This document is provided in English only. The translated user interface elsewhere on the site is for convenience and is not legally binding.
Privacy Policy
Effective date: May 2026
1. Introduction
WealthNow ("we," "us," or "our") operates a personal finance visualization tool accessible as a progressive web application (PWA). WealthNow is not a bank, financial institution, or fintech service. It is a tool that allows users to manually enter and visualize arbitrary display content — such as numbers, names, and descriptions — for personal visualization and educational purposes.
This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use the WealthNow service ("the Service"). It is written in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), in particular Articles 13 and 14, which require us to inform you about how your data is processed.
By creating an account or using WealthNow, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.
2. Data Controller
The data controller responsible for processing your personal data is:
- Name: nSilence
- Address: Contact us at for our registered address
- Email:
If you have any questions about this Privacy Policy or how we process your data, you can contact us at the email address above.
3. Data We Collect
3.1 Account Data
When you create an account, we collect your name, email address, and a hashed password. Passwords are hashed using industry-standard algorithms (bcrypt) via BetterAuth before storage. We never store your password in plaintext.
3.2 User-Created Display Content
You may manually enter display content into the Service, including:
- Account names, types, and balances
- Transaction records (descriptions, amounts, dates, categories)
- Payment method labels (e.g., "Visa 4521")
Important: This is not real banking data. WealthNow does not connect to any bank, financial institution, or payment network. All display content in the Service is entered manually by you and exists solely within WealthNow. It is arbitrary user-created content — like text in a design tool — and we have no way to verify whether it reflects actual financial accounts or transactions.
3.3 Technical Data
We automatically collect limited technical data during use:
- IP address (during authentication and API requests)
- User agent string (browser type, version, operating system)
- Device type (mobile, desktop, tablet)
This data is collected for security purposes and abuse prevention. We run our own first-party, self-hosted analytics on infrastructure we control (see Section 3.5 below). We do not use third-party analytics processors, advertising trackers, or any form of cross-site tracking.
3.5 Product Usage Analytics
We collect anonymized usage analytics to understand how the Service is used and to improve it. Analytics data is processed by self-hosted Umami running on our own server at improve.nsilence.com. No third-party analytics processor receives this data.
What we collect. Page views, in-product actions (e.g., signup, account setup completed, transaction created, theme changed, subscription activated), device type, locale, and the navigation path of pre-defined routes. Free-text content you type (transaction descriptions, account names, etc.) is never sent to analytics — only fixed event names and enumerated values.
How we identify visitors. Before you sign in, we store a random UUID in your browser's sessionStorage (not a cookie) so that page views from the same tab session are grouped together. After signup, this anonymous identifier is replaced by a derived stable identifier — an HMAC-SHA256 hash of your user ID — so analytics records are linked to your account internally but the raw user ID never appears in the analytics database.
IP addresses. Umami hashes IP addresses with a salt rotated daily; raw IPs are not stored.
Legal basis. Legitimate interest under GDPR Art. 6(1)(f) — improving the Service. Because the analytics is cookieless and runs entirely on infrastructure we control, no consent banner is required under the ePrivacy Directive (Art. 5(3) cookie rule does not apply to sessionStorage when used solely for first-party analytics).
Sharing. Analytics data is never shared with any third party.
Your rights. You may request deletion of analytics records linked to your account by contacting us at the email below (Section 14).
3.4 Payment Data
If you subscribe to a paid plan, payment is processed entirely by Dodo Payments, which acts as our merchant of record. Dodo Payments independently collects payment from you, handles applicable taxes, and shares with us only:
- Subscription status (active, cancelled, past due)
- Billing period dates
- Transaction identifiers
Your credit card number, CVV, and full billing details are collected and processed exclusively by Dodo Payments. They never touch our servers. For information on how Dodo Payments handles your payment data, see Dodo Payments' Privacy Policy.
