Privacy Policy

Last updated: February 26, 2026

Data Controller Information

The data controller for the purposes of the General Data Protection Regulation (GDPR) and applicable data protection laws is: Artsiom Hontar, autonomous entrepreneur (autónomo) registered in Spain. NIF: Z2600619Z. Address: Calle de Colombia 14D, 28016 Madrid, Spain. Email: privacy@yomio.app. A Data Protection Officer (DPO) has not been appointed as the conditions of GDPR Article 37 are not met. For all privacy-related inquiries, please contact privacy@yomio.app.

1. Introduction

Welcome to Yomio ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application ("App"), website, and related services. This policy applies to users worldwide, with specific provisions for users in the European Economic Area (EEA), United Kingdom (UK), and California (USA).

2. Information We Collect

2.1 Summary — What we collect

  • Account information: name and email used for your account (authentication via AWS Cognito)
  • Receipt images & purchase data: photos you upload and structured data extracted from receipts (items, dates, totals, merchant names and addresses)
  • AI conversation data: messages and purchase context you share with the Copilot AI assistant
  • Family & sharing data: information about people you invite to share expense tracking
  • Subscription data: entitlements and platform receipt identifiers used to manage paid features
  • Device & usage data: device type, operating system, app version, usage events and diagnostic logs

2.2 Notes (permissions, analytics, biometric)

  • Camera & Photo Library: Camera access is required for receipt scanning; choosing a photo from your library is optional and only used with your permission.
  • Analytics (Mixpanel): Analytics tracking is governed by the app consent flow. You can opt out at any time in the App settings. Analytics events include screen views, feature usage, and app performance metrics — no receipt content or financial data is sent to analytics.
  • App Tracking Transparency (iOS): Where required, we request ATT consent before enabling cross-app tracking for analytics; you control this via the consent flow and device settings.
  • Biometric authentication: Biometric templates never leave your device — biometric unlock is used only to secure a local session token. We do not collect or store biometric data.

3. How We Use Your Information

We process your personal data only when we have a valid legal basis. Below we explain each purpose and its corresponding legal basis under the GDPR:

  • To provide and maintain our receipt scanning and expense tracking services — Legal basis: contract performance (Art. 6(1)(b))
  • To process receipt images using AWS Textract OCR technology — Legal basis: contract performance (Art. 6(1)(b))
  • To automatically categorize purchases and items using AI — Legal basis: contract performance (Art. 6(1)(b))
  • To provide AI-powered spending analysis via the Copilot assistant (your messages and purchase context are sent to OpenAI via OpenRouter for processing) — Legal basis: contract performance (Art. 6(1)(b))
  • To generate spending analytics and insights — Legal basis: contract performance (Art. 6(1)(b))
  • To enable family sharing features — Legal basis: contract performance (Art. 6(1)(b))
  • To process subscription payments and manage your account — Legal basis: contract performance (Art. 6(1)(b))
  • To send you transactional notifications about your subscription status (renewals, cancellations, billing) — Legal basis: contract performance (Art. 6(1)(b))
  • To send you marketing communications such as weekly spending summaries, product tips, and service updates via push notification and email — Legal basis: consent (Art. 6(1)(a)), obtained via the notification onboarding opt-in. You can withdraw consent at any time in Settings
  • To understand feature usage and improve our services via analytics (Mixpanel) — Legal basis: consent (Art. 6(1)(a)), controlled via the analytics toggle in App settings
  • To detect, prevent, and address technical issues via crash reporting (Firebase Crashlytics) — Legal basis: legitimate interest (Art. 6(1)(f)), as crash diagnostics are necessary for app stability and security. Crash reports contain device information and error stack traces but no receipt content or financial data
  • To improve our services and develop new features — Legal basis: legitimate interest (Art. 6(1)(f))
  • To comply with legal obligations — Legal basis: legal obligation (Art. 6(1)(c))

Profiling: Our AI-powered purchase categorization and spending analysis constitute profiling under GDPR Article 4(4). This processing involves automated analysis of your purchase patterns to generate categories, summaries, and insights. It does not produce legal or similarly significant effects. You may request human review of any AI-generated categorization or insight by contacting privacy@yomio.app.

4. Data Storage and Security

4.1 Cloud Storage

  • AWS S3: Receipt images and related files are stored on Amazon S3 with server-side AES-256 encryption. Uploaded images are processed by our backend and may be passed to AWS Textract for OCR.
  • AWS Textract: We use Amazon Textract to perform OCR on receipt images to extract text, totals, line items and other structured data. Images are processed in real-time and not retained by Textract after processing.
  • AWS RDS (PostgreSQL): Processed purchase data, AI conversation history, and user metadata are stored in our encrypted PostgreSQL database with encryption at rest and in transit.
  • AWS Cognito: Used for user authentication and identity management. Cognito attributes may be updated by the app (for example to record consent choices).

4.2 Security Measures

We implement industry-standard security measures to protect your data, including: AES-256 server-side encryption for stored files, TLS 1.2+ encryption for all data in transit, role-based access controls and least-privilege IAM policies, regular security audits and dependency vulnerability scanning, and secure authentication via AWS Cognito with optional biometric device-level protection.

