waltra. Privacy Policy

Effective date: 20 June 2026 · Version 3.7 · Applies worldwide

    The short version: Waltra does not sell your data, does not link to your bank account, and does not share your information with advertisers. Your expense data belongs to you and your household.
  

1. Who we are

Waltra is part of Tivara — a suite of AI-powered financial tools developed by an independent developer based in the United Kingdom. Tivara also includes Quantara (AI stock analysis) and Vestara (portfolio tracking, coming soon).

For general enquiries: support@waltra.app
For privacy matters: privacy@waltra.app.

Depending on where you are located, we act as a data controller (UK/EU GDPR), business (California CCPA), or equivalent under your local law.

ICO registration: Waltra is registered with the UK Information Commissioner's Office (ICO) as required under UK GDPR. Registration number: ZC154837 (verifiable at ico.org.uk/ESDWebPages/Search).

Data Processing Agreement (Anthropic): We have accepted Anthropic's Data Processing Agreement (available at anthropic.com/legal) governing the processing of personal data through their Claude AI API.

2. What data we collect and why

The table below sets out exactly what we collect, why, and our lawful basis under UK/EU GDPR. We tell you this at the point of account creation and you can withdraw consent at any time.

Data	Why	Lawful basis
Email address, display name, profile emoji	Account creation and authentication	Contract (Article 6(1)(b))
Expense data (amounts, categories, notes, dates)	Core app function — tracking household spending	Contract (Article 6(1)(b))
Household data (name, members, budgets, savings goals, recurring expenses)	Shared household tracking	Contract (Article 6(1)(b))
Voice transcripts (text only, no audio)	AI-powered voice expense entry	Consent (Article 6(1)(a)) — given at signup, can be withdrawn by not using voice features
Receipt images (processed then discarded)	AI-powered receipt scanning	Consent (Article 6(1)(a)) — given at signup, can be withdrawn by not using scan features
AI chat messages	Waltra AI spending assistant	Consent (Article 6(1)(a)) — given at signup
Push notification token	Optional expense reminders	Consent (Article 6(1)(a)) — explicit browser permission required
Expense edit history	When a household member edits an expense added by another member, the editor's user ID and timestamp are stored on the expense record (lastEditedBy, lastEditedAt). This is displayed to household members as "edited by [name]" on the expense row for transparency.	Legitimate interests (Article 6(1)(f)) — household transparency and accountability
Marketing email preference	Occasional product updates	Consent (Article 6(1)(a)) — explicit opt-in, freely withdrawable
Founder Gifted Premium status	Grant or revoke complimentary Premium access gifted by the founder	Legitimate interests (Article 6(1)(f)) — managing gifted access; only applied to users explicitly selected by the founder
Pending Founder Gift (non-users)	Email address and name stored temporarily in a pendingGifts collection when a Founder Gift is sent to someone who does not yet have a Waltra account. Automatically applied and marked as used when they sign up.	Legitimate interests (Article 6(1)(f)) — fulfilling a gift promise made directly by the founder
Basic usage signals (crash reports)	App improvement via Firebase Analytics	Legitimate interests (Article 6(1)(f)) — improving service stability

3. AI features and consent

Waltra uses Anthropic's Claude AI for voice transcript parsing, receipt scanning, and the Waltra AI chat. Your consent to AI processing is collected at account creation and stored with a timestamp and version number in your user record.

When you use these features, relevant text (transcript or extracted receipt text) is sent to Anthropic's API for processing. Anthropic's privacy policy applies: anthropic.com/privacy. We have accepted Anthropic's Data Processing Agreement. No audio or images are ever sent — only text.

Withdrawing AI consent: You can effectively withdraw consent by not using AI features (voice entry, receipt scanning, Waltra AI). If you want us to delete any AI-processed data, email privacy@waltra.app.

Household AI data: AI consent is individual — it controls whether your device can initiate AI processing. It does not affect what expense data other household members can see or query. Because all household members have agreed to share expense data as part of joining a household, another member's use of Waltra AI may include your shared expense data in their session. This is covered under the household data sharing basis (Contract, Article 6(1)(b)), not AI consent. If you do not want your expense data accessible to any household member, the appropriate action is to leave the household.

Exchange rates for foreign currency conversion are fetched from open.er-api.com. No personal data is sent.

4. Data storage and security

Your data is stored in Google Firebase (Firestore and Authentication), with Firestore data stored in the United States and our Cloud Functions (which process requests) running in europe-west2 (London, UK). Firebase is certified under ISO 27001 and SOC 2/3. Data in transit is encrypted with TLS 1.2+. Data at rest is encrypted using AES-256.

Firestore Security Rules are enforced server-side to ensure only verified household members can read or write household data — no other Waltra user can access your household's expenses, budgets, or member information.

We implement reasonable technical and organisational security measures. If you become aware of a security issue, contact security@waltra.app immediately — or support@waltra.app if that address is unavailable.

