Last Updated
16. February 2026

Privacy Notice pursuant to Art. 13 GDPR

General Information on Data Processing

Name and Address of the Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) and other data protection regulations is:
Stephan Lerner
Oldesloer Weg 9
21614 Buxtehude

Email: info@monee-app.com

Legal Basis for the Processing of Personal Data

In accordance with Art. 13 GDPR, we inform you of the legal bases of our data processing activities. Unless the legal basis is specifically mentioned in this privacy notice, the following applies: The legal basis for obtaining consent is Art. 6(1)(a) in conjunction with Art. 7 GDPR. The legal basis for processing to fulfill our services and carry out contractual measures, as well as to respond to inquiries, is Art. 6(1)(b) GDPR. The legal basis for processing to fulfill our legal obligations is Art. 6(1)(c) GDPR. If the processing of your data is necessary to protect a legitimate interest of our company or a third party, and the interests, fundamental rights, and freedoms of the data subject do not override the former interest, Art. 6(1)(f) GDPR serves as the legal basis for processing. In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6(1)(d) GDPR serves as the legal basis.

Data Deletion and Storage Duration

We adhere to the principles of data minimization pursuant to Art. 5(1)(c) GDPR and storage limitation pursuant to Art. 5(1)(e) GDPR. We store your personal data only for as long as is necessary to achieve the purposes stated here or as required by the retention periods stipulated by law. Once the respective purpose no longer applies or upon expiry of these retention periods, the corresponding data will be deleted as soon as possible.

Notice on Data Transfer to Third Countries

Our website also integrates tools from companies based in third countries. When these tools are active, your personal data may be transmitted to the servers of the respective companies. The level of data protection in third countries generally does not correspond to EU data protection law. This means there is a risk that your data may be disclosed to authorities of those countries. We have no influence over these processing activities.

External Links

This website may contain links to third-party websites or to other websites under our responsibility. If you follow a link to a website outside our responsibility, please note that these websites have their own privacy policies. We accept no responsibility or liability for these external websites and their privacy notices. Therefore, please check whether you agree with the privacy policies of those websites before using them. You can recognize external links by the fact that they are displayed in a slightly different color from the rest of the text or are underlined. Your cursor will indicate external links when you move it over such a link. Only when you click on an external link will your personal data be transmitted to the link target. The operator of the other website will receive, in particular, your IP address, the time at which you clicked the link, the page on which you clicked the link, and other information that you can find in the privacy notices of the respective provider. Please also note that some links may lead to data transfer outside the European Economic Area. This could allow foreign authorities to access your data. You may not have legal recourse against such data access. If you do not want your personal data to be transmitted to the link target or to be exposed to access by foreign authorities, please do not click on any links.

Rights of the Data Subject

As a data subject within the meaning of the GDPR, you have the right to exercise various rights. The data subject rights arising from the GDPR are the right of access (Article 15), the right to rectification (Article 16), the right to erasure (Article 17), the right to restriction of processing (Article 18), the right to object (Article 21), the right to lodge a complaint with a supervisory authority, and the right to data portability (Article 20).

Right of Withdrawal:

Some data processing activities can only be carried out with your express consent. You have the right to withdraw your consent at any time. However, the lawfulness of the data processing carried out until the withdrawal remains unaffected.

Right to Object:

If the processing is based on Art. 6(1)(e) or (f) GDPR, you as a data subject may, for reasons arising from your particular situation, object at any time to the processing of your personal data. This right also applies to profiling based on these provisions within the meaning of Art. 4(4) GDPR. Unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defense of legal claims, we will cease processing your data following an objection. If the processing of personal data is carried out for the purpose of direct marketing, you also have the right to object at any time. The same applies to profiling that is related to direct marketing. In this case as well, we will cease processing personal data once you lodge an objection.

Right to Lodge a Complaint with a Supervisory Authority:

If you believe that the processing of your personal data violates the GDPR, you have the right, without prejudice to any other administrative or judicial remedy, to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement.

