Privacy Policy

Last updated: 1 June 2026

Lekkafy ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service at lekkafy.com and our mobile applications. It also covers our obligations and your rights under the UK GDPR and EU GDPR.

By using Lekkafy, you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of our service.

1. Who We Are

Lekkafy Ltd is a family budgeting application and acts as the Data Controller for personal data you provide when using our service. We determine the purposes and means of processing your personal data. We are registered in England and Wales (Company No. 12345678) and with the Information Commissioner's Office (ICO Registration No. ZA123456).

For data protection enquiries, contact us at support@lekkafy.com.

2. Information We Collect

2.1 Information you provide directly

  • Account information: Your email address (used for passwordless sign-in via magic link).
  • Display name: A name or alias of your choice — this does not need to be your real name. We do not ask for or verify your legal identity.
  • Financial data: Expense records, budget limits, income entries, loan records, and category labels that you manually enter or import.
  • Family data: A family name and display names for members you choose to add. These are aliases and do not need to reflect real names.
  • Receipts and statements: Images or PDFs you upload for AI-assisted parsing. These are processed and discarded; we do not store raw documents beyond the session.

2.2 Information collected automatically

  • Authentication logs: Our authentication infrastructure automatically logs sign-in event timestamps and IP addresses for security purposes. We do not read or process these logs directly; they are retained by our infrastructure provider as a data processor under our agreement with them.

2.3 What we do NOT collect

  • We never connect to your bank account.
  • We never collect bank credentials, sort codes, account numbers, or card numbers.
  • We never use open banking or third-party financial data aggregators.
  • We do not use analytics or tracking tools. No feature-usage metrics, session recordings, or behavioural tracking of any kind.
  • We do not collect device information, crash reports, or operating system data.
  • We do not sell your data to advertisers or third parties.

3. How We Use Your Information

  • To provide, operate, and maintain the Lekkafy service.
  • To authenticate your identity via magic-link email.
  • To process AI-assisted features such as receipt scanning, statement parsing, and budget suggestions.
  • To send transactional emails (magic links, family invitations, budget alerts). We never send unsolicited marketing without your consent.
  • To detect, investigate, and prevent fraudulent or unauthorised activity.
  • To comply with legal obligations.

4. Lawful Basis for Processing (UK GDPR / EU GDPR)

We process your data under the following lawful bases:

Processing ActivityLawful Basis
Account creation and authenticationContract (Art. 6(1)(b))
Storing financial records you enterContract (Art. 6(1)(b))
Sending magic links and invitationsContract (Art. 6(1)(b))
Security monitoring and fraud preventionLegitimate Interests (Art. 6(1)(f))
Marketing communications (if opted in)Consent (Art. 6(1)(a))
Legal holds or regulatory requestsLegal Obligation (Art. 6(1)(c))

5. Data Storage and Security

Your data is stored on infrastructure hosted in the EU (Ireland) region. We implement the following safeguards:

  • All data is encrypted in transit and at rest using industry-standard protocols.
  • Database-level security policies ensure each user can only access their own data.
  • Passwordless authentication: no passwords are ever stored or transmitted.
  • Access to production systems is restricted to authorised personnel only.
  • Regular security reviews and dependency audits.

No system is 100% secure. If you discover a security vulnerability, please report it responsibly to support@lekkafy.com.

6. Data Sharing and Third Parties

We do not sell, rent, or trade your personal data. We share data only with:

  • Infrastructure provider: database, authentication, and file storage hosted in the EU (data processor).
  • AI processing provider: when you scan a receipt or import a statement, the image or text is sent to an AI service for parsing only and is not permanently stored.
  • Email delivery provider: transactional emails (magic links, invitations). Only your email address is shared.
  • Law enforcement or regulators: where required by applicable law or court order.

All third-party processors are contractually bound to process your data only as instructed and to maintain appropriate security standards.

7. Data Retention

We retain your data for as long as your account is active. Specifically:

  • Account and profile data: retained until account deletion.
  • Financial records (expenses, budgets): retained until you delete them or delete your account.
  • Authentication logs: retained for 90 days for security purposes, then automatically purged.
  • Deleted data: purged from backups within 30 days of deletion.

8. International Data Transfers

Lekkafy stores data in the EU (Ireland). Some processing (such as AI receipt and statement parsing) may involve infrastructure that operates in the US.

For transfers outside the UK/EEA, we rely on:

  • The EU-US Data Privacy Framework and its UK Extension where the receiving vendor is certified.
  • UK International Data Transfer Agreements (IDTAs) and EU Standard Contractual Clauses (SCCs) as a fallback.

9. Your Rights Under GDPR

As a data subject under UK GDPR and EU GDPR, you have the following rights, which we honour without charge within 30 days of a verified request:

Right of Access (Art. 15)

Request a copy of all personal data we hold about you, including how it is processed.

Right to Rectification (Art. 16)

Correct any inaccurate or incomplete personal data. You can update most data directly in the app.

Right to Erasure — 'Right to be Forgotten' (Art. 17)

Request deletion of your personal data. You can delete your account directly from Settings → Security → Delete Account. Upon deletion, data is purged within 30 days.

Right to Restriction (Art. 18)

Request that we restrict processing of your data while a dispute is being resolved.

Right to Data Portability (Art. 20)

Receive your personal data in a structured, commonly used, machine-readable format (JSON/CSV) to transfer to another service.

Right to Object (Art. 21)

Object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.

Right to Withdraw Consent (Art. 7(3))

Withdraw consent for any consent-based processing at any time without affecting the lawfulness of prior processing.

Rights Related to Automated Decision-Making (Art. 22)

Lekkafy does not make solely automated decisions with significant legal effects. AI-generated insights are informational only.

How to exercise your rights

Email support@lekkafy.com with your request. We may ask you to verify your identity before fulfilling the request. We will respond within 30 calendar days.

10. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority (ICO for UK, applicable DPA for EU) within 72 hours of becoming aware.
  • Notify affected individuals without undue delay if the breach is likely to result in high risk.

11. Cookies

Lekkafy uses only essential cookies required for authentication (session tokens). We do not use advertising or tracking cookies. No third-party analytics scripts are loaded on authenticated pages.

12. Children's Privacy

Lekkafy is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, contact us at support@lekkafy.com and we will delete it promptly.

13. Supervisory Authority

If you believe we have not handled your data in accordance with GDPR, you have the right to lodge a complaint with a supervisory authority:

We encourage you to contact us first at support@lekkafy.com. We will do our best to resolve any concern directly.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or via an in-app notice at least 14 days before the change takes effect. Continued use of Lekkafy after the effective date constitutes acceptance of the updated policy.

15. Contact Us

For any privacy or data protection questions:

Lekkafy Ltd

Registered Office: 123 Example Street, London, SW1A 1AA, United Kingdom

Email: support@lekkafy.com

Website: lekkafy.com