Privacy Policy

Effective date: 11 May 2025  |  Last updated: 11 May 2025

Save2Scroll ("the App") is operated by SEPA Property LTD ("we", "us", "our"), a company registered in the United Kingdom. This privacy policy explains how we collect, use, store, and protect your personal data when you use the App.

We are the data controller for the purposes of UK GDPR and the Data Protection Act 2018. If you have questions, contact us at sepaproperty@gmail.com.

1. What Data We Collect

1.1 Account Data

When you create an account we collect:

  • Email address
  • Display name (if provided)
  • Apple user identifier (for Sign in with Apple)
  • Account creation and last-updated timestamps

1.2 Financial Data (via Open Banking)

If you choose to connect a bank account, we access your data through TrueLayer, a Financial Conduct Authority (FCA) authorised Account Information Service Provider (AISP). We request the following Open Banking permissions:

  • Account information — account name, type (current or savings), and currency
  • Transaction history — transaction amounts, dates, descriptions, merchant names, and categories
  • Balance information — current account balances

We do not have the ability to initiate payments, move money, or modify your bank accounts in any way. We only read account and transaction data.

1.3 App Usage Data

  • Saving goals you create (targets, progress, time periods)
  • Screen time credit balances and redemption history
  • Credit formula preferences you configure
  • Which apps you select for screen-time shielding (stored as opaque tokens — we cannot see app names)

1.4 Device Data

  • Push notification token (Firebase Cloud Messaging) — used solely to send you unlock/relock notifications

1.5 Data We Do Not Collect

  • Location data
  • Contacts, photos, or other device content
  • Browsing history
  • Advertising identifiers
  • Bank login credentials (these are entered directly on your bank's website via TrueLayer's secure authentication — we never see them)

2. How We Use Your Data

Purpose Data Used Legal Basis (UK GDPR)
Provide the App's core functionality — track saving progress and award screen time credits Account data, financial data, goals, credits Performance of contract (Art. 6(1)(b))
AI-powered transaction analysis — classify transactions as value spend, impulse spend, or saving to calculate credit awards Transaction amounts, descriptions, merchant names, categories Performance of contract (Art. 6(1)(b))
Send push notifications when screen time unlocks or relocks Device push token Performance of contract (Art. 6(1)(b))
Maintain and improve the App Aggregated, anonymised usage patterns Legitimate interest (Art. 6(1)(f))

We do not sell, rent, or trade your personal data. We do not use your financial data for advertising, credit scoring, or any purpose other than providing the App's saving-to-screen-time functionality.

3. AI Processing of Financial Data

We use artificial intelligence to analyse your transactions and determine screen time credit awards. Specifically:

  • Transaction descriptions, amounts, and categories are sent to a large language model (LLM) for classification
  • The AI categorises each transaction as a value spend, impulse spend, or saving
  • This classification, along with your saving goals, determines how many screen time minutes you earn
  • No automated decision has legal or similarly significant effects — it only affects screen time credit amounts within the App

You can adjust the credit formula at any time in Settings to change how credits are calculated.

4. Third-Party Services

Service Provider Purpose Data Shared
Open Banking TrueLayer (FCA-authorised AISP) Securely access bank account and transaction data OAuth tokens (managed by TrueLayer)
Authentication Google Firebase Authentication User sign-in and identity management Email, Apple user ID
Database Google Cloud Firestore Secure storage of your data All App data (encrypted at rest)
Push Notifications Firebase Cloud Messaging Deliver unlock/relock notifications Device token, notification content
AI Analysis Anthropic (Claude API) Transaction classification for credit calculation Transaction descriptions, amounts, categories (no account numbers or personal identifiers)

Each third-party processor is bound by their own data processing agreements and privacy policies. We only share the minimum data necessary for each service to function.

5. Data Storage and Security

  • Your data is stored in Google Cloud Firestore with encryption at rest and in transit (TLS 1.2+)
  • Bank access tokens are stored server-side only — they never persist on your device
  • We do not store your bank login credentials at any point
  • Access to production systems is restricted to authorised personnel with multi-factor authentication
  • All API communication uses HTTPS

6. Data Retention

Data Type Retention Period
Account data Until you delete your account
Bank connection records Until you disconnect your bank or delete your account
Bank access/refresh tokens Deleted immediately upon disconnection or revocation
Transaction data 12 months from transaction date, or until account deletion (whichever is sooner)
Goals and credit history Until you delete your account
Push notification tokens Until you sign out or delete your account

7. Your Rights

Under UK GDPR, you have the right to:

  • Access — request a copy of all personal data we hold about you
  • Rectification — correct inaccurate personal data
  • Erasure — request deletion of your personal data ("right to be forgotten")
  • Restrict processing — limit how we use your data
  • Data portability — receive your data in a structured, machine-readable format
  • Object — object to processing based on legitimate interests
  • Withdraw consent — where processing is based on consent, withdraw it at any time

To exercise any of these rights, email sepaproperty@gmail.com. We will respond within 30 days.

8. Disconnecting Your Bank

You can disconnect your bank account at any time from within the App. When you disconnect:

  • Your TrueLayer access token is revoked immediately
  • All stored bank access and refresh tokens are permanently deleted from our servers
  • The bank connection record is marked as revoked and can be fully deleted on request
  • No further bank data will be fetched

Previously fetched transaction data is retained according to our retention schedule above. To request immediate deletion of all transaction data, contact sepaproperty@gmail.com.

9. Deleting Your Account

You may request full account deletion by emailing sepaproperty@gmail.com. Upon deletion:

  • All bank connections are revoked and tokens deleted
  • All personal data, transaction history, goals, and credits are permanently removed
  • This action is irreversible

10. Children's Privacy

The App is not intended for children under 18. We do not knowingly collect personal data from anyone under 18. If you believe we have collected data from a child, contact us immediately and we will delete it.

11. International Data Transfers

Your data may be processed in the European Economic Area (EEA), the United Kingdom, and the United States (where our cloud infrastructure and AI processing providers operate). Where data is transferred outside the UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO).

12. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via the App or by email. The "Last updated" date at the top reflects the most recent revision.

13. Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

14. Contact Us

SEPA Property LTD

36 Whitehorse St
Baldock SG7 6QJ
United Kingdom

Email: sepaproperty@gmail.com