Right to Data Portability:

If your data is processed automatically on the basis of consent or the performance of a contract, you have the right to receive this data in a structured, commonly used, and machine-readable format. You also have the right to request the transfer and provision of the data to another controller, insofar as this is technically feasible.

Right to Access, Rectification, and Erasure:

You have the right to obtain information about your processed personal data regarding the purpose of the data processing, the categories, the recipients, and the duration of storage. If you have questions about this topic or any other questions regarding personal data, you are of course welcome to contact us using the contact details provided in the imprint.

Right to Restriction of Processing:

You may assert the restriction of the processing of your personal data at any time. To do so, you must meet one of the following conditions:

• You contest the accuracy of the personal data. For the duration of the verification of accuracy, you have the right to request restriction of processing.
• If processing is unlawful, you may request restriction of the use of the data instead of erasure.
• If we no longer need your personal data for the purposes of processing, but you need the data for the establishment, exercise, or defense of legal claims, you may request restriction of processing instead of erasure.
• If you have objected to processing pursuant to Art. 21(1) GDPR, a balancing of your and our interests will be carried out. Until this balancing has been completed, you have the right to request restriction of processing.

Restriction of processing means that the personal data may, apart from storage, only be processed with your consent or for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or a Member State.

Processing of Personal Data on the Website

Website Hosting (Web Host)

Our website is hosted by: Vercel Inc. 440 N Barranca Ave #4133, Covina, CA 91723 USA

When you visit our website, we automatically collect and store information in so-called server log files. Your browser automatically transmits this information to our server or to the server of our hosting provider. This includes:

• IP address of the visitor's device
• Device used
• Hostname of the accessing computer
• Visitor's operating system
• Browser type and version
• Name of the file accessed
• Time of the server request
• Amount of data
• Information on whether the data retrieval was successful

This data is not merged with other data sources. Instead of operating this website on our own server, we may have it operated on the server of an external service provider (hosting company), which we have named above. The personal data collected by this website is then stored on the servers of the hosting company. In addition to the data mentioned above, the web host stores, for example, contact requests, contact data, names, website access data, meta and communication data, contract data, and other data generated via a website. The legal basis for processing this data is Art. 6(1)(f) GDPR. Our legitimate interest is the technically error-free presentation and optimization of this website. If the website is accessed to enter into contract negotiations or to conclude a contract, the additional legal basis is Art. 6(1)(b) GDPR. In the event that we have engaged a hosting company, a data processing agreement exists with this service provider.

Use of External Services

External services are used on our website. External services are services from third-party providers that are used on our website. This may occur for various reasons, for example for embedding videos or for website security. When using these services, personal data is also transmitted to the respective providers of these external services. If we do not have a legitimate interest in using these services, we will obtain your revocable consent as a visitor to our website before use (Art. 6(1)(a) GDPR).

Analytics

To analyze user behavior, we process personal data of website visitors. By evaluating the data obtained, we are able to compile information about the use of the individual components of our website. This enables us to improve the user-friendliness of our website. The analytics tools used could, for example, create user profiles for the delivery of targeted or interest-based advertising messages, recognize our website visitors upon their next visit, measure their click/scroll behavior, downloads, create heatmaps, track page views, measure visit duration or bounce rates, and trace the origin of website visitors (city, country, which page the visitor came from). With the help of analytics tools, our market research and marketing activities can be improved. Processing only occurs if you consent to this data processing (via our consent banner on the website). The legal basis for this processing is consent (Art. 6(1)(a) GDPR). Without your consent, the data processing described above will not take place. If you withdraw your consent (e.g., via the consent banner or other options provided on this website), we will cease this data processing. The lawfulness of the processing carried out until the withdrawal remains unaffected.

Review Platform

We use review platforms to display collected reviews on our website and thereby build trust among users. The collected reviews are published on our website. When you visit the website, a connection is established with the respective provider and data of the website visitor is transmitted. Personal data processed in this context includes, for example, the IP address. The legal basis for this processing is our legitimate interest in displaying product reviews and customer testimonials (Art. 6(1)(f) GDPR).

