Privacy Policy

Last updated: 15 May 2026

This document explains what data we handle, why we handle it, and how you can control it. It is written in plain language, with no legal jargon, but it fully covers GDPR (EU) and Ukraine's Personal Data Protection Law (KZPD).

TL;DR: Krapla is a finance-tracking tool. We collect the minimum data needed to run the service, we don't share it with ad networks, and we'll delete everything on request.


1. Who we are

Krapla (the "Service", "we", "us") is a non-commercial project available at krapla.app.

Data Controller contact: info@krapla.app

If you have any questions about your data, email this address. We reply within 30 days (usually much sooner).


2. What data we collect

2.1 What you give us

  • Email — for sign-in and password recovery
  • Password — stored as a cryptographic hash; we never see the actual password
  • Budget / organization name — whatever you typed when creating it
  • Transactions — amounts, descriptions, dates, categories, currency, type (income/expense)
  • Receipt photos — only when you use the OCR feature
  • Feedback — messages you submit through the feedback form

2.2 What we collect automatically

  • Session cookies — to keep you signed in
  • Active-budget cookie (krapla_team_id) — to remember which budget you're working in
  • Standard server request logs — IP, User-Agent, path, response status — kept for 7-14 days for abuse detection

2.3 What we DO NOT collect

  • ❌ No Google Analytics, Facebook Pixel, or any tracker
  • ❌ No data sharing with ad networks
  • ❌ We don't sell your data to third parties
  • ❌ No geolocation, contacts, or browser history

3. Why we collect it

Email & password

So you can sign in and we can link transactions to your account.

Transactions, budgets, categories

This is the service — without it there's nothing to show.

Receipt photos

Only for OCR (recognition) at the moment of upload. We don't store the file after processing.

Cookies

Strictly necessary: without them you'd be logged out on every page reload.

Feedback

So we can reply and improve the service. Not used for anything else.

Legal basis (GDPR Art. 6 / KZPD Art. 11):

  • Contract performance — for credentials and transactions
  • Legitimate interest — for logs and abuse protection
  • Consent — for the cookie banner at the bottom

4. Cookies

We only use strictly necessary cookies — the service won't work without them. No analytics, no advertising, no tracking.

| Cookie | What it stores | Lifetime |
|--------|----------------|----------|
| sb-* (Supabase) | Session, refresh token | Until sign-out or 30 days |
| krapla_team_id | ID of the active budget | 30 days |
| krapla_cookie_consent | Banner acknowledgement | 1 year |

If you block cookies in your browser settings, sign-in won't work.


5. AI categorization (Anthropic API)

When you type a transaction description ("dog food 1200") or upload a receipt photo, we send that text or image to the Anthropic API to detect a category.

What we send:

  • The description text or receipt image
  • The list of available categories (no personal data)

What we DO NOT send:

  • Your email, name, account ID
  • Other transactions from your history
  • Any data that can identify you

Per Anthropic's policy, API data is not used to train models and is deleted within 30 days.


6. Who else processes your data (sub-processors)

We use the following sub-processors (all GDPR / DPA compliant):

| Service | What it does | Region |
|---------|--------------|--------|
| Supabase | Database, authentication | EU (Frankfurt) |
| Vercel | Site hosting | Edge (global CDN) |
| Resend | Email delivery | EU/US |
| Cloudflare | DNS, DDoS protection | Global |
| Anthropic | AI text & receipt recognition | US (with DPA) |

We don't share your data with anyone outside this list. Sub-processors aren't allowed to use your data for their own purposes.


7. Where your data is stored

The primary database is Supabase, Frankfurt (EU) region. That means your transactions, account, and main content all live within the European Union.

Specific services (Anthropic, Resend) may be in the US. Cross-border transfers are covered by EU Standard Contractual Clauses (SCC).


8. How long we keep it

| Data type | Retention |
|-----------|-----------|
| Account & transactions | While you're an active user |
| After account deletion | Up to 30 days (for recovery), then full wipe |
| Server logs | 7-14 days |
| Receipt photos | Not stored after OCR |
| Feedback | Until your request is resolved |
| DB backups | Up to 30 days |


9. Your rights

Under GDPR and KZPD you have:

  • Right to know — what data we hold about you
  • Right of access — get a copy (CSV export available in settings)
  • Right to rectification — correct inaccurate info
  • Right to erasure ("right to be forgotten") — delete your account and data
  • Right to restrict processing — pause use
  • Right to data portability — get a machine-readable copy
  • Right to object — opt out of certain processing
  • Right to lodge a complaint — with the Ukrainian Ombudsman or an EU DPA

How to exercise: email info@krapla.app from the address you registered with. We reply within 30 days.


10. Security

  • Passwords stored as bcrypt hashes (we never see your password)
  • HTTPS / TLS for all connections
  • Row Level Security (RLS) — your transactions are invisible to other users at the database level
  • Regular security updates for dependencies

No system is 100% secure. If you find a vulnerability, please email us — we'll be grateful.


11. Children

The Service is not intended for users under 14. We don't knowingly collect data from children. If you become aware that a child has registered, please contact us and we'll delete the account.


12. Changes to this policy

For material changes we'll notify you by email or via a prominent banner on the site at least 30 days before they take effect. Minor edits (grammar, clarifications) may be made without notice.

The current version is always at: krapla.app/en/privacy


13. Contact & complaints

Data questions: info@krapla.app

Ukrainian Parliament Commissioner for Human Rights (KZPD): ombudsman.gov.ua

EU DPA (for EU residents): edpb.europa.eu/about-edpb/about-edpb/members_en


This document is based on the Ukrainian original. In case of discrepancies, the Ukrainian version at krapla.app/uk/privacy prevails.

