Privacy Policy

Last updated: February 17, 2026

This platform is a personal development project and is not intended for public or production use. While it is accessible via the internet, it is provided solely for testing, experimentation, and development purposes. Functionality may be incomplete, unstable, or modified without prior notice.

1. Data Controller

Email: alloc.wizjonerek+privacy@gmail.com
Location: Poland

This Privacy Policy describes how Alloc ("Service") collects, processes, and stores your personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR").

2. Data Collected

The Service collects the following categories of personal data through open banking integrations:

Category                | Data                                              | Source
------------------------|---------------------------------------------------|----------------------
Account identifiers     | IBAN, account holder name, currency, account type | Your bank
Balance information     | Current balance, available balance, balance date  | Your bank
Authentication metadata | Session identifiers, consent validity period      | Open banking provider

The Service does not collect:

  • Transaction history or spending data
  • Banking credentials (username, password, PIN)
  • Payment card numbers
  • Biometric data

3. Legal Basis for Processing

Processing activity            | Legal basis (GDPR)
-------------------------------|---------------------------------------------------------------
Retrieving account balances    | Art. 6(1)(a) — your explicit consent via bank authentication
Storing balance data           | Art. 6(1)(a) — consent
Displaying aggregated balances | Art. 6(1)(b) — performance of the service you requested

4. How Data Is Processed

Account data is retrieved from your bank through a licensed open banking intermediary. The intermediary does not store or cache your data — it acts solely as a pass-through.

Once retrieved, your data is:

  1. Encrypted in transit — all communication uses industry-standard encryption
  2. Encrypted at rest — stored data is encrypted using a key derived from your password; without your password, stored data cannot be decrypted
  3. Processed locally — data is processed within the Service's infrastructure and is never shared with third parties

5. Data Sharing

Your personal data is not shared with, sold to, or disclosed to any third party, except:

  • Open banking intermediary — the licensed provider used to access your bank's account information interface
  • Your bank — which processes the data access request as part of the consent flow
  • Legal obligation — if required by applicable law, regulation, or court order

6. Data Retention

Data type             | Retention period
----------------------|--------------------------------------------------
Account balances      | Until you delete them or close your account
Session identifiers   | Until consent expiry (max 180 days) or revocation
Encrypted credentials | Until you delete your account

Upon account deletion, all stored data is permanently erased.

7. Data Security

The Service implements the following security measures:

  • Password-derived encryption — sensitive data is encrypted with a key derived from your password; the Service cannot access your data without your active participation
  • No plaintext storage — banking identifiers, session data, and balance information are stored exclusively in encrypted form
  • Minimal data collection — only balance data is collected; transaction history is explicitly excluded

8. Your Rights

Under the GDPR, you have the following rights:

  • Access (Art. 15) — request a copy of your personal data
  • Rectification (Art. 16) — request correction of inaccurate data
  • Erasure (Art. 17) — request deletion of your data
  • Restriction (Art. 18) — request restriction of processing
  • Portability (Art. 20) — receive your data in a structured, machine-readable format
  • Withdrawal of consent (Art. 7(3)) — withdraw consent at any time without affecting the lawfulness of prior processing
  • Lodge a complaint — with the Polish supervisory authority: Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa, uodo.gov.pl

To exercise any of these rights, contact: alloc.wizjonerek+privacy@gmail.com

Requests will be responded to within 30 days.

9. International Data Transfers

Your bank data is processed within the European Economic Area (EEA). No personal data is transferred outside the EEA.

10. Cookies and Tracking

The Service uses a single session cookie required for authenticated access. This is a strictly necessary cookie and does not require separate consent. No analytics, tracking, or advertising cookies are used.

11. Changes to This Policy

Material changes to this Privacy Policy will be communicated through the Service interface. The "Last updated" date at the top reflects the most recent revision.

12. Contact

Data Protection Contact: alloc.wizjonerek+privacy@gmail.com