4. How We Use Your Data
The following table describes each type of data we collect, the purpose of processing, and the legal basis under GDPR Article 6:
| Data Type | Purpose | Legal Basis (GDPR Art. 6) |
|---|---|---|
| Account data (name, email, hashed password) | Provide the Service, authenticate your identity, communicate account-related information | Contract performance (Art. 6(1)(b)) |
| User-created display content | Display, organize, and visualize your content within the app as configured by you | Contract performance (Art. 6(1)(b)) |
| Technical data (IP, user agent, device type) | Security monitoring, abuse prevention, troubleshooting errors | Legitimate interest (Art. 6(1)(f)) |
| Payment data (subscription status, billing dates) | Process and manage subscriptions, send billing-related communications | Contract performance (Art. 6(1)(b)) |
We do not use your data for advertising, profiling, automated decision-making, or any purpose other than providing and securing the Service.
5. Legal Basis for Processing
Under GDPR Article 6, every processing activity must have a lawful basis. We rely on the following:
5.1 Contract Performance (Art. 6(1)(b))
Most of our data processing is necessary to perform the contract between you and WealthNow — that is, to provide the Service you signed up for. This includes creating and maintaining your account, storing and displaying the content you enter, and processing your subscription payments through Dodo Payments.
5.2 Legitimate Interest (Art. 6(1)(f))
We process limited technical data (IP address, user agent, device type) for the legitimate interest of securing the Service, preventing abuse and unauthorized access, and maintaining system integrity. We have assessed that these interests are not overridden by your rights and freedoms, given the limited nature and short retention period of this data.
5.3 Legal Obligation (Art. 6(1)(c))
Where required by applicable laws (e.g., tax and accounting regulations), we may retain certain payment and transaction records for the legally mandated period.
5.4 Consent (Art. 6(1)(a))
We currently do not process any data on the basis of consent alone. If we introduce features that require consent in the future (e.g., marketing emails), we will obtain your explicit, informed consent before processing, and you will be able to withdraw it at any time.
6. Data Sharing and Third Parties
We share your data only with the following third-party service providers, and only to the extent strictly necessary to operate the Service:
6.1 Dodo Payments (Merchant of Record)
- What is shared: your email address and subscription selection. Dodo Payments independently collects your payment card details during checkout.
- Purpose: payment processing, invoicing, subscription management, and tax compliance. Dodo Payments acts as the merchant of record and is responsible for VAT/GST/sales tax collection and remittance in your jurisdiction.
- Location: United States. Dodo Payments uses Standard Contractual Clauses (SCCs) approved by the European Commission for international data transfers.
- Dodo Payments' privacy policy: dodopayments.com/legal/privacy-policy
6.2 Hosting Provider
- Provider: Hetzner Online GmbH
- Location: Helsinki, Finland (European Union)
- Purpose: infrastructure and data storage. All Service data (database, application) is hosted on this provider's servers.
- The server runs isolated Docker containers with restricted network access between services.
6.3 Email Provider (Transactional Email)
- Provider: Resend (United States, compliant with EU-US Data Privacy Framework)
- What is shared: your email address and email content for transactional messages only (account verification, password reset, billing notifications).
- We do not send marketing emails, newsletters, or promotional communications.
6.4 ALTCHA (Anti-Bot Protection)
- ALTCHA is a proof-of-work challenge system that runs entirely on our own servers.
- No data is sent to any third party for anti-bot verification.
- ALTCHA does not set any cookies or track users.
6.5 What We Do Not Do
- We do not sell, rent, or trade your personal data to any third party.
- We do not use your data for advertising or behavioral profiling.
- We do not share data with data brokers, ad networks, or marketing platforms.
- We do not use third-party analytics processors or cross-site tracking tools. Our product usage analytics runs on self-hosted Umami on our own infrastructure (see Section 3.5).
7. International Data Transfers
Our primary servers are located in the European Union (Finland). However, some data is transferred to service providers headquartered in the United States.
For data transfers outside the European Economic Area (EEA), we rely on the following safeguards:
- Dodo Payments: uses Standard Contractual Clauses (SCCs) as approved by the European Commission for international data transfers.
- Resend: used for transactional email delivery (verification, password reset). Processes only email addresses and message content. Compliant with the EU-US Data Privacy Framework.
All other data processing (hosting, anti-bot protection) occurs within the European Union.
8. Data Retention
We retain your data only for as long as necessary to fulfill the purposes described in this policy:
- Account data (name, email, hashed password): retained while your account is active. Upon account deletion, permanently removed from our production systems within 30 days. Encrypted backups may retain residual data for up to 90 days before being rotated out.
