Privacy Policy
Last updated: March 08, 2026
Disclaimer: This is a provisional document pending final legal review. For any questions, contact us at hello@spendable.pro.
This Privacy Notice for Lomi Ventures FZ-LLC describes how and why we may access, collect, store, use, and share your personal information when you use Spendable.pro, including our website, mobile application, and related services.
Spendable.pro is a digital personal finance platform that helps users track bank accounts, investments, and cryptocurrency holdings in one place, with tools for budgeting, financial organization, spending analysis, and AI-powered financial workflows, including native integration with ChatGPT.
1. Information We Collect
Information you provide directly
We collect personal information that you voluntarily provide to us when you register, use the Services, contact us, request support, participate in promotions, or otherwise interact with Spendable. This may include your name, phone number, email address, username, password, billing address, contact preferences, authentication data, and other information you choose to provide.
Sensitive information
Where permitted by law and where necessary to provide the Services, we may process sensitive information such as financial data. If biometric or voice-related features are introduced in AI or voice interactions, they will only be processed where legally permitted and, where required, with your consent.
Payment data
If you make purchases through the Services, we may collect data necessary to process your payment. Payment information is handled only to the extent necessary for billing and transaction processing.
Social login data
If you choose to register or log in using a social media account, we may receive certain profile information from that provider, such as your name, email address, profile image, and other information you choose to make available.
Application and device data
If you use our app, we may collect device identifiers, device model, operating system, browser type, app version, IP address, mobile carrier, system configuration, and diagnostic data. We may also request permissions for notifications, contacts, social media account access, or secure bank integrations through licensed partners, depending on the features you choose to use.
Information collected automatically
We automatically collect certain information when you access or use our Services, including IP address, browser and device characteristics, language preferences, referring URLs, usage logs, interaction patterns, crash data, and approximate location information. We also use cookies and similar technologies for core functionality, analytics, security, and service improvement.
Information from third parties
We may receive information from public databases, marketing partners, affiliate partners, analytics providers, social media platforms, and other external sources in order to improve our records, support marketing, prevent fraud, and provide relevant services.
2. How We Use Your Information
We use your information to provide, operate, maintain, and improve Spendable. This includes account creation and authentication, syncing financial data, delivering budgeting and net worth tools, sending account and support communications, analyzing product usage, preventing fraud, improving performance, enforcing our terms, and complying with legal obligations.
We may also use your information to send marketing communications, request feedback, personalize content, measure the effectiveness of campaigns, and protect the safety and integrity of the Services. We do not sell your personal information.
3. AI-Based Features
Spendable offers features powered by artificial intelligence and large language models, including categorization suggestions, spending insights, natural-language queries over your data, and summaries. AI output is informational only and does not constitute personalized investment, tax, or legal advice.
When you use an AI feature, we send the minimum input required to fulfil your request to the AI provider: typically a natural-language prompt and, where strictly necessary, pseudonymized transaction descriptions, amounts, and categories. We do not send your name, email, bank account numbers, IBAN, card numbers, or authentication credentials. Current AI providers are OpenAI, L.L.C. and Anthropic, PBC (both United States). Both providers contractually commit not to use data submitted via their APIs to train their models.
You can disable AI features in your account settings. When disabled, no data is transmitted to AI providers.
4. Legal Bases for Processing
Where required under applicable law, including the GDPR and UK GDPR, we rely on one or more legal bases to process your personal information, including your consent, the performance of a contract, compliance with legal obligations, protection of vital interests, and our legitimate interests, provided that those interests are not overridden by your rights and freedoms.
5. Sub-processors and Service Providers
We rely on the following sub-processors and service providers to operate Spendable. Each is bound by a data-processing agreement consistent with Art. 28 GDPR. We do not sell personal information and we do not share data with third parties for their own marketing purposes.
| Provider | Purpose | Location |
|---|---|---|
| Salt Edge Limited | PSD2 open-banking (AISP, FCA ref. 822499, read-only) | UK / EEA |
| Google LLC (Firebase) | Authentication, app hosting | US / EU |
| RevenueCat, Inc. | Subscription and purchase management | US |
| OneSignal, Inc. | Transactional and marketing email delivery | US |
| OpenAI, L.L.C. | AI features (prompts, no model training) | US |
| Anthropic, PBC | AI features (prompts, no model training) | US |
| Vercel Inc. | Website hosting, analytics, Speed Insights | US / EU edge |
| Cloudflare, Inc. | CDN, DDoS protection, bot management | Global edge |
| Google LLC (Analytics) | Usage analytics (consent required) | US |
| Meta Platforms, Inc. | Meta Pixel, conversion measurement (consent required) | US |
| LinkedIn Ireland Unlimited Co. | LinkedIn Insight Tag, conversion measurement (consent required) | IE / US |
| Google LLC (Google Sheets) | Internal waitlist/purchase log (service account) | EU |
A dedicated page with purpose, data categories, location, and safeguards for each sub-processor is maintained at /legal/subprocessors. We may update the list. Material changes will be posted on that page and, where required, additional notice will be provided.
