Privacy Policy
This Privacy Policy explains how Stefan Rosanitsch ("we", "us", "our") collects, uses, and protects your personal data when you use the Easy Earnings Tracker service. We are committed to protecting your privacy and ensuring compliance with the General Data Protection Regulation (GDPR) and other applicable German data protection laws.
Data Controller: Stefan Rosanitsch, Kriegerdankstr. 14, 96450 Coburg, Germany
Contact: stefanrows@gmail.com
Last Updated: November 12, 2025
We process your personal data based on the following legal grounds under GDPR:
- Contract Performance (Art. 6(1)(b) GDPR): To provide our income tracking service and manage your account
- Legitimate Interest (Art. 6(1)(f) GDPR): To improve our service, ensure security, and prevent fraud
- Consent (Art. 6(1)(a) GDPR): For analytics and marketing purposes (where applicable)
Account and Profile Data:
- Email address (for authentication and communication)
- Name and profile information
- Account preferences and settings
Income and Expense Tracking Data (Financial Information):
- Income amounts and currency details
- Platform/source of income (YouTube, Twitch, freelance clients, etc.)
- Expense records and vendor information
- Transaction dates and payment schedules
- Custom categories and notes you create
Special Protection: We treat financial data with enhanced security measures, including encrypted storage, limited employee access, and audit logging. This data is processed solely to provide income and expense tracking services and is never used for marketing, profiling, or automated decision-making.
Technical Data:
- IP address and location data
- Browser type, version, and settings
- Operating system and device information
- Usage patterns and interaction data
Payment Data (via Stripe):
- Payment method information (processed by Stripe)
- Subscription status and billing history
- Transaction records
We use your personal data for the following purposes:
- Service Provision: To create and manage your account, provide income tracking functionality
- Payment Processing: To process payments and manage subscriptions through Stripe
- Communication: To send service updates, security notifications, and support messages
- Security: To protect against fraud, abuse, and unauthorized access
- Analytics: To understand usage patterns and improve our service (with consent)
- Legal Compliance: To comply with legal obligations and resolve disputes
Stripe (Payment Processing):
We use Stripe to process payments and manage subscriptions. Stripe collects and processes payment information according to their own privacy policy. We only receive confirmation of successful payments and subscription status.
- Stripe Privacy Policy: https://stripe.com/privacy
- Data shared: Payment method details, transaction amounts, subscription status
- Purpose: Payment processing and subscription management
Google Analytics:
We use Google Analytics 4 (GA4) to understand how users interact with our website and improve our service. Google Analytics uses cookies and similar technologies to collect information about your use of our website.
- Google Privacy Policy: https://policies.google.com/privacy
- Data collected: Page views, session duration, user interactions, device information
- Purpose: Website analytics and service improvement
- Legal basis: Consent (you can opt out via cookie settings)
Supabase (Backend Services):
We use Supabase as our backend service provider for data storage and authentication. Your data is stored in Frankfurt, Germany (EU), ensuring full compliance with EU data protection requirements.
- Supabase Privacy Policy: https://supabase.com/privacy
- Data location: Frankfurt, Germany (EU region)
- Data stored: Account information, income data, expense data, preferences
- Purpose: Data storage and authentication
- Legal safeguards: Data Processing Agreement in place
We retain your personal data for the following periods:
- Account Data: Until you delete your account or request deletion
- Income Data: Until you delete your account or the specific entries
- Payment Records: As required by law (typically 7-10 years for tax purposes)
- Analytics Data: 26 months (Google Analytics default retention period)
- Logs and Security Data: Up to 12 months for security and debugging purposes
Account Deletion: You can delete your account at any time from your Account Settings page. This will permanently delete all your personal data and income entries. This action cannot be undone.
As a data subject under GDPR, you have the following rights:
- Right of Access (Art. 15 GDPR): Request a copy of your personal data and information about how it's processed
- Right to Rectification (Art. 16 GDPR): Request correction of inaccurate or incomplete data
- Right to Erasure (Art. 17 GDPR): Request deletion of your personal data ("right to be forgotten")
- Right to Restrict Processing (Art. 18 GDPR): Request limitation of data processing
- Right to Data Portability (Art. 20 GDPR): Request transfer of your data to another service
- Right to Object (Art. 21 GDPR): Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent for processing based on consent
- Right to Lodge a Complaint: File a complaint with a supervisory authority
To exercise these rights, contact us at stefanrows@gmail.com. We will respond within 30 days.
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
Technical Safeguards:
- Row-Level Security (RLS): Database-level access controls ensure users can only access their own data. Even in the event of an application vulnerability, users cannot access other users' information
- Data Isolation: All user data is cryptographically separated at the database level, preventing unauthorized cross-user access
- Encryption: TLS 1.3 for data in transit and AES-256 for data at rest
- Authentication: Secure authentication with support for multi-factor authentication
- Infrastructure: Hosted on Supabase (SOC 2 Type II certified) with industry-standard security
- Backups: Regular encrypted backups with disaster recovery procedures
Organizational Safeguards:
- Regular security assessments and updates
- Limited access based on the principle of least privilege
- Data Processing Agreements with all third-party processors
- Regular security training and awareness
Essential Cookies:
These cookies are necessary for the website to function properly and cannot be disabled.
