Last updated · 23 May 2026 (describe AI auto-matching of bank transactions and the per-household opt-out)
Privacy Policy
This policy explains what personal data Kronero collects, why we collect it, who else handles it on our behalf, and the rights you have over it. We try to write it the way we'd want to read it — plainly, with the specifics you actually need.
1. Who we are
Kronero is operated by Athlegan AB, a Swedish limited company (aktiebolag), org.nr 559259-0318, with its registered address at Kvällsvägen 2, 146 31 Tullinge, Sweden. For all matters related to this policy or your data, contact us at support@kronero.com.
We are the data controller for the personal data described below. We are based in Sweden, and our processing is governed by the EU General Data Protection Regulation (GDPR), the Swedish Data Protection Act (lag 2018:218), and the Swedish Electronic Communications Act (lag 2022:482).
2. The short version
- We collect only what we need to run a personal-finance service: your email, the data you enter into your plan, and a small amount of analytics about how you use the site.
- We do not sell your data, and we do not use it to train AI models.
- If you accept cookies, we also load Meta and Google advertising tags so we can show you Kronero ads on Facebook, Instagram, Google Search, and the Google Display Network. We never send your account email, name, or financial data to those providers.
- Analytics and advertising cookies fire only after you accept the cookie banner. You can decline and still use the site.
- You can ask for a copy of your data, or for it to be deleted, at any time by emailing support@kronero.com.
3. What we collect, why, and on what legal basis
Under GDPR Article 6, every piece of processing needs a legal basis. Here is ours, broken down by activity:
| Data | Purpose | Legal basis |
|---|---|---|
| Email address (account, waiting list) | Create and authenticate your account; deliver the magic-link login; tell you when a beta spot opens up | Performance of a contract (Art. 6(1)(b)); pre-contractual measures for waiting-list signups |
| Display name, timezone, voice preference | Personalise the app, render the daily report at the right time, write reports in the tone you chose | Performance of a contract |
| Financial data you enter (balance, buffer, bills, expenses, incomes, bank-account names, imported transactions) | Operate the planning, tracking, and projection features that make up the service | Performance of a contract |
| Bank-account link metadata you initiate (chosen bank, aggregator session reference, account names and IBANs returned by the aggregator, periodically refreshed balances and transactions) | When you choose to connect a bank, our PSD2-licensed aggregator (Enable Banking Oy) reads the accounts you authorise so balances and transactions sync automatically. We never see or store your online-banking credentials — those are entered on your bank's own consent screen. | Performance of a contract; you can delete a connected account at any time from the Accounts page. The underlying bank consent itself expires automatically after 90 days and can also be revoked at any time from your bank's own app. |
| Daily prompts, daily reports, AI-generated narrative | Send the emails you have opted into; preserve continuity from one day's report to the next | Performance of a contract; you can disable email prompts, email reports, and the AI-generated narrative independently in your profile |
| Anonymous visitor identifier, page views, button clicks, A/B-test variant exposure | Understand how the site is used and which copy works, so we can improve it | Consent (Art. 6(1)(a)) — fires only after you accept the cookie banner |
| First-touch attribution (UTM parameters, referrer, landing path) | Measure which channels send us users, so we know where to invest | Consent |
| Advertising-platform cookies (Meta Pixel, Google Ads remarketing tag) | Build retargeting audiences so we can show you Kronero ads on Facebook, Instagram, Google Search, and the Google Display Network; measure which ads led to signups | Consent — fires only after you accept the cookie banner; withdrawable at any time |
| Newsletter subscription | Send the Kronero newsletter when you have opted in | Consent — withdrawable at any time via the unsubscribe link |
| Operational logs (HTTP method, path, status, duration, error fingerprints) | Debug failures, monitor service health, defend against abuse | Legitimate interest (Art. 6(1)(f)) — see "Our legitimate-interest balancing" below for the necessity, proportionality, and impact assessment we relied on. |
| Free-text input (waiting-list note, voice instructions, expense and bill names) | Whatever you wrote it for — we use it as you intended | Performance of a contract; consent for the waiting-list note (which is optional) |
We do not engage in solely automated decision-making with legal or similarly significant effects on you, and we do not collect any of the special categories of data listed in GDPR Article 9 (health, beliefs, biometrics, etc.).
