FamSpendy

Privacy Policy

Effective 26 April 2026 · Last updated 26 April 2026

This Privacy Policy explains how Somi Technologies Ltd collects, uses, and protects your personal data when you use FamSpendy. We collect only the personal data necessary to provide the service. We do not sell personal data, and you may request deletion of your account and associated data at any time.

Who we are

Somi Technologies Ltd is a company registered in England and Wales, with its registered office at 182-184 High Street North, East Ham, London, E6 2JA. We act as the data controller for personal data processed in connection with FamSpendy. You can contact us at support@somitechnologies.com.

Personal data we collect

Information you provide to us

  • Account details: your name, email address, and a password. We store passwords as salted hashes and do not retain or process them in clear text.
  • Circle details: the name of your circle, members you invite, your role within the circle, your base currency, and your configured budget month start day.
  • Onboarding responses: the answers you provide during the setup flow, including who you share money with, country of residence, and financial concerns.
  • Financial data: expenses, recurring bills, budgets, income, categories, merchants, and any associated notes.
  • Receipts and documents: images you upload for receipt scanning and the resulting parsed line items.
  • Assistant interactions: messages you send to the in-app assistant, Somi, and the responses returned. These are retained so the conversation persists across sessions.

Information collected automatically

  • Device and usage data: app version, operating system, screen events, interaction events, and progress through onboarding. Used for diagnostics and to understand which features are useful.
  • Approximate location: derived from your IP address at signup, used solely to suggest a default base currency. We do not perform ongoing location tracking.
  • Crash and error reports: stack traces and application state captured at the time of an error. Personal identifiers are removed before transmission.
  • Push notification tokens: the device token issued by the operating system, collected only if you opt in to notifications.

How we use your personal data

  • To operate FamSpendy: storing your data, rendering your dashboard, generating reports, and sending your weekly summary.
  • To power the Somi assistant. When you send a query, we transmit the relevant context to a third-party AI model. The context is limited to your prompt, your category list, and the subset of your financial data needed to respond. See the AI processing section below.
  • To send transactional communications: account verification, password reset, family invitations, bill reminders, and weekly reports.
  • To improve the product through aggregated analytics on feature usage and onboarding drop-off. We do not build behavioural profiles or share this data with advertisers.
  • To detect and resolve issues through crash and error monitoring.
  • To meet legal obligations, including fraud prevention and statutory record-keeping.

Legal bases for processing under UK GDPR

  • Performance of a contract: for processing necessary to deliver the service.
  • Legitimate interests: for product analytics, error monitoring, and security. We balance these interests against your privacy by minimising the data collected, using EU and UK-region providers where available, and never sharing data with advertisers.
  • Consent: for push notifications and any optional marketing communications. You may withdraw consent at any time.
  • Legal obligation: for tax and accounting records, fraud prevention, and lawful disclosure requests.

AI processing

FamSpendy uses third-party AI models to power the in-app assistant Somi and to extract structured data from receipt images. The current providers are Anthropic, OpenAI, and Google, accessed via OpenRouter. Under the commercial API terms of these providers, your data is not used to train their models.

We transmit only the information required to fulfil a specific request. For example, when you ask Somi about grocery spending we send the relevant expense summary, not your entire financial history. We do not transmit your password or contact details to these providers. Responses generated by the assistant may be inaccurate or incomplete and should not be relied upon as financial, tax, or legal advice.

Data processors and recipients

We use a limited number of third-party processors to operate the service. These providers process personal data on our instructions and under written data processing agreements.

  • Hetzner Online GmbH, Finland: application and database hosting.
  • Cloudflare R2, EU jurisdiction: receipt image storage.
  • Resend: transactional email delivery.
  • PostHog, EU region: product analytics.
  • Sentry, EU region: crash and error monitoring.
  • OpenRouter, Anthropic, OpenAI, Google: AI model inference. See the AI processing section above.
  • Apple App Store and Google Play: app distribution and, for in-app purchases, billing. Apple and Google act as the data controllers of your payment information; we do not receive or store your payment card details.

Where personal data is transferred outside the UK or EU, including to US-based providers such as Resend or the AI model providers, we rely on Standard Contractual Clauses or equivalent safeguards to protect that data.

Retention

  • Account and financial data: retained for the duration of your active account.
  • After account deletion: personal data is retained for 30 days following a deletion request to allow account restoration. After this period, personal data is removed from our active systems. Backups are rotated and overwritten within 30 days.
  • Receipt images: deleted with the parent account, or individually at any time on request.
  • Email and analytics records: retained for up to 24 months, then deleted or aggregated.
  • Billing and tax records: retained for 6 years where required by HMRC and UK tax law.

Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Delete your account and associated personal data. You can do this from within the app under Settings → Account, or by contacting us.
  • Receive a copy of your data in a structured, commonly used, machine-readable format. Email support@somitechnologies.com and we will provide an export within 30 days.
  • Object to processing based on legitimate interests, including the analytics described above.
  • Withdraw consent for any processing you previously opted into.
  • Lodge a complaint with the UK Information Commissioner's Office at ico.org.uk.

To exercise any of these rights, contact us at support@somitechnologies.com. We will respond within 30 days.

Children

FamSpendy is not intended for, and we do not knowingly collect personal data from, children under the age of 16. If you become aware that a child has provided us with personal data, please contact us and we will take steps to delete the relevant account.

Security

Passwords are stored as salted bcrypt hashes. Data in transit is protected by TLS 1.2 or higher. Data at rest is encrypted by the hosting provider. Production system access is restricted to a limited number of authorised operators and is logged. No security measure is absolute; in the event of a personal data breach affecting you, we will notify you within 72 hours, in line with applicable law.

Changes to this policy

We will notify you of any material changes by email and in-app at least 30 days before they take effect. Routine updates, such as the addition of a new processor or wording clarifications, will be reflected in the "last updated" date above.

Contact

Email: support@somitechnologies.com
Post: Somi Technologies Ltd, 182-184 High Street North, East Ham, London, E6 2JA, United Kingdom