6. Cookies and Tracking Technologies
We use cookies, pixels, and similar technologies to operate the Services, maintain security, remember preferences, measure traffic, analyze usage, and improve performance. We may also allow analytics and advertising-related partners to use tracking technologies where permitted by law and subject to applicable consent requirements.
For more information, please refer to our Cookie Notice available at /legal/cookies.
7. Data Retention
We retain personal information only for as long as necessary for the purposes described in this Policy, or as required by law. The main retention periods are:
- Account data (name, email, authentication): for the duration of your account, plus up to 12 months after deletion for security, audit, and dispute resolution.
- Financial and transactional data (balances, transactions, holdings): for the duration of your account. After account closure, derived aggregates may be retained in pseudonymized form for up to 10 years to meet Italian tax and accounting obligations applicable to purchase invoices (Art. 2220 Italian Civil Code, Art. 22 D.P.R. 600/1973).
- Payment records (invoice, order ID, transaction metadata): 10 years (Art. 2220 Italian Civil Code).
- Access logs and security logs: 12 months.
- Support correspondence: 24 months from the last interaction.
- Marketing and newsletter: until you unsubscribe or 24 months from last engagement, whichever comes first.
- AI prompt caches: up to 30 days on the AI provider side for abuse prevention; not retained by Spendable beyond the request.
- Cookie consent decision: 6 months.
- Marketing cookies: up to 90 days (Meta) or 6 months (LinkedIn); analytics cookies: up to 24 months (Google Analytics).
7a. Personal Data Breach Notification
In the event of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, in accordance with Art. 33 GDPR. Where the breach is likely to result in a high risk, we will also inform affected users in clear and plain language pursuant to Art. 34 GDPR.
8. Data Security
We implement reasonable technical and organizational safeguards designed to protect your personal information. However, no internet transmission or storage system can be guaranteed to be completely secure. You use the Services at your own risk and should only access them in a secure environment.
9. Minors
Our Services are not directed to children under 18 years of age, or the equivalent age under the law of your jurisdiction. We do not knowingly collect personal information from minors. If you believe that a minor has provided us with personal information, please contact us so that we can take appropriate action.
10. Your Privacy Rights
Depending on your jurisdiction, you may have the right to access, correct, update, delete, or restrict the processing of your personal information, receive a copy of your data, withdraw consent, object to certain processing, and request portability. You may also have rights related to profiling, automated decision-making, targeted advertising, and sensitive personal information under applicable law.
You may exercise your rights by contacting us at hello@spendable.pro or by using the privacy request methods made available on Spendable.pro.
11. International Data Transfers
Some of our sub-processors (see Section 5) are located outside the European Economic Area, primarily in the United States. Where we transfer personal data to a country that has not been recognized as providing an adequate level of protection by the European Commission, we rely on appropriate safeguards under Chapter V GDPR, in particular the Standard Contractual Clauses adopted by the European Commission on 4 June 2021 (Decision 2021/914/EU) and, where available, additional technical and organizational measures such as encryption in transit and at rest, pseudonymization, and data-minimization.
Where providers are self-certified under the EU-US Data Privacy Framework (Adequacy Decision of 10 July 2023), transfers to those providers rely on that decision in addition to the contractual safeguards above. You may request a copy of the relevant transfer mechanism by writing to hello@spendable.pro.
11a. Regional Privacy Rights
If you are located in the EEA, the UK, Switzerland, Canada, California, or another jurisdiction with specific privacy laws, you may have additional rights under those laws. Where required, we will honor valid requests in accordance with applicable legal requirements. EU/EEA residents have the right to lodge a complaint with their local supervisory authority (in Italy: Garante per la Protezione dei Dati Personali, www.garanteprivacy.it).
12. Third-Party Websites
Our Services may contain links to third-party websites, apps, or services. We are not responsible for the privacy or security practices of those third parties. You should review their policies before providing them with personal information.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect legal, operational, or product changes. When we do, we will update the effective date shown above and, where required, provide additional notice.
14. Data Controller, Contact, and EU Representative
The data controller for the processing described in this Policy is Lomi Ventures FZ-LLC, Compass Building, Al Shohada Road, Al Hamra Industrial Zone FZ, Ras Al Khaimah, United Arab Emirates. You can contact us at hello@spendable.pro.
Pursuant to Art. 27 GDPR, our representative in the European Union for data-subject requests is Lorenzo Capone, reachable at hello@spendable.pro. You may contact the representative regarding any matter related to the processing of your personal data, in addition to or instead of contacting us directly.
We have not designated a Data Protection Officer because neither our core activities nor our scale currently trigger the mandatory-designation thresholds of Art. 37 GDPR. We will designate a DPO if and when those thresholds are met.