4. Cookies and similar technologies
Kronero uses a single browser cookie, and only after you click Accept on the cookie banner. The cookie is encrypted and signed (AES-GCM), but we want to be clear that it is not "small": it bundles several pieces of state that the application needs to function.
| Name | What it contains | Lifetime | Flags |
|---|---|---|---|
| session | | Up to 2 years for the cookie itself; the authentication portion expires after 30 days of inactivity | HttpOnly, Secure, SameSite=Lax, AES-GCM encrypted |
Until you accept the banner, we set no cookie at all, we do not run any analytics or marketing scripts, and we do not load any third-party tags. Network requests to our advertising and analytics sub-processors begin only after you click Accept.
Advertising and retargeting tags
When you accept cookies, we load two third-party advertising tags. Each one sets its own cookies in your browser (under its own domain) and uses them to recognise you across visits, so we can show you ads on the advertising platform that referred you. Both are gated entirely by your consent — withdrawing it stops the tags from loading on subsequent page views.
| Tag | Set by | Purpose | Typical cookies |
|---|---|---|---|
| Meta Pixel | Meta Platforms Ireland Limited | Build Facebook/Instagram retargeting audiences; measure conversions from Meta ads | _fbp (browser pixel ID, ~3 months); _fbc (click identifier when you arrive from a Meta ad, ~3 months) |
| Google Ads remarketing tag | Google Ireland Limited | Build retargeting audiences for Google Search and the Display Network; measure conversions from Google Ads | _gcl_au, _gcl_aw, IDE, and other Google advertising cookies (typically 90 days) |
Both providers receive the page URL you are viewing, your IP address, your browser's user agent, and (for Meta) the cookie identifiers above when the tag fires. There is one form-submission exception: when you submit the public waiting-list form, our server additionally sends Meta a one-way SHA-256 hash of the email you typed, so the conversion can be matched to a Meta ad. The email itself is never transmitted in cleartext. We do not send either provider your name, your financial figures, or any data you have entered into the app.
If you would prefer to opt out of advertising tags only, you can decline cookies at the banner — the rest of the service remains fully available. You can also reset your choice from your browser at any time (clearing site cookies for kronero.com), which will re-show the banner on your next visit.
5. Who else handles your data (sub-processors)
Running Kronero requires a small set of trusted service providers. We share only what each one needs for its job, and we have data-processing agreements in place with each. Current sub-processors:
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Fly.io, Inc. | Application hosting and managed PostgreSQL | All data (encrypted at rest) | Stockholm region (arn). Provider US-headquartered. |
| Resend (Resend, Inc.) | Transactional email (login links, invitations, daily reports) | Recipient email and message contents — for daily reports, this includes your display name and a financial narrative | United States |
| OpenAI, L.L.C. | Generate the prose of your daily report, and — when your household has accepted auto-matching — map newly imported bank transactions to the bills and expenses you have logged | For report narration: display name, household name, plan figures (balance, buffer, daily plan, prior-period spending), your voice instructions, and the previous day's generated report for continuity. For transaction auto-matching: bank-statement descriptions and rounded amounts of newly imported transactions, plus the names, amounts, and (if you wrote any) notes of your unfulfilled bills and currently-due expenses. Names and descriptions are JSON-escaped before being sent so user-supplied text cannot be interpreted as instructions by the model. | United States. See "How we use AI" below for retention and training details. |
| Mixpanel, Inc. | Product analytics | Visitor identifier, page views, event properties; on login, your user ID, name, and email. IP addresses are stripped before storage. | EU residency (Frankfurt). Provider US-headquartered. |
| MailerLite (UAB MailerLite) | Newsletter list management — only if you opt into the newsletter | Email, display name, and (for waiting-list signups) the optional note you wrote | European Union (Vilnius, Lithuania) |
