Privacy Policy
Last updated: February 27, 2026
SpesaZen ("we", "our app") is developed and operated by SpesaZen. This policy describes how we collect, use, and protect your personal data when you use the SpesaZen application on Android, iOS, Windows, and the Web.
1. Data we collect
1.1 Account data
When you create a SpesaZen account, we collect:
- Email address — for authentication and account-related communications
- Unique user identifier (UUID) — generated automatically, contains no personal information
We do not collect your first name, last name, phone number, or physical address.
1.2 Shopping list data
The data you enter into the app (products, supermarkets, aisles, lists, purchase history) is:
- Stored locally on your device (offline-first SQLite database)
- Optionally synchronized to the cloud via your account, only if you are registered and synchronization is active
1.3 Usage and diagnostic data
We collect anonymous technical data to improve the app:
- Crash reports — via Sentry. They contain the error type, stack trace, and app version. They do not contain your email, personal identifiers, or list contents. You can disable crash report sending from the app: Settings → Data & Privacy
- Anonymous device identifier — used internally to distinguish sessions, not linked to your identity.
1.4 Analytics data (Firebase Analytics)
On Android, iOS, and the Web, we use Firebase Analytics (Google Analytics for Firebase) to understand how the app's screens are used. Data collection is only active in production builds and is disabled in debug mode.
Data collected automatically by Firebase:
- Device information (model, operating system)
- App instance ID
- Session data (duration, usage frequency)
- App version, device language, and timezone
Data collected by the app:
- Name of the screen viewed (screen view)
We do not collect through analytics: personal data, product names, prices, user identifiers, or list contents.
IP addresses are automatically anonymized by Firebase. Analytics data is transferred to and processed on Google LLC servers. Data is not shared with other Google products (Google Signals and Data Sharing are disabled). You can disable analytics data collection at any time from the app: Settings → Data & Privacy. This preference is persistent and takes effect immediately.
1.5 Push notifications
If you opt-in to receive push notifications, we use Firebase Cloud Messaging (FCM). Firebase stores an anonymous device token to send notifications. You can revoke consent at any time from your device settings.
2. How we use your data
| Purpose | Legal basis |
|---|---|
| Providing cloud synchronization service | Performance of a contract |
| Secure account authentication | Performance of a contract |
| Detecting and fixing bugs | Legitimate interest |
| Sending push notifications (only if accepted) | Consent |
| Improving the app via anonymous aggregated data | Legitimate interest |
| Analyzing screen views (Firebase Analytics) | Legitimate interest |
We do not use your data for advertising, commercial profiling, or selling to third parties.
3. Third-party services
SpesaZen uses the following external services, each with its own privacy policy:
| Service | Purpose | Privacy Policy |
|---|---|---|
| Supabase | Cloud database, authentication | supabase.com/privacy |
| Sentry | Crash reporting and diagnostics | sentry.io/privacy |
| Firebase (Google LLC) | Push notifications, Analytics | policies.google.com/privacy |
| Google Play | App distribution (Android) | policies.google.com/privacy |
Data sent to Sentry is filtered before transmission: email and IP addresses are automatically removed.
4. Data storage and security
- Local data: stored in an SQLite database on your device, protected by operating system security measures.
- Encrypted backups:
.szonbackup files are encrypted with AES-256 before being saved or shared. - Cloud data: transmitted over TLS and stored on Supabase servers (EU or US depending on project configuration).
- Authentication tokens: stored in the device's secure Keystore (Android Keystore / Windows Credential Store).
5. Data retention
| Data type | Retention |
|---|---|
| Account and list data (cloud) | Until account deletion or the end of the retention period |
| Local data (on device) | Under your control — stays on your device until the app is uninstalled |
| Crash logs (Sentry) | 90 days |
| FCM token (notifications) | Until app uninstallation or consent revocation |
| Analytics data (Firebase Analytics) | 14 months from collection |
| Subscription event log | 7 years from the event registration |
Account deletion: if you delete your account, all associated cloud data (profile, backups, sessions) is removed within 30 days.
Premium subscription expiration: if your premium subscription expires without renewal, your cloud backups are kept for a 180-day retention period, during which you can download your data or reactivate your subscription. After 180 days, cloud backups are automatically deleted. You will receive a notification before the retention period expires.
Subscription event log: we keep a log of subscription events (purchases, renewals, expirations, cancellations) containing the user identifier and email address, for legitimate interest and legal obligation purposes, for a maximum period of 7 years.
6. Your rights (GDPR)
If you reside in the European Union, you have the following rights:
- Access — request a copy of your personal data
- Rectification — correct inaccurate data
- Erasure — delete your account and all associated data (available directly in the app: Account → Delete account)
- Portability — export your data in CSV or JSON format (available in the app: Settings → Import/Export)
- Objection — object to processing based on legitimate interest
- Disable analytics — turn off analytics data collection directly from the app (Settings → Data & Privacy)
- Disable crash reports — turn off crash report sending directly from the app (Settings → Data & Privacy)
- Complaint — file a complaint with the Italian Data Protection Authority (garanteprivacy.it)
To exercise your rights, contact us at: support@spesazen.com
7. Minors
SpesaZen is not intended for children under 13 and does not knowingly collect data from minors. If you are a parent and believe your child has created an account, please contact us and we will delete it.
8. International data transfers
Data may be stored on servers outside the European Union (e.g., in Supabase or Google data centers). In such cases, the transfer occurs in compliance with the Standard Contractual Clauses (SCC) approved by the European Commission.
9. Changes to this policy
We reserve the right to update this policy. If we make material changes, we will notify you through an in-app notification or via email. The "Last updated" date at the top of the page indicates the latest version.
10. Contact us
For any questions regarding this privacy policy or the processing of your data:
Email: support@spesazen.com
Website: https://spesazen.com