com. We usually respond within 1 month (Art. 12 GDPR), after verifying your identity. You may lodge a complaint with the Italian Data Protection Authority (Garante) (www.garanteprivacy.it).

15) Children

The service is intended for adults. We do not knowingly process data of children under 16; any such content will be deleted where technically feasible.

16) Personal data breaches

In case of a breach, we assess the event under Arts. 33–34 GDPR and, where required, notify the supervisory authority and communicate with affected users, adopting corrective and preventive measures.

17) Changes to this notice

This notice may be updated to comply with law or service evolution. The current version is published on this page with the update date.

18) Contacts

Controller: Marco Lombardo
Privacy email: privacy@myhomesbudget.com
Address: Via Sant’Antonio n.5 – 22070 – Locate Varesino (Como), Italy
VAT / Tax ID: VAT 03090650130 — Tax ID LMBMRC86A13L319I

For disputes, please refer to our Terms & Conditions (competent court: Como, Italy).