Privacy Policy

Last updated: March 2026

1. Overview

Protecting your personal data is a core priority. This Privacy Policy explains what data we collect when you use WonderFunds, how we process it, and what rights you have.

WonderFunds is a privacy-first personal finance management service. We do not connect to bank accounts, we delete uploaded raw files after processing, and we encrypt financial data using a DEK/KEK scheme that prevents linking data to your identity even in the event of a database breach.

2. Data Controller

The data controller within the meaning of the GDPR is:

SKAJ Ventures GmbH
Sonnenlandstraße 4
14471 Potsdam
Germany

Managing Director: Stefan Köhn
Email: datenschutz@wonderfunds.app

3. Data We Collect

We collect and process the following categories of personal data:

Data Category | Examples | Purpose
Account data | Name, email address, hashed password | Authentication, account management
Financial data | Transactions (merchant, amount, date), categories, tags | Core service functionality
Usage data | Page views, feature usage, device type | Service improvement
Payment data | Subscription status, billing history (via Stripe) | Subscription management

We do not collect bank account numbers, PINs, TANs, or any other banking credentials.

4. Legal Basis for Processing

We process your data based on the following legal grounds under the GDPR:

  • Art. 6(1)(b) GDPR — Contract performance: Processing account and financial data to provide the Service.
  • Art. 6(1)(a) GDPR — Consent: Processing data through AI-powered features when you actively use them.
  • Art. 6(1)(f) GDPR — Legitimate interest: Creating anonymized, aggregate statistics; improving the Service; fraud and abuse prevention.
  • Art. 6(1)(c) GDPR — Legal obligation: Retention of billing data in accordance with tax regulations.

5. Account Data and Authentication

During registration, we collect your name, email address, and a password. The password is stored exclusively as a bcrypt hash — we never have access to your plaintext password.

Authentication is handled via NextAuth v5 with JWT-based session management. You can optionally enable two-factor authentication (TOTP or email OTP).

Your email address is used for:

  • Login and account recovery
  • Email verification
  • Notifications about contract changes (e.g., Terms updates)
  • Optional product notifications (can be unsubscribed)

6. Financial Data and Encryption

Your financial data (transactions, categories, rules) is not directly linked to your user account. Instead, we use a pseudonymous token (userDataToken) protected by a DEK/KEK encryption scheme:

  • Each user receives an individual Data Encryption Key (DEK).
  • The DEK is stored encrypted with a Key Encryption Key (KEK).
  • Financial data and user identity are separated in the database — even in a breach, no association is possible.

We store only: merchant names, amounts, dates, categories, and tags. No account numbers, IBANs, or other account identifiers.

7. File Upload and Processing

When you upload a file (CSV or PDF), the following happens:

  1. The file is temporarily stored on the server.
  2. Transactions are extracted and added to your encrypted financial data.
  3. The original file is permanently deleted — we do not store bank statements.

This process ensures that sensitive banking documents do not remain on our servers.

8. AI-Powered Processing

WonderFunds uses artificial intelligence for:

  • Automatic transaction categorization based on merchant patterns
  • Recurring payment detection
  • Spending insight generation

AI processing is user-specific. Your data is not mixed with other users' data or used to train general AI models. The AI learns exclusively from your own corrections and rules.

AI-generated results are not shared with third parties and are not used for advertising purposes.

9. Cookies and Local Storage

WonderFunds uses only strictly necessary cookies:

Cookie | Purpose | Duration
Session cookie | Authentication (JWT) | Session / max. 30 days
Locale cookie | Language preference (en/de) | 1 year

We do not use tracking cookies, third-party analytics cookies, or advertising cookies.

10. Third Parties and Data Processors

We use the following third-party services:

Provider | Purpose | Data | Location
Vercel | Hosting and serving the web application | IP address, request data | EU (Frankfurt)
PostgreSQL hosting | Database operations | Encrypted account and financial data | EU (Frankfurt)
Stripe | Payment processing | Email, subscription status, payment method | EU (Ireland)

Data processing agreements pursuant to Art. 28 GDPR are in place with all processors. No personal data is transferred to countries outside the EU.

11. Data Storage Location

All personal data is processed and stored on servers in the European Union, primarily in Frankfurt am Main, Germany.

No data is transferred to countries outside the European Economic Area (EEA).

12. Data Retention

We retain your data only as long as necessary for the respective purpose:

Data Type | Retention Period
Account data | Until account deletion
Financial data (transactions, categories) | Until account deletion
Uploaded files | Deleted immediately after processing
Billing data | 10 years (statutory retention obligation per § 147 AO)
Server logs | Max. 30 days

Upon account deletion, all data — including encryption keys — is permanently and irreversibly deleted. Billing data is retained in accordance with statutory requirements.

13. Your Rights

Under the GDPR, you have the following rights:

  • Right of access (Art. 15 GDPR) — You can request information about the data we process.
  • Right to rectification (Art. 16 GDPR) — You can request correction of inaccurate data.
  • Right to erasure (Art. 17 GDPR) — You can request deletion of your data. You can do this yourself via Settings → Delete Account.
  • Right to restriction (Art. 18 GDPR) — You can request restriction of processing.
  • Right to data portability (Art. 20 GDPR) — You can export your data in a machine-readable format (CSV export in Settings).
  • Right to object (Art. 21 GDPR) — You can object to processing based on legitimate interests.
  • Right to lodge a complaint — You have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for us is the State Commissioner for Data Protection and the Right to Inspect Files of Brandenburg.

14. Minimum Age

WonderFunds is intended for persons aged 18 and older. We do not knowingly collect personal data from minors. If we become aware that a minor has created an account, we will promptly delete the account and associated data.

15. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy as needed, particularly when the Service or legal requirements change. Material changes will be communicated to you via email or a notice within the Service.

The current version is always available at wonderfunds.app/privacy.

16. Contact

For questions about data protection or to exercise your rights, please contact:

SKAJ Ventures GmbH
Sonnenlandstraße 4
14471 Potsdam
Email: datenschutz@wonderfunds.app

This Privacy Policy was last updated in March 2026. For questions, please contact datenschutz@wonderfunds.app.