Privacy Policy
Last updated: 23 April 2026
LiteWork Finance ("we", "us", "our") is committed to protecting your privacy. This policy explains what data we collect, why, and how it's handled. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who We Are
LiteWork Finance is a web-based budgeting application. For the purposes of data protection law, we are the data controller for the personal data described in this policy.
2. What Data We Collect
We collect and process very little personal data by design:
Account data (via Firebase Authentication providers)
- Your name, email address, profile photo, and provider identifier (for example: Google OAuth or Email/Password)
- A unique user identifier (Firebase UID)
For OAuth providers (such as Google), we never see, store, or have access to your provider password. For Email/Password accounts, authentication is handled by Firebase Authentication and we do not store plaintext passwords in our own database.
- When using Email/Password sign-in, Firebase may send account security emails such as verification emails and password reset emails
- For account security, sensitive actions (such as account deletion) may require re-authentication with your active sign-in method
Financial data (entered by you)
- Transactions (income, expenses, investments) that you manually enter or import via AI
- Budget limits, net worth snapshots, financial goals, notes, and card/bank labels
This data is stored in Google Cloud Firestore under your user account with strict per-user security rules. We do not sell your financial data or use it for advertising. Access to raw user data is restricted and only used where necessary to operate, secure, support, and improve the service.
Operational and anonymised data
- We may access limited operational metadata (for example: account status, credit counters, rate-limit counters, and system error logs) to run and secure the service
- We may generate aggregated or anonymised statistics (for example: total user count or feature usage totals) that do not identify you personally
We do not use your personal financial data for ad targeting or sell it to data brokers.
Subscription and payment data
- Your subscription status (active/expired) and credit balance are stored in Firestore
- All payment processing is handled entirely by Creem - we never see or store your card number, bank details, or payment credentials
Data we do NOT collect
- Bank login credentials - we never ask for them
- Open Banking or Plaid connections - we don't use them
- Advertising cookies or cross-site ad retargeting
Cookies and analytics
- We use essential cookies/local storage for core app and security functionality
- We use Google Analytics only when you opt in via our consent controls (Accept, Reject, or Manage preferences)
- Non-essential cookies are off by default unless you explicitly enable analytics
- You can reopen and change your analytics preference at any time using "Cookie settings" in the site footer
3. Lawful Basis for Processing
Under UK GDPR, we process your data on the following bases:
- Contract (Article 6(1)(b)): Processing your account and financial data is necessary to provide the budgeting service you signed up for
- Legitimate interest (Article 6(1)(f)): Maintaining service security, preventing fraud, and processing referral credits
4. Third-Party Services
We use the following third-party services to operate LiteWork Finance:
Google Firebase (Authentication & Database)
Your account authentication and all financial data storage are handled by Google Firebase and Cloud Firestore. Google processes this data under its Firebase Privacy Policy. Data is stored in Google Cloud infrastructure with encryption at rest and in transit. Firebase servers may be located in the EU/EEA or the United States, covered by appropriate data transfer safeguards.
Google Gemini AI (AI Features)
When you use AI Import, Financial Roast, Coach mode, or Financial Health Report, relevant data is sent to Google's Gemini API to generate your result. Depending on the feature, this may include statement content, transaction descriptions, category totals, income/expense summaries, and mode selection (Roast or Coach). This processing is subject to Google's Gemini API Terms of Service and related Google privacy terms. We do not sell this data, and we do not store a separate shadow copy of AI input/output outside your app data and operational logs.
Creem (Payments)
PRO subscriptions and credit pack purchases are processed by Creem. They collect payment information (card details, billing address) directly. We only receive your subscription status and order confirmations via webhook. See Creem's website for current policy details.
Netlify (Hosting)
The website and serverless functions are hosted on Netlify. Netlify may process server logs containing IP addresses. See Netlify's Privacy Policy.
5. International Data Transfers
Some of our third-party providers (Google, Netlify, Creem) may process data outside the UK. Where this occurs, transfers are protected by appropriate safeguards including Standard Contractual Clauses (SCCs) or adequacy decisions as required by UK GDPR.
6. Data Retention
- Financial data: Stored for as long as your account exists. You can delete your account at any time from the Profile section in the app - this triggers immediate deletion of all Firestore data and your authentication record
- Account data: Your Firebase Authentication record exists until you delete your account
- Payment records: Creem retains transaction records as required by financial regulations - we have no control over their retention schedule
- Webhook idempotency records: Order IDs are retained to prevent duplicate processing
7. Your Rights
Under UK GDPR, you have the right to:
- Access your personal data - your financial data is visible in the app at all times
- Rectify inaccurate data - you can edit any transaction or data point directly in the app
- Erase your data - you can delete your account directly from the Profile section in the app. This immediately removes all Firestore data (transactions, subscription records, credits, referral data, and rate limit records) and your Firebase Authentication record
- Port your data - you can export all your data as CSV at any time from the app
- Object to processing - contact us to exercise this right
- Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk
8. Children's Privacy
LiteWork Finance is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has created an account, contact us and we will delete it.
9. Security
We implement appropriate technical measures to protect your data:
- All data in transit is encrypted with TLS
- All data at rest in Firestore is encrypted by Google Cloud
- Firestore security rules enforce per-user access - no user can read another user's data
- Server-side functions verify authentication tokens on every request
- Sensitive operations (credits, subscriptions) can only be written by the server-side Admin SDK, not client-side code
- Webhook signatures are verified with HMAC-SHA256
10. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via the app or website. The "Last updated" date at the top reflects the most recent revision.
11. Contact
For any privacy-related questions or to exercise your rights, contact us at: support@litework.me