Privacy Policy
Dealy
This Privacy Policy explains how Dealy collects, uses, stores, shares, and protects personal data when you use the Dealy mobile app, including app builds that may still display the name Mon Panier.
1. Data Controller
The controller of the personal data processed through Dealy is:
[Insert legal entity name]
Operating name: Dealy
Postal address: [Insert registered address]
Email:
privacy@your-domain.com
If you have appointed a data protection officer, add:
[Insert DPO contact details]
2. Data We Process
Account and identity data
- Email address
- First name and last name
- Username and identity-provider identifiers
- Preferred language
- Authentication and session tokens
Shopping and budgeting data
- Shopping titles, dates, totals, and store information
- Purchased item names, quantities, prices, and classifications
- Budget values and spending analytics by product, category, and store
- Shopper profile data associated with your account
Receipt, file-import, and voice data
- Receipt photos captured with the camera
- Receipt images selected from the photo library
- Images or PDF files shared into the app from other apps
- Voice recordings made in the app
- Receipt references attached to shopping records
This content may contain personal data depending on what appears on a receipt or what is said in a voice note.
Subscription and payment-related data
- Subscription status and entitlement status
- Trial status
- Product identifiers and offering identifiers
Payments are handled by Apple App Store or Google Play. Dealy does not receive your full bank card number.
Technical, usage, and analytics data
- Feature usage, screen interactions, and event data
- App lifecycle events
- Analytics identifiers
- Session replay data if that feature is enabled
- Security and operational logs
Data stored locally on your device
- Theme and language preferences
- Onboarding completion state
- Weekly budget preference
- Tutorial progress and reminder state
- Home-screen widget data
- Authentication tokens stored in secure device storage
3. Purposes and Legal Bases
Under Article 6 GDPR, we process your data only where a valid legal basis applies.
| Purpose | Examples of data | Legal basis |
|---|---|---|
| Create, authenticate, and manage your account | Identity data, email, tokens, language | Performance of a contract or steps at your request |
| Provide core shopping, budgeting, widget, and sync features | Shopping history, shopper data, preferences | Performance of a contract |
| Process receipt images, imported files, and voice notes into structured shopping data | Receipt images, PDFs, voice recordings, extracted data | Performance of a contract or steps taken at your request |
| Manage subscriptions, trials, and related records | Entitlements, subscription status, product identifiers | Performance of a contract; legal obligation where accounting or tax rules apply |
| Secure the service, prevent abuse, and maintain operations | Logs, tokens, technical diagnostics | Legitimate interests |
| Send local reminders linked to your trial | Reminder state, subscription timing | Your device-level notification permission; performance of a contract or legitimate interests, depending on the reminder |
| Measure product usage, analytics, and session replay | Usage events, identifiers, replay data | Consent where required by applicable law; if an exemption applies, the legal basis may instead be legitimate interests for strictly exempt measurement |
4. Analytics, Traceurs, and Session Replay
Dealy uses product analytics and may enable session replay to understand how features are used and to improve the app.
For users in France and, more broadly, in the EEA, analytics and replay features must be assessed under the GDPR and Article 82 of the French Data Protection Act, including CNIL guidance on audience measurement and mobile apps.
- Where consent is legally required, analytics or replay should only be activated after valid consent has been obtained.
- Refusing consent must not block access to the core app unless the processing is strictly necessary for the requested service.
- Device permissions requested by iOS or Android are technical permissions. They do not by themselves replace GDPR consent where consent is required.
5. Recipients of Personal Data
We disclose personal data only where necessary to operate Dealy.
- Hosting and backend infrastructure providers
- Our authentication and account-management provider
- PostHog, for analytics and possibly session replay
- RevenueCat, for subscription and entitlement handling
- Apple App Store and Google Play, for in-app purchases and subscriptions
- Google Gemini API, for receipt and voice processing features
- Professional advisers or authorities where disclosure is legally required
We do not sell personal data. We do not use third-party advertising SDKs in the current mobile codebase.
6. International Transfers
Some of our processors or sub-processors may process personal data outside the European Economic Area.
Where such a transfer takes place, we aim to rely on an appropriate transfer mechanism, such as:
- An adequacy decision by the European Commission
- Standard Contractual Clauses
- Another transfer mechanism permitted by Chapter V GDPR
You can request more information about the transfer safeguards relevant to your data by contacting us.
7. Retention
We keep personal data only for as long as necessary for the purposes described above and in line with the GDPR storage-limitation principle.
- Account and profile data: for the life of the account, then for the time needed to meet legal obligations or handle claims.
- Shopping history and attached content: until you delete it, your account is deleted, or retention is otherwise no longer necessary.
- Receipt images and voice files: for the time needed to process the requested feature, then according to the retention of the resulting shopping record and any applicable backup, security, or dispute requirements.
- Subscription-related data: for the subscription period and for the time needed to comply with accounting, tax, or legal obligations.
- Analytics data: according to the settings configured in the analytics tool and your consent choices where consent applies.
- Local device data: until you clear it, uninstall the app, or it is overwritten by new settings.
8. Permissions and Optional Features
Depending on how you use Dealy, the app may ask for access to the following device resources:
- Camera, to capture receipt images
- Photo library or files, to import receipts and shared files
- Microphone, to record voice notes
- Notifications, to display local reminders
You can control these permissions in your device settings. Refusing a permission may limit the related feature.
9. Your Rights
Subject to the conditions of the GDPR and French law, you may have the following rights:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to object
- Right to data portability
- Right to withdraw consent at any time where processing is based on consent
- Right to define instructions for the handling of your data after your death, where French law applies
You also have the right to lodge a complaint with the French supervisory authority, the CNIL: www.cnil.fr.
The current app may not provide a full self-service account deletion flow in every case. If you want your account or associated data deleted, contact us using the details in Section 1.
10. Automated Decisions
Dealy uses automated tools to extract structured information from receipts and voice notes. However, this Privacy Policy is not intended to describe solely automated decision-making producing legal effects or similarly significant effects within the meaning of Article 22 GDPR.
11. Security
We implement reasonable technical and organisational security measures appropriate to the nature of the data and the risks involved. In the current app, network communications use HTTPS and authentication tokens are stored using secure device storage where available.
12. Children
Dealy is not directed to children. Where processing is based on consent in connection with an information society service and French law applies, a child aged 15 or over may generally consent alone. For children under 15, the agreement of the child and the holder of parental responsibility may be required.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the date shown at the top of this page and may also give additional notice in the app or on the relevant app-store listing.