| Meta Platforms Ireland Limited | Retargeting audiences and conversion measurement on Facebook and Instagram — only after you accept cookies | Page URL, IP address, user agent, and the Meta-issued cookie identifiers (_fbp, _fbc). When you submit the waiting-list form, we additionally send Meta a one-way SHA-256 hash of the email you typed so the conversion can be matched to a Meta ad — the email itself is never transmitted in cleartext, and no name or financial data is shared. | European Union (Meta's EU controller); onward transfer to Meta Platforms, Inc. in the United States |
| Google Ireland Limited | Retargeting audiences and conversion measurement on Google Search and the Display Network — only after you accept cookies | Page URL, IP address, user agent, and Google-issued advertising cookie identifiers. No account email, name, or financial data. | European Union (Google's EU controller); onward transfer to Google LLC in the United States |
| Enable Banking Oy | PSD2 account-information service — only when you initiate a bank connection from the Accounts page. Enable Banking is a regulated AISP (authorised by the Finnish Financial Supervisory Authority, Finanssivalvonta) and acts as our sub-processor for fetching balances and transactions from your bank on your behalf. | When you click "Connect a bank" we redirect you to Enable Banking, which then redirects you to your bank's consent screen — your credentials are entered there, never at Kronero or Enable Banking. After consent we receive the accounts you authorised, their balances, and their transactions. We do not share your Kronero email, name, or any other Kronero data with Enable Banking; the link is identified by an aggregator-issued session reference only. | European Union (Helsinki, Finland) |
Internal operational alerting may also send error metadata to a self-hosted notification topic (ntfy.sh) and an operator alert mailbox; these channels do not receive your routine activity, only failures that need an engineer's attention.
6. How we use AI
We use a large language model hosted by OpenAI for two distinct purposes, each with its own opt-out:
Daily report narration. Daily reports are written by the model. To produce one report, we send OpenAI a templated prompt containing your display name, household name, plan figures (balance, buffer, daily plan, spending vs plan over the prior period), the voice/tone instructions you have set, and the previous day's generated report for narrative continuity. The narration prompt itself does not include transaction-level data.
Auto-matching of bank transactions. If your household has connected one or more bank accounts via Enable Banking and the household manager has left auto-matching enabled in the Manage tab (it is on by default), once per day we send OpenAI a separate prompt asking it to match newly imported transactions to the unfulfilled bills and currently due expenses you have logged. That prompt contains the bank-statement descriptions and rounded amounts of new transactions plus the names, amounts, and notes of those bills and expenses. We do not send your name, household name, account numbers, balances, plan figures, or any voice or continuity context in this prompt — it is scoped to the matching task only.
OpenAI processes data from both prompts under the same API terms, which we rely on as follows:
- No model training. OpenAI is contractually committed not to train its models on data sent through the API. We have not opted into any data-sharing programmes.
- Retention at OpenAI. Under OpenAI's default API policy, inputs and outputs are retained for up to 30 days for abuse and misuse monitoring, then deleted (subject to legal hold). There is no API parameter to shorten this — it is a binary choice between the 30-day default and a "Zero Data Retention" arrangement.
- Zero Data Retention (ZDR). We have applied for ZDR with OpenAI. Once active, OpenAI does not store inputs or outputs at all and the 30-day abuse-monitoring window does not apply. Until the policy version below is updated to confirm active ZDR, assume the 30-day default.
- Internal storage of narration output. We persist the model's daily-report response (subject and body) in our own database, in a daily_reports row. The next day's prompt re-uses that response as continuity context, and the row also lets you read your own past reports. We do not persist the narration prompt itself — only the model's reply. Both subject and body are deleted on account deletion