5. Local storage and device data

Waltra stores the following data in your browser's local storage (not cookies). This data stays on your device and is never transmitted to our servers:

Key	What it stores	When cleared
waltra_privacy	Whether amounts are hidden (privacy mode on/off)	On sign out
waltra_pin	Hashed PIN (bcrypt — not reversible)	When PIN is removed or reset
waltra_faceid_enabled	Whether biometric login is enabled	When biometric is disabled or PIN is reset
waltra_data_pref	Whether user accepted local data caching	On browser data clear
waltra_ios_install_dismissed	Whether iOS install prompt was dismissed	On browser data clear
waltra_tour_seen	Whether app tour has been completed	On browser data clear
waltra_swipe_hint_seen	Whether swipe hint was dismissed	On browser data clear
waltra_voice_seen	Whether voice entry tooltip has been shown	On browser data clear
waltra_push_enabled	Whether expense reminders are enabled	On sign out or when reminders disabled
waltra_build_etag	Hash of the last app version seen — used to detect updates and reload automatically	Preserved across sessions; cleared on browser data clear
waltra_review_dismissed_YYYY	Whether the Annual Review for year YYYY was dismissed (e.g. waltra_review_dismissed_2026)	On browser data clear
waltra_hid_{uid}	Cached household ID for faster loading	On sign out

We do not use advertising cookies, third-party tracking pixels, or fingerprinting technology.

6. Data sharing

We share data only in the following circumstances:

Within your household — all members see all household expenses, budgets, and savings goals in real time. Each account can only belong to one household at a time, which is how we keep this data correctly isolated — if you need to be part of more than one household, you'll need a separate account and email address for each.
Anthropic — text from voice entry, receipt scanning, and AI chat is processed via their API under a signed DPA
Google Firebase — infrastructure and authentication provider; bound by Google's DPA and GDPR commitments
Referral data: If you use the referral programme, we store your referral code, the number of successful referrals, credits earned, and whether your email address has been verified (required to activate referral credits). Referred users' identities are not shared with referrers — only the referral count is visible to you. When a referral is credited, we send a confirmation email to the referrer and store a transient in-app notification in your account (marked as read once viewed and not retained thereafter).
open.er-api.com — exchange rate lookups; no personal data sent
Stripe — payment processing. When you subscribe, your payment details are handled directly by Stripe. Waltra never sees or stores your card number. Stripe's privacy policy applies: stripe.com/privacy. Stripe stores your email address and billing information as needed to process recurring payments and provide a customer billing portal.
Legal requirements — if required by law, court order, or to protect our legal rights

We never sell your data.

7. Data retention

Your data is held while your account is active. When you delete your account:

Your profile and member record are removed from your household immediately
If you were the last member, all household data is deleted immediately
If other members remain, your historical expenses stay attributed to "Previous Member"
All remaining personal data is automatically purged within 30 days
Consent records (timestamps of when you gave consent) are retained for 12 months for legal compliance purposes, then deleted
A confirmation email is sent to your registered address confirming permanent deletion

8. Your rights

Regardless of where you live, you can:

Access & export your data — CSV export in the Expenses tab
Delete your account — Profile → Delete account
Correct your data — edit directly in the app
Withdraw AI consent — by not using AI features; or email us to delete AI-processed data
Opt out of marketing emails — Profile → Settings → Marketing emails
Unsubscribe from monthly summary emails — link in every summary email, or Profile → Settings → Monthly email
Request any of the above by emailing privacy@waltra.app

🇬🇧 UK users (UK GDPR): Our lawful bases are set out in Section 2. You have the right to lodge a complaint with the Information Commissioner's Office at ico.org.uk. ICO registration number: ZC154837.

🇪🇺 EU/EEA users (GDPR): Lawful bases are as per Section 2. Data transferred to the US is done under Firebase's and Anthropic's Standard Contractual Clauses. You may lodge a complaint with your local supervisory authority.

🇺🇸 California users (CCPA/CPRA): We do not sell or share your personal information for cross-context behavioural advertising. You have the right to know, delete, correct, and opt out. Email privacy@waltra.app. We do not discriminate against users who exercise privacy rights.

🇮🇳 India users (DPDP Act 2023): You are a "data principal." You have the right to access, correct, and erase your personal data and to withdraw consent. Contact privacy@waltra.app. We process your data only for the purposes in this policy.

9. Data Protection Impact Assessment (DPIA) summary

Scope: AI processing of personal data (voice transcripts, receipt text) via Anthropic's Claude API.

Risk identified: Personal financial and behavioural data processed by a third-party AI system. Risk level: Medium.

Mitigations applied:

Consent collected at point of account creation with timestamp and version number
No audio or images transmitted — only derived text
Data discarded by Anthropic immediately after processing under signed DPA
Processing limited to specific features; users can withdraw by not using those features
AI processing limited to 10 messages/household/month and 10 receipt scans/month

Residual risk: Low. Mitigations reduce risk to an acceptable level. Full DPIA on file.

10. Age requirement & children's privacy

Waltra requires all users to be at least 18 years of age. We do not knowingly collect data from anyone under 18. If we become aware that a user is under 18, we will delete their account and data promptly. If you believe a minor has provided us with personal data, contact privacy@waltra.app.

11. Changes to this policy

We may update this policy from time to time. Material changes will be notified within the app. Continued use after changes constitutes acceptance. The version number and effective date at the top of this document will be updated.

12. Contact

For any privacy questions, to exercise your rights, or to request our full DPIA: privacy@waltra.app

We aim to respond within 30 days. For EU/EEA users, within the GDPR-required timeframe.

For press enquiries: press@waltra.app · For partnerships: partnerships@waltra.app