- Authentication cookies (session management)
- Security cookies (CSRF protection)
- Preference cookies (theme, language settings)
Analytics Cookies:
Google Analytics cookies help us understand website usage. You can control these through your browser settings or our cookie consent mechanism.
- _ga, _ga_* (Google Analytics)
- _gid (Google Analytics)
- _gat (Google Analytics)
Cookie Consent Management:
Upon your first visit, we present a cookie consent banner allowing you to:
- Accept or reject analytics cookies
- Customize cookie preferences
- Access this privacy policy for more information
Withdrawing Consent:
You can withdraw cookie consent at any time by:
- Adjusting your browser cookie settings
- Using browser extensions that block tracking
- Contacting us at stefanrows@gmail.com to request removal from analytics
Withdrawing consent does not affect the lawfulness of processing based on consent before withdrawal. Disabling essential cookies may affect website functionality.
Our service is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately.
If we discover that we have inadvertently collected data from a child under 16, we will delete it within 30 days. Parents can contact us at stefanrows@gmail.com to report such cases.
We may update this privacy policy from time to time to reflect changes in our practices or applicable laws. We will notify you of any material changes by:
- Posting the updated policy on this page
- Updating the "Last Updated" date
- Sending an email notification for significant changes
We encourage you to review this policy periodically. Your continued use of our service after changes become effective constitutes acceptance of the updated policy.
If you have any questions about this privacy policy or our data practices, please contact us:
Data Controller: Stefan Rosanitsch
Address: Kriegerdankstr. 14, 96450 Coburg, Germany
Email: stefanrows@gmail.com
Supervisory Authority (Germany):
If you have concerns about our data processing, you may also contact our supervisory authority:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach, Germany
Phone: +49 (0) 981 180093-0
Email: poststelle@lda.bayern.de
Website: https://www.lda.bayern.de
For users in other EU countries, you may contact your local data protection authority. A full list is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en
We have entered into Data Processing Agreements (DPAs) with all third-party processors that handle your personal data, in accordance with Article 28 of the GDPR. These agreements ensure that your data is processed only according to our instructions and with appropriate security measures.
Our Sub-Processors:
- Supabase: Cloud database and authentication services (Data location: Frankfurt, Germany)
- Stripe: Payment processing (Level 1 PCI DSS compliant)
- Google Cloud Platform: Analytics infrastructure
- Vercel: Hosting and edge computing
These agreements incorporate Standard Contractual Clauses (SCCs) approved by the European Commission for any international data transfers, ensuring your data receives adequate protection regardless of processing location.
You can request more information about our DPAs or sub-processor details by contacting us at stefanrows@gmail.com.
Primary Data Location: Your personal data is primarily stored and processed within the European Union (Frankfurt, Germany). This ensures compliance with EU data protection standards.
Limited International Transfers:
In some cases, data may be transferred internationally for the following purposes:
- Payment processing through Stripe (may involve US processing)
- Technical support and maintenance operations
Safeguards for International Transfers:
When data is transferred outside the EU/EEA, we ensure adequate protection through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with adequate security guarantees
- Regular security audits and compliance reviews
If you have specific concerns about international data transfers, please contact us at stefanrows@gmail.com.
In accordance with Article 22 of the GDPR, we want to be transparent about our use of automated systems:
We do NOT use your personal data for:
- Automated decision-making that produces legal or similarly significant effects
- Profiling for marketing or advertising purposes
- Automated credit scoring or risk assessment
- Algorithmic determination of service access or pricing
Our service processes your income and expense data solely to provide the tracking, analytics, and reporting features you request. All decisions about your account, subscription, and data remain under your direct control. The calculations and charts we provide are simple mathematical operations based on the data you input, not automated decision-making in the sense of GDPR Article 22.
We take data security seriously and have implemented measures to prevent data breaches. However, in the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will:
Our Obligations:
- Notify the relevant supervisory authority (BayLDA) within 72 hours of becoming aware of the breach
- Inform affected users via email without undue delay if the breach is likely to result in high risk
- Provide information about the nature of the breach and measures taken
- Offer guidance on protective steps you can take
- Document all breaches and our response for regulatory compliance
If You Suspect Unauthorized Access:
If you believe your account has been compromised, please take immediate action:
- Change your password immediately
- Contact us at stefanrows@gmail.com
- Review recent account activity in your dashboard
- Check your linked payment methods for any unauthorized charges
We maintain incident response procedures and regularly test our security measures to minimize the risk of data breaches.