Product Hunt

We use the Product Hunt service on our website. The provider of the service is Product Hunt, Inc., 90 Gold St, FLR 3, San Francisco, CA 94133, USA. The use of this service may result in data transfer to a third country (USA). Further information can be found in the provider's privacy policy at the following URL: https://www.producthunt.com/legal#privacy.

Content Delivery Network (CDN)

We use a Content Delivery Network (CDN) to optimize the performance and availability of our website. For this purpose, the service provider that provides this network processes your IP address and the information about when you visited our website. All further information on data processing by this service provider can be found in their privacy notice. We base this processing on a legitimate interest (Art. 6(1)(f) GDPR). Our legitimate interest in using a Content Delivery Network is to be able to present our website as quickly, securely, and reliably as possible.

CloudFlare

We use the CloudFlare service on our website. The provider of the service is Cloudflare Germany GmbH, Rosental 7, 80331 München, Germany. The use of this service may result in data transfer to a third country (USA). The provider is certified under the EU-U.S. Data Privacy Framework and therefore offers an adequate level of data protection. Further information can be found in the provider's privacy policy at the following URL: https://www.cloudflare.com/privacypolicy/.

Newsletter Tools

As part of our marketing, we offer you the option to subscribe to our newsletter via our website. To order the newsletter, you go through a registration process during which we verify that you are the owner of the specified email address and that you agree to receive our newsletter. The data remains with us or with the newsletter service we have commissioned for the duration of your voluntary subscription until you unsubscribe from the newsletter. If you unsubscribe from the newsletter, you will be removed from the distribution list. This list is not merged with other data. Unsubscribing from the newsletter does not, however, lead to the deletion of data stored for other purposes (e.g., customer accounts). Processing only occurs if you consent to this data processing (via our consent banner on the website). The legal basis for this processing is consent (Art. 6(1)(a) GDPR). Without your consent, the data processing described above will not take place. If you withdraw your consent (e.g., via the consent banner or other options provided on this website), we will cease this data processing. The lawfulness of the processing carried out until the withdrawal remains unaffected.

Mailerlite

We use the Mailerlite service on our website. The provider of the service is MailerLite Limited, Ground Floor, 71 Lower Baggot Street, Dublin 2, D02 P593, Ireland. The use of this service may result in data transfer to a third country (USA). The provider is certified under the EU-U.S. Data Privacy Framework and therefore offers an adequate level of data protection. Further information can be found in the provider's privacy policy at the following URL: https://www.mailerlite.com/legal/privacy-policy.

Email Contact

We have provided an email address on our website in accordance with legal requirements. The data transmitted via this channel is automatically stored by us in order to process the corresponding inquiries or to contact the inquiring person. This data will not be shared with third parties without your consent. If you contact us via our email address for pre-contractual or contractual purposes, the processing of personal data is based on the legal basis of Art. 6(1)(b) GDPR. For all other contacts by you, the processing of personal data by us is based on our legitimate interest pursuant to Art. 6(1)(f) GDPR.

Processing of Personal Data in the App (iOS/Android)

Provision of the App

When using the app, we process technical information that is necessary to provide the app and keep it functional. This may include: device information, app version, time of use, IP address if applicable, and technically necessary identifiers. The legal basis is Art. 6(1)(b) GDPR (contract/usage relationship), insofar as the processing is necessary for the use of the app; otherwise Art. 6(1)(f) GDPR (legitimate interest in security, stability, and error correction).

Firebase Authentication

When registering and using the app, it is possible to sign in as a guest or via "Sign in with Apple" (iOS) or "Sign in with Google" (Android). Depending on the login method chosen, a technical user identifier (e.g., Firebase UID) and, if applicable, an email address are processed (for Apple, this may also be a forwarding address provided by Apple, such as "Hide my email").

The data is processed in particular for the following purposes:

• Unique identification of a user account,
• Login and account management,
• Restoration of access (e.g., after logout, device change, or reinstallation).

The processing is carried out in accordance with Art. 6(1)(b) GDPR, as it is necessary for the performance of the usage relationship.

