At Sumant we care about your data. This document explains clearly what information we collect, what we use it for, who we share it with, and what you can do about it.
1. Data controller
The owner of the Sumant project. Contact: hello@sumant.app.
We comply with the General Data Protection Regulation (GDPR, EU 2016/679) and Spanish Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).
2. Data we process
Sumant requires an account to work — we need an email to identify you and sync your data across devices. The data we handle:
- Account data: your email and a one-way hash of your password. We store the hash, never the password itself, so we cannot see your password in plain text.
- Financial data you enter: accounts, categories, movements, goals, recurring expenses and notes. Stored in your local browser and synced to our servers in the EU (see section 6), where the database is encrypted at rest.
- Payment data (only if you buy PRO): handled by Stripe. Sumant does not store your card number at any time. We only receive a payment identifier and the plan contracted.
- Communications: if you write to us, we keep your email and message to reply.
- Newsletter signup: if you join the list, we keep your email and, optionally, your feedback message.
What we do NOT process: we don't connect to your bank, we don't process banking credentials, we don't track your browsing outside the app, we don't profile you for third parties.
3. Purposes
- Provide the service (record and display your finances).
- Sync your data across your devices.
- Manage your PRO subscription if you contract one.
- Reply when you contact us.
- Send you product updates, only if you've subscribed.
- Comply with legal obligations (invoicing, tax).
4. Legal basis
- Contract performance: by creating an account you accept the Terms; we process your data to provide the service.
- Consent: for newsletter or marketing communications. You can withdraw it anytime.
- Legal obligation: invoicing and tax regulations.
- Legitimate interest: service security and fraud prevention.
5. Who accesses your data
You. Internally, only the personnel strictly necessary to operate the service can access your synced data, and only for technical purposes, never commercial ones.
6. Processors
We work with these providers, all GDPR-compliant:
- Supabase (servers in Frankfurt, EU) — synced data storage and authentication.
- Cloudflare — app hosting and CDN.
- Vercel — landing hosting and forms.
- Stripe — payment processing. PCI-DSS Level 1 compliant.
- Resend — transactional emails and newsletter delivery.
7. International transfers
Most of our providers process data within the EU. Where a provider processes data outside the EU (for example, Stripe may process payment data in the US), it does so under the Standard Contractual Clauses approved by the European Commission.
8. Retention period
We keep your data while your account is active. If you delete your account, we erase your data within 30 days, except information we are legally required to retain (invoices: 6 years).
9. Your rights
You can exercise the rights of access, rectification, erasure, objection, restriction and portability at any time. The fastest way:
- From the app: Settings → Account → Sign out and delete data.
- By writing to hello@sumant.app.
If you believe we haven't respected your rights, you can file a complaint with the Spanish Data Protection Agency (AEPD, www.aepd.es).
10. Security
We apply appropriate technical and organizational measures: encryption in transit (HTTPS), encryption at rest in the database, Row Level Security so that each database query can only reach the rows belonging to the authenticated user, and authentication handled by Supabase Auth with hashed passwords. No system is completely secure, but we do everything reasonable to protect your information.
11. Cookies and similar
The landing and app only use technical storage necessary for the session and preferences (language, theme) to work. We don't use advertising tracking cookies or intrusive third-party analytics.
12. Minors
Sumant is intended for people aged 16 or over. We do not knowingly process minors' data.
13. Changes to this policy
If we update this policy we'll let you know here and by email (if you have an account) with at least 15 days' notice when changes are material.
14. Contact
For any inquiry about how we process your data, write to hello@sumant.app.