4.3 Data Retention

  • Purchase data and receipt images: Free Tier — 6 months; Premium — unlimited (while subscription is active)
  • AI conversation history (Copilot): retained for the duration of your account
  • Crash reports (Firebase Crashlytics): 120 days (Firebase default retention)
  • Analytics data (Mixpanel): retained for up to 12 months, after which data is aggregated and anonymized. We review Mixpanel retention settings annually to ensure compliance.
  • Authentication data (AWS Cognito): retained for the duration of your account
  • Account deletion: You can delete your account at any time via App settings. Upon deletion, all associated data — including receipt images, purchase records, AI conversations, and account information — is permanently and immediately erased from our systems

5. Third-Party Services

We share your personal data with the following third-party service providers, each acting as a data processor on our behalf unless otherwise noted:

  • Amazon Web Services (AWS): Cloud infrastructure (S3, Textract, RDS, Cognito) that stores and processes receipt images, purchase data, and account information. AWS acts as a data processor under the AWS GDPR Data Processing Addendum (DPA) with Standard Contractual Clauses (SCCs) covering international transfers. Data is hosted in the US-East-1 (N. Virginia) region.
  • RevenueCat: In-app purchase entitlement management and subscription platform. Your user ID and email address are shared with RevenueCat solely for subscription management (e.g., renewal confirmations, cancellation notices) — lawful basis: contract performance (Art. 6(1)(b)). RevenueCat acts as a data processor under a signed DPA with Standard Contractual Clauses covering transfers to the USA.
  • Apple App Store / Google Play: App distribution and in-app purchase processing (billing and refund requests are handled through the respective stores). These platforms act as independent data controllers for payment processing.
  • OneSignal: Push notification and email marketing delivery platform. Your user ID and email address are shared with OneSignal to send push notifications and marketing emails (weekly summaries, product tips, service updates) — lawful basis: consent (Art. 6(1)(a)), obtained via the notification onboarding opt-in. You can withdraw consent at any time in Settings. OneSignal acts as a data processor under a signed DPA with Standard Contractual Clauses covering transfers to the USA.
  • Firebase Crashlytics (Google): Error tracking and crash reporting service. Device information, error logs, and a pseudonymized user identifier are shared for crash analysis — lawful basis: legitimate interest (Art. 6(1)(f)). Google acts as a data processor under the Google Cloud Data Processing Addendum. Crash data is retained for 120 days.
  • Mixpanel: Mobile analytics used to understand feature usage and improve the product. Analytics tracking is subject to your consent toggle in the App — lawful basis: consent (Art. 6(1)(a)). Mixpanel acts as a data processor under a signed DPA with Standard Contractual Clauses covering transfers to the USA.
  • Google Sign-In and Apple Sign-In: OAuth authentication providers offering alternative account creation and sign-in methods. These providers act as independent data controllers for their own authentication data.
  • OpenAI (via OpenRouter): AI-powered service used to generate purchase summaries, spending insights, and Copilot AI assistant responses. When you use AI features, purchase data (merchant names, item names, amounts, dates) and conversation messages are sent to OpenAI models via OpenRouter. OpenRouter acts as a data processor under their DPA with Standard Contractual Clauses. OpenAI acts as a sub-processor authorized by OpenRouter under their DPA. Data sent to the OpenAI API is not used for model training (per OpenAI's API data usage policy) and is retained by OpenAI for up to 30 days for abuse monitoring before deletion.
  • Azure Document Intelligence (Microsoft): Alternative OCR provider (fallback) used for receipt text extraction if AWS Textract is unavailable. Microsoft acts as a data processor under the Microsoft Products and Services DPA with Standard Contractual Clauses.
  • Expo (Expo.dev): Mobile app development and build platform used for app distribution and over-the-air updates. Device metadata (OS version, app version) is shared for update delivery. Expo acts as a data processor under their DPA.

6. International Data Transfers

Yomio is operated from Spain (EU), but your personal data is processed and stored in the United States. We ensure that all international transfers of your personal data are protected by appropriate safeguards as required by GDPR Chapter V:

  • AWS (primary infrastructure): Data is stored in US-East-1 (N. Virginia). Transfer mechanism: AWS GDPR Data Processing Addendum with Standard Contractual Clauses (SCCs).
  • RevenueCat (subscription management): US-based. Transfer mechanism: signed DPA with SCCs.
  • OneSignal (push notifications and email): US-based. Transfer mechanism: signed DPA with SCCs.
  • Mixpanel (analytics): US-based. Transfer mechanism: signed DPA with SCCs.
  • OpenRouter / OpenAI (AI processing): US-based. Transfer mechanism: DPA with SCCs.
  • Firebase / Google (crash reporting): US-based. Transfer mechanism: Google Cloud Data Processing Addendum with SCCs.

You have the right to obtain a copy of the Standard Contractual Clauses by contacting us at privacy@yomio.app.

