Privacy Policy
Last updated: April 18, 2026
Montly ("we", "our", "the app") is a personal finance application developed and operated by an independent developer. This Privacy Policy explains what data we collect, how we use it, and your rights regarding your data.
By using Montly, you agree to this policy.
1. Data We Collect
We collect only the minimum data necessary to provide the service:
- Account data: name, email address, and hashed password (stored using bcrypt).
- Financial data: income accounts, expenses, bills, and savings goals that you enter manually. This data is stored in our secure database.
- Profile photo: if you choose to upload one, it is stored on Cloudinary (cloudinary.com). We store only the URL of the image.
- Apple Sign-In: if you use Sign in with Apple, we receive your Apple-assigned user ID and optionally your name and email as provided by Apple. We never receive your Apple password.
- Verification codes: temporary codes sent to your email for account verification and password reset. These expire in 10 minutes and are deleted after use.
2. Data We Do NOT Collect
- We do not collect bank credentials, card numbers or any payment instrument data.
- We do not use analytics SDKs (no Firebase Analytics, Mixpanel, etc.).
- We do not sell, rent or share your personal data with third parties for marketing purposes.
- We do not track your location.
- We do not run targeted advertising.
3. How We Use Your Data
- To provide, operate and maintain the Montly app.
- To authenticate your account and keep it secure.
- To send transactional emails (verification codes, password resets) via Resend.com. No marketing emails are sent without your consent.
- To process in-app subscription purchases via Apple's StoreKit. We do not handle payment directly — Apple processes all transactions.
4. Data Storage & Security
Your data is stored in a PostgreSQL database on servers provided by Railway (railway.app). All data in transit is protected by HTTPS/TLS. Passwords are hashed using bcrypt with a work factor of 12 and are never stored in plain text. Authentication tokens expire and are rotated regularly.
While we take reasonable measures to protect your data, no system is completely secure. We encourage you to use a strong, unique password.
5. Data Retention
We retain your data for as long as your account is active. You may delete your account at any time from Settings → Account → Delete Account. Upon deletion, all your personal data and financial records are permanently removed from our systems within 30 days.
6. Third-Party Services
Montly uses the following third-party services, each governed by its own privacy policy:
- Cloudinary (cloudinary.com) — profile photo hosting.
- Resend (resend.com) — transactional email delivery.
- Railway (railway.app) — server and database hosting.
- Apple StoreKit — in-app subscription management.
- Sign in with Apple — optional authentication.
7. Children's Privacy
Montly is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it.
8. Your Rights
Depending on your location, you may have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion of your data (right to erasure).
- Export your data in a portable format.
To exercise any of these rights, contact us at support@montlyapp.com.
9. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the date at the top of this page. Continued use of the app after changes constitutes acceptance of the updated policy.
10. Contact
If you have questions about this Privacy Policy or how your data is handled, please contact:
Montly Support
Email: support@montlyapp.com