Privacy Policy
Your privacy matters. This Privacy Policy explains what personal data Banymay (“we”) collects, why we collect it, how we use and protect it, and the rights you have under the EU General Data Protection Regulation (“GDPR”) and related laws.
1. Who we are
The data controller for the personal data processed through the Service is the operator of Banymay. For any privacy-related question you can reach us at contact@banymay.com.
2. Scope
This notice applies to personal data we process when you visit the Banymay website, create an account, use the application or interact with us by email. It does not cover third-party sites linked from the Service; please consult their own privacy notices.
3. Personal data we collect
| Category | Examples |
|---|---|
| Account data | username, email, password hash, first & last name, country, age |
| Authentication | session tokens, password-reset tokens, login timestamps, IP address, user-agent |
| Portfolio content | stocks, deposits, withdrawals, dividends, snapshots, brokers, currency preferences — all entered by you |
| Usage data | pages visited, feature interactions, error logs, request metadata |
| Device data | browser type and version, operating system, screen size, language |
| Billing data | subscription plan, status, billing period, partial card metadata (last 4 digits, brand) — full payment data is processed by our payment provider, not stored by us |
| Communications | messages you send to support or feedback channels |
We do not intentionally collect special categories of data (health, biometric, political, religious, etc.). Please do not enter such data into your portfolio notes.
4. Purposes & legal bases (GDPR Art. 6)
| Purpose | Legal basis |
|---|---|
| Creating and operating your account | Performance of a contract (Art. 6(1)(b)) |
| Storing and displaying your portfolio content | Performance of a contract (Art. 6(1)(b)) |
| Processing subscription payments & invoicing | Performance of a contract; legal obligation (Art. 6(1)(b) and (c)) |
| Authentication, fraud prevention, abuse detection | Legitimate interests (Art. 6(1)(f)) |
| Service improvement, analytics, debugging | Legitimate interests (Art. 6(1)(f)) |
| Sending service emails (security, billing, changes) | Performance of a contract; legal obligation |
| Sending optional product or marketing emails | Consent (Art. 6(1)(a)) — revocable at any time |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Defending legal claims | Legitimate interests (Art. 6(1)(f)) |
5. Sources of data
We collect personal data:
- directly from you (registration, app use, support messages);
- automatically (logs, cookies, device signals);
- from our processors (payments, hosting, market data);
- from publicly available sources where strictly necessary.
7. International transfers
Some of our processors are located outside the European Economic Area. Where this is the case, transfers are protected by appropriate safeguards under GDPR Chapter V, in particular the European Commission’s Standard Contractual Clauses and supplementary technical measures (e.g. encryption in transit and at rest).
8. Retention
- Account & portfolio data — for as long as your account exists, plus up to 90 days after deletion to allow recovery and resolve disputes.
- Billing records & invoices — up to 10 years, where required by tax / accounting law.
- Security logs — typically 30–180 days.
- Backup snapshots — rotated periodically; residual copies may persist for a short additional window.
- Support correspondence — up to 24 months.
When the retention period ends, data is deleted or irreversibly anonymised.
9. Security
We apply technical and organisational measures appropriate to the risk, including:
- HTTPS/TLS for all network traffic;
- password hashing using modern algorithms (no plaintext passwords);
- scoped access controls and per-user data isolation;
- regular dependency updates and security review;
- periodic backups and restore drills.
No system can guarantee absolute security. Please notify us immediately if you suspect any unauthorised access to your account.
11. Your GDPR rights
Subject to applicable law, you have the right to:
- Access the personal data we hold about you (Art. 15);
- Rectify inaccurate or incomplete data (Art. 16);
- Erase your data — the “right to be forgotten” (Art. 17);
- Restrict processing in certain circumstances (Art. 18);
- Data portability — receive your data in a structured, machine-readable format and transmit it to another controller (Art. 20);
- Object to processing based on legitimate interests (Art. 21);
- Withdraw consent at any time, without affecting the lawfulness of past processing;
- Lodge a complaint with a supervisory authority — in Romania this is the ANSPDCP; you may also contact the authority of your habitual residence.
To exercise any right, contact contact@banymay.com. We respond within 30 days, extendable by up to 60 days for complex requests.
12. Automated decision-making
We do not subject users to decisions producing legal or similarly significant effects based solely on automated processing, including profiling, within the meaning of GDPR Art. 22.
13. Children
The Service is not directed to persons under 18 years of age. We do not knowingly process personal data of minors. If you believe a minor has provided us with personal data, please contact us so we can delete it.
14. Data-breach notification
In the event of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of it, in accordance with GDPR Art. 33, and we will inform affected users without undue delay where Art. 34 applies.
15. Changes to this Policy
We may update this Privacy Policy. The “Last updated” date at the top reflects the most recent version. Material changes will be notified through the Service or by email at least 30 days in advance, where required.
16. Contact & Data Protection Officer
For any privacy enquiry, request, or complaint write to: contact@banymay.com.