Privacy Policy for Alona

Effective Date: November 11, 2025

Last Updated: November 11, 2025

Alona ("we," "us," or "our") is a service provided by [Your Company Name or Individual Developer Name] and accessible at heyalona.com. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use Alona (the "App"). Alona monitors your Gmail inbox with read-only access including message attachments and your bank transactions via PSD2-compliant APIs to identify recurring payments and subscriptions. With your explicit consent, we may negotiate better prices on your behalf with service providers.

Alona processes personal data of EU/EEA residents and complies with the General Data Protection Regulation (GDPR) and the Revised Payment Services Directive (PSD2). We act as the data controller for your personal data.

By using Alona, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the App.

1. Information We Collect

a. Gmail Data (Read-Only Access with Attachments)

  • Alona requests read-only permission to your Gmail account via Google OAuth (https://www.googleapis.com/auth/gmail.readonly).

  • This scope allows us to view the following without modification:

    • Email metadata (e.g., subject lines, sender/recipient addresses, timestamps, labels).

    • Email message bodies (full text content).

    • Email attachments (e.g., PDFs, invoices, receipts) — only when necessary to identify subscription or billing details.

  • Attachments are accessed only if:

    • The email is flagged as potentially related to a recurring payment (e.g., contains keywords like "invoice", "subscription", "receipt").

    • The attachment type is supported (e.g., PDF, text, image) and under 5 MB.

  • We do NOT:

    • Send emails on your behalf.

    • Modify, delete, or move your emails or attachments.

    • Access or store your email passwords.

    • Download or retain attachments beyond temporary analysis (see Section 3).

b. Bank Transaction Data (PSD2 Access)

  • Alona connects to your bank accounts via PSD2 APIs as an Account Information Service Provider (AISP).

  • With your explicit consent (via Strong Customer Authentication - SCA), we access:

    • Transaction history (dates, amounts, payees, descriptions).

    • Account balances and identifiers needed to detect recurring payments.

  • We do NOT:

    • Initiate payments or transfers.

    • Access full account or card numbers beyond PSD2-permitted identifiers.

    • Store login credentials.

c. Account Information

  • Google sign-in: Your email address, display name, and unique user ID.

  • Bank connection: Masked account identifiers and institution name.

  • Consent logs for data access and negotiation actions.

d. Usage & Device Data

  • Anonymized analytics (features used, session length).

  • Device info (browser, OS, IP) for security and debugging.

  1. How We Use Your Information

We use your data only to:

  • Identify subscriptions: Cross-reference Gmail (including attachments) and bank data to detect recurring charges.

  • Generate reports: Show you active subscriptions, costs, and savings opportunities.

  • Negotiate (with consent): Contact providers using pre-approved templates (you review/send or we send on your behalf).

  • Improve service and prevent fraud.

  • Comply with legal and regulatory requirements.

We do NOT use your emails, attachments, or transactions for:

  • Advertising or marketing.

  • Training third-party AI models.

  • Sharing with unrelated parties.

Legal Bases (GDPR):

  • Consent (Art. 6(1)(a)): Gmail access, attachment processing, PSD2 connection, negotiations.

  • Contract (Art. 6(1)(b)): To deliver the service you request.

  • Legitimate Interests (Art. 6(1)(f)): Fraud detection, security, anonymized analytics.

  1. Data Storage & Security

Data Type

Storage

Retention

Security

Emails & Metadata

In-memory only

Deleted after analysis

TLS 1.3, no persistent storage

Attachments

Temporary (in-memory or encrypted cache)

Max 24 hours, then auto-deleted

AES-256, access-controlled

Bank Transactions

Encrypted database (EU servers)

Up to 12 months (for history)

AES-256, tokenization

Access Tokens

Encrypted vault

Auto-revoked on logout

Short-lived, refresh rotated

Logs

Encrypted audit trail

30 days

Immutable, tamper-evident

All processing occurs in EU/EEA data centers.

  • Regular Data Protection Impact Assessments (DPIAs) for attachment and financial data processing.

  • Breach notification within 72 hours to you and Datatilsynet.

  1. Data sharing & Disclosure

We never sell your data. We share only:

With Whom

What

Why

Safeguards

Cloud Providers (e.g., AWS Frankfurt)

Encrypted data at rest

Hosting & processing

DPA, SCCs, ISO 27001

Google

OAuth tokens

Authentication

Google’s GDPR compliance

Banks (via PSD2 APIs)

Consent & access requests

Transaction access

SCA, AISP licensing

Service Providers (for negotiation)

Subscription proof (e.g., invoice snippet)

Only with your approval

Consent record, minimal data

5. Your Rights & Controls

You control your data at all times:

  • Revoke Gmail access: myaccount.google.com/permissions

  • Revoke bank access: Via your bank’s PSD2 dashboard

  • Delete cached attachments: Auto-deleted in 24h; manual delete via app

  • Request data: Email contact@heyalona.com with "GDPR Request"

  • Withdraw negotiation consent: Instantly pauses all outreach

We respond within 30 days. All requests are free.

  1. International Data Transfers

Primary processing: EU/EEA

  • Any transfer outside EEA (e.g., US subprocessors):
    EU Standard Contractual Clauses (SCCs)
    EU-US Data Privacy Framework (where certified)

  1. Children's Privacy

Alona is not for users under 16. We delete any data if we learn a child has signed up.

  1. Changes to This Policy

Material changes will be:

Continued use = acceptance.

  1. Contact us

Data Protection Officer (DPO) & Support:

📧 contact@heyalona.com

🌐 heyalona.com

📍 Pilestræde 60, 1112 København