The data is processed by Firebase (Google Cloud EMEA Limited, Gordon House, Barrow Street, Dublin 4, Ireland), which acts as a data processor for the operation and maintenance of authentication. The use of this service may result in data transfer to a third country (USA). The provider is certified under the EU-U.S. Data Privacy Framework and therefore offers an adequate level of data protection.

Authentication data is generally stored until the account is deleted and is then deleted with a time delay as part of technical routines.

The provision is necessary for the use of the app's features. Without authentication, the app cannot be used or can only be used to a limited extent.

Firebase Realtime Database

When using the app, the content you enter is stored in the Firebase Realtime Database. This includes in particular:

• Amounts, status "settled/unsettled", date, categories, intervals for recurring transactions,
• Descriptions (free text field),
• Person (usually a nickname; a real name may also be entered),
• Account names, account currency, time zone.

The data is processed in particular for the following purposes:

• Assignment of income and expenses to persons/profiles,
• Display of overviews and evaluations,
• Synchronization and use of data in the respective account/household (if these features are used).

The processing is carried out in accordance with Art. 6(1)(b) GDPR, as it is necessary for the performance of the usage relationship.

The data is processed by Firebase (Google Cloud EMEA Limited, Gordon House, Barrow Street, Dublin 4, Ireland), which acts as a data processor for the operation and maintenance of the database. The use of this service may result in data transfer to a third country (USA). The provider is certified under the EU-U.S. Data Privacy Framework and therefore offers an adequate level of data protection.

The selected storage location is europe-west1.

The data will be deleted as soon as it is no longer necessary for the achievement of the purpose for which it was collected. This is particularly the case:

• when you delete your account, or
• when a profile has been inactive for 12 months (inactivity deletion).

Without the storage of this content, we cannot provide the essential app features (recording, overview, evaluation).

Firebase Crashlytics

In the event of an app crash, diagnostic data is processed. This may include:

• Crashlytics installation identifiers,
• Crash and error logs (e.g., crash traces / minidump data),
• Technical device and app information,
• Firebase UID (if technically linked).

The data is processed in particular for the following purposes:

• Debugging app crashes,
• Improving the stability and functionality of the app.

The processing is carried out in accordance with Art. 6(1)(f) GDPR, based on our legitimate interest in a secure and stable app.

The data is processed by Firebase (Google Cloud EMEA Limited, Gordon House, Barrow Street, Dublin 4, Ireland), which acts as a data processor for the operation and maintenance. The use of this service may result in data transfer to a third country (USA). The provider is certified under the EU-U.S. Data Privacy Framework and therefore offers an adequate level of data protection.

Crashlytics data is stored for a limited period and then deleted (regularly within 90 days, depending on the configuration).

Without this data, error analysis and stability improvement are limited.

Brevo (Email Notification before Account Deletion)

If an email address is associated with your account (e.g., through sign-in with Apple/Google), we use it to send you a notification by email in the event of an upcoming account deletion due to prolonged inactivity.

For this purpose, we process:

• Email address,
• Nickname/username,
• Planned deletion date,
• Time zone (e.g., Europe/Berlin) for localizing the email.

The processing is carried out in accordance with Art. 6(1)(b) GDPR, as it is necessary for the performance of the usage relationship (account management/communication).

The data is processed by Brevo (Sendinblue SAS, 17 rue de Salneuve, 75017 Paris, France) as a data processor, which carries out the sending of notification emails on our behalf.

RevenueCat (Payment Service Provider)

We integrate the payment service RevenueCat in our app. The provider of this service is RevenueCat.com, 631-633 Taraval St #101, San Francisco, United States.

When you make a purchase from us, your payment data (e.g., name, payment amount, account details, credit card number) is transmitted to RevenueCat and processed by them for the purpose of payment processing. The respective terms and conditions and privacy policies of RevenueCat apply to this processing. Details can be found in RevenueCat's privacy policy at the following link: https://www.revenuecat.com/privacy/.

The use is based on Art. 6(1)(b) GDPR (contract processing) and in the interest of a smooth, convenient, and secure payment process (Art. 6(1)(f) GDPR). The data transfer to the USA is based on the Standard Contractual Clauses of the EU Commission. Details can be found here: https://www.revenuecat.com/dpa/.