- User-created display content (accounts, transactions, payment methods): deleted immediately upon account deletion via cascade delete. When you delete your account, all associated display content is irreversibly removed.
- Payment records (subscription status, transaction identifiers, billing dates): retained as required by applicable tax and accounting laws, typically for up to 7 years.
- Server logs (IP addresses, request logs): retained for 90 days for security monitoring and debugging, then automatically purged.
9. Your Rights
Under the GDPR and applicable data protection laws, you have the following rights regarding your personal data:
- Right of access (Art. 15): you have the right to request a copy of all personal data we hold about you, along with information about how it is processed.
- Right to rectification (Art. 16): you have the right to request correction of inaccurate or incomplete personal data. You can also update most of your data directly through the Service.
- Right to erasure (Art. 17): you have the right to request deletion of your personal data ("right to be forgotten"). You can delete your account at any time through the Service, which triggers automatic deletion of all associated data.
- Right to restrict processing (Art. 18): you have the right to request that we limit how we process your data in certain circumstances, for example while we verify the accuracy of data you have contested.
- Right to data portability (Art. 20): you have the right to receive your personal data in a structured, commonly used, machine-readable format (e.g., JSON or CSV) and to transmit it to another service.
- Right to object (Art. 21): you have the right to object to processing based on legitimate interests. If you object, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
- Right to withdraw consent (Art. 7(3)): where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
How to Exercise Your Rights
To exercise any of these rights, contact us at . We will verify your identity and respond to your request within 30 days. If your request is complex or we receive a high volume of requests, we may extend this period by an additional 60 days, in which case we will inform you of the extension within the initial 30-day period.
There is no fee for exercising your rights unless requests are manifestly unfounded or excessive.
10. Cookies
We use only essential cookies required for the Service to function:
- Authentication session cookie (BetterAuth): maintains your authenticated session. This cookie is strictly necessary for the Service to work and does not require consent under Article 5(3) of the ePrivacy Directive.
We do not use:
- Tracking cookies
- Analytics cookies
- Advertising or marketing cookies
- Third-party cookies of any kind
Our anti-bot protection (ALTCHA) is self-hosted and operates via a proof-of-work challenge. It does not set any cookies, does not use fingerprinting, and does not track users across sessions.
Our product usage analytics (Umami, see Section 3.5) is also cookieless — it stores a random identifier in your browser's sessionStorage, which is per-tab and cleared when you close the tab. sessionStorage is not a cookie under the ePrivacy Directive.
Because we use only strictly necessary cookies and our analytics is cookieless, we do not display a cookie consent banner.
11. Children's Privacy
The Service is not intended for use by persons under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a person under 18, we will delete it promptly. If you believe that a child has provided us with personal data, please contact us at so we can take appropriate action.
12. Security Measures
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of all data in transit using TLS 1.2 or higher
- Password hashing using bcrypt (via BetterAuth) — plaintext passwords are never stored
- Rate limiting on authentication endpoints to prevent brute-force attacks
- Proof-of-work anti-bot challenges (ALTCHA) on authentication forms
- Isolated Docker container architecture with restricted inter-service network access
- Regular encrypted backups
- Server access restricted to SSH key-based authentication
For more details about our security practices, see our Security page.
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours in accordance with GDPR Article 33, and will inform affected users without undue delay in accordance with GDPR Article 34.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make changes:
- We will update the "Effective date" at the top of this page.
- For material changes that affect how we collect, use, or share your data, we will notify registered users by email at least 30 days before the changes take effect.
- Your continued use of the Service after the new effective date constitutes acceptance of the updated policy.
- If you do not agree with the changes, you may delete your account before the new policy takes effect.
14. Contact and Complaints
If you have questions, concerns, or requests related to this Privacy Policy or the processing of your personal data, contact us at:
Email:
We aim to resolve all concerns directly. However, if you are located in the European Economic Area and believe that we have not adequately addressed your concern, you have the right to lodge a complaint with your local data protection supervisory authority. You can find the contact details of all EU/EEA data protection authorities at:
European Data Protection Board — Members
For information about our terms and conditions, see our Terms of Service. For information about how WealthNow should and should not be used, see our Disclaimer.