Privacy Policy
Last updated: 19 March 2026
LiteWork Finance ("we", "us", "our") is committed to protecting your privacy. This policy explains what data we collect, why, and how it's handled. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who We Are
LiteWork Finance is a web-based budgeting application. For the purposes of data protection law, we are the data controller for the personal data described in this policy.
2. What Data We Collect
We collect and process very little personal data by design:
Account data (via Google Sign-In)
- Your name, email address, and profile photo — provided by Google when you sign in with OAuth
- A unique user identifier (Firebase UID)
We never see, store, or have access to your Google password.
Financial data (entered by you)
- Transactions (income, expenses, investments) that you manually enter or import via AI
- Budget limits, net worth snapshots, financial goals, notes, and card/bank labels
This data is stored directly in Google Cloud Firestore under your user account with strict per-user security rules. We do not aggregate, analyse, or access your financial data for any purpose other than providing the service to you.
Subscription and payment data
- Your subscription status (active/expired) and credit balance are stored in Firestore
- All payment processing is handled entirely by LemonSqueezy — we never see or store your card number, bank details, or payment credentials
Data we do NOT collect
- Bank login credentials — we never ask for them
- Open Banking or Plaid connections — we don't use them
- Cookies for tracking or advertising — we don't use tracking cookies
- Analytics or behavioural profiling data
3. Lawful Basis for Processing
Under UK GDPR, we process your data on the following bases:
- Contract (Article 6(1)(b)): Processing your account and financial data is necessary to provide the budgeting service you signed up for
- Legitimate interest (Article 6(1)(f)): Maintaining service security, preventing fraud, and processing referral credits
4. Third-Party Services
We use the following third-party services to operate LiteWork Finance:
Google Firebase (Authentication & Database)
Your account authentication and all financial data storage are handled by Google Firebase and Cloud Firestore. Google processes this data under their Firebase Privacy Policy. Data is stored in Google Cloud infrastructure with encryption at rest and in transit. Firebase servers may be located in the EU/EEA or the United States, covered by appropriate data transfer safeguards.
Google Gemini AI (AI Features)
When you use AI Import, Financial Roast, or Financial Health Report, the relevant data (statement content, transaction summaries) is sent to Google's Gemini API for processing. This data is used solely to generate your result and is subject to Google's Gemini API Terms of Service. We do not store AI-processed data separately from your Firestore account.
LemonSqueezy (Payments)
PRO subscriptions and credit pack purchases are processed by LemonSqueezy. They collect payment information (card details, billing address) directly. We only receive your subscription status and order confirmations via webhook. See LemonSqueezy's Privacy Policy.
Netlify (Hosting)
The website and serverless functions are hosted on Netlify. Netlify may process server logs containing IP addresses. See Netlify's Privacy Policy.
5. International Data Transfers
Some of our third-party providers (Google, Netlify, LemonSqueezy) may process data outside the UK. Where this occurs, transfers are protected by appropriate safeguards including Standard Contractual Clauses (SCCs) or adequacy decisions as required by UK GDPR.
6. Data Retention
- Financial data: Stored for as long as your account exists. You can delete your account at any time from the Profile section in the app — this triggers immediate deletion of all Firestore data and your authentication record
- Account data: Your Firebase Authentication record exists until you delete your account
- Payment records: LemonSqueezy retains transaction records as required by financial regulations — we have no control over their retention schedule
- Webhook idempotency records: Order IDs are retained to prevent duplicate processing
7. Your Rights
Under UK GDPR, you have the right to:
- Access your personal data — your financial data is visible in the app at all times
- Rectify inaccurate data — you can edit any transaction or data point directly in the app
- Erase your data — you can delete your account directly from the Profile section in the app. This immediately removes all Firestore data (transactions, subscription records, credits, referral data, and rate limit records) and your Firebase Authentication record
- Port your data — you can export all your data as CSV at any time from the app
- Object to processing — contact us to exercise this right
- Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk
8. Children's Privacy
LiteWork Finance is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has created an account, contact us and we will delete it.
9. Security
We implement appropriate technical measures to protect your data:
- All data in transit is encrypted with TLS
- All data at rest in Firestore is encrypted by Google Cloud
- Firestore security rules enforce per-user access — no user can read another user's data
- Server-side functions verify authentication tokens on every request
- Sensitive operations (credits, subscriptions) can only be written by the server-side Admin SDK, not client-side code
- Webhook signatures are verified with HMAC-SHA256
10. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via the app or website. The "Last updated" date at the top reflects the most recent revision.
11. Contact
For any privacy-related questions or to exercise your rights, contact us at: privacy@lightworkfinance.com