7. Cookies and Tracking Technologies

Our website (yomio.app) uses cookies and similar technologies. Our mobile App does not use cookies.

  • Necessary cookies: Essential for website functionality (session management, security tokens, cookie consent preferences). These are always active and do not require consent.
  • Functional cookies: Remember your preferences such as language settings (yomio_preferred_language). Requires your consent.
  • Analytics cookies: Google Analytics is used to understand website usage and performance. Analytics scripts are blocked until you provide explicit consent via our cookie banner. We use IP anonymization (anonymize_ip: true) and Google Consent Mode v2.
  • Marketing cookies: Used for ad targeting and campaign measurement. Blocked until you provide explicit consent.

You can manage your cookie preferences at any time via the cookie settings accessible from the website footer. Revoking consent will remove existing optional cookies from your browser.

8. Your Rights and Choices

Under the GDPR and applicable data protection laws, you have the following rights regarding your personal data:

  • Access (Art. 15): Request a copy of all personal data we hold about you, including purchase data, receipt images, AI conversations, and account information
  • Rectification (Art. 16): Request correction of inaccurate or incomplete personal data
  • Erasure (Art. 17): Request deletion of your account and all associated data. You can do this directly in the App settings, or by contacting us
  • Data portability (Art. 20): Export your purchase data in CSV or PDF format via the App. For a complete data export including all personal data categories, contact us at privacy@yomio.app
  • Restriction (Art. 18): Request that we limit how we process your personal data in certain circumstances
  • Objection (Art. 21): Object to processing based on legitimate interest (including analytics and service improvement). We will cease processing unless we demonstrate compelling legitimate grounds
  • Automated decision-making (Art. 22): Our AI-powered categorization and spending analysis involve automated processing but do not produce legal or similarly significant effects. You may request human review of any AI-generated categorization or insight
  • Withdraw consent: Where processing is based on consent (marketing communications, analytics), you can withdraw your consent at any time via App settings without affecting the lawfulness of prior processing
  • Opt-Out: Unsubscribe from marketing communications and opt out of analytics/tracking at any time in the App settings or by contacting us
  • Complaint: You have the right to lodge a complaint with a supervisory authority. If you are in Spain, this is the Agencia Española de Protección de Datos (AEPD) at www.aepd.es. You may also contact the supervisory authority in your country of residence

9. How to Exercise Your Rights

To exercise any of your rights described above, please contact us at privacy@yomio.app. We will verify your identity before processing your request (typically by confirming your account email). We will respond to your request within 30 days of receipt, as required by GDPR Article 12(3). If your request is complex or we receive a large number of requests, we may extend this period by an additional 60 days, and we will inform you of any such extension. There is no fee for exercising your rights, unless requests are manifestly unfounded or excessive.

California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant you the following rights:

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, our business purpose for collection, and the categories of third parties with whom we share your information.
  • Right to Delete: You may request deletion of personal information we have collected about you, subject to certain exceptions.
  • Right to Correct: You may request correction of inaccurate personal information we maintain about you.
  • Right to Opt-Out of Sale or Sharing: We do not sell your personal information for monetary consideration. We do not share your personal information for cross-context behavioral advertising purposes.
  • Right to Limit Use of Sensitive Personal Information: We do not use or disclose sensitive personal information beyond what is necessary to provide our services.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights — we will not deny services, charge different prices, or provide a different quality of service.
  • How to exercise: Contact us at privacy@yomio.app with the subject line 'California Privacy Request'. We will respond within 45 days as required by law. We may need to verify your identity before processing your request.

United Kingdom Privacy Rights (UK GDPR)

If you are located in the United Kingdom, your personal data is processed in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The data controller for UK residents is Artsiom Hontar (details above). International transfers of your personal data from the UK are protected by the UK International Data Transfer Agreement (IDTA) or the Addendum to EU Standard Contractual Clauses, as applicable. You have the same data subject rights as described in Section 8 above. To lodge a complaint, you may contact the Information Commissioner's Office (ICO) at ico.org.uk, by telephone on 0303 123 1113, or by post at: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom.

10. Children's Privacy

Yomio is not directed at children under the age of 13 (or 16 in the European Economic Area). We do not knowingly collect personal data from children below these age thresholds. If you are a parent or guardian and believe that your child has provided personal data to us, please contact us immediately at privacy@yomio.app. If we discover that we have collected personal data from a child below the applicable age threshold without verified parental consent, we will take steps to delete that information from our servers as quickly as possible.

11. Data Breach Notification

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay via email and/or in-app notification. We will also notify the competent supervisory authority (AEPD) within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Our notification will describe the nature of the breach, the categories of data affected, the likely consequences, and the measures taken to address the breach.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you by email and through an in-app notification at least 30 days before the changes take effect. The updated policy will indicate the new "Last updated" date and version number. We encourage you to review this Privacy Policy periodically.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at: Email: privacy@yomio.app. Postal address: Artsiom Hontar, Calle de Colombia 14D, 28016 Madrid, Spain. For privacy-related inquiries, we aim to respond within 5 business days.