Privacy Policy

Last updated: 1 March 2026

1. Who we are

PocketSpend is operated by ONXYN Limited, registered in England and Wales (company no. 14728XX), with headquarters in Birmingham, United Kingdom. ONXYN is the data controller for personal data processed via the PocketSpend mobile and web applications.

2. What we collect

  • Account data: name, email, password hash, region, currency preference.
  • Bank data: read-only transaction history, account balance, account name, sort code/IBAN tail. We never see your bank login credentials.
  • Device data: device type, OS version, app version, anonymous crash reports.
  • Usage data: features used, retention metrics. Aggregated and anonymised.

3. Open Banking partners

We use FCA-authorised Yapily (UK), Plaid (US), Basiq (Australia) and Lean Technologies (UAE/GCC) to retrieve transaction data. Each partner is read-only, OAuth-only, and regulated in its jurisdiction. We never receive your bank password.

4. How we use your data

To operate the service: categorize transactions, generate budgets, surface subscriptions, send alerts. We use AI categorization models trained on aggregated, anonymised transactions — your individual data is never used to train external models.

5. What we never do

  • Sell your data to advertisers, brokers or partners.
  • Share identifiable financial data with third parties.
  • Use your data for ad targeting outside the app.
  • Move money or initiate payments on your behalf.

6. Data residency

UK/EU user data lives in AWS eu-west-2 (London). US data in AWS us-east-1. Australian data in AWS ap-southeast-2 (Sydney). UAE/GCC data in AWS me-south-1 (Bahrain). We respect data residency expectations of each jurisdiction.

7. Your rights

Under UK GDPR, EU GDPR, CCPA, CDR Privacy Safeguards and CBUAE Open Finance, you have the right to access, rectify, delete and port your data. Request via /delete-account or email privacy@pocketspend.cloud. We respond within 30 days.

8. Security

Read-only bank connections via regulated aggregators (Plaid, Yapily, Basiq, Lean) — bank credentials never touch our servers. Biometric app lock on iOS and Android. Certificate pinning on iOS. Row-level security at the database layer. Full details at /security.

9. Contact

Data Protection Officer: dpo@pocketspend.cloud. ICO complaints: ico.org.uk.