What we collect
Your email and a hashed password (handled by Supabase Auth). The API tokens you connect — encrypted at rest with Fernet/AES and only decrypted in memory while a sync runs. The cost data those tokens return (line items, dates, dollar amounts). The advisor conversation history you generate, scoped to your account.
How we use it
To run the product: aggregate your spend, render dashboards, generate advisor responses. We do not sell your data. We do not train AI models on your spend or chat history.
Subprocessors
Supabase (auth + database, EU region). Stripe (billing). Anthropic (AI advisor responses). Vercel (frontend hosting). DigitalOcean (backend hosting). Backblaze B2 (encrypted backups).
Retention
Cost entries: kept for the lifetime of your account so historical comparisons keep working. Advisor conversations: capped at the 5 most recent per user. Backups: 30 days. On account deletion we remove all rows within 30 days, except where legal or accounting obligations require longer retention.
Your rights (GDPR)
You can request a data export, correction, or deletion at any time. Email hello@insightdesk.ch and we'll respond within 30 days.
Security
All traffic is HTTPS. Provider credentials are encrypted at rest. Database access is scoped per user with row-level security (RLS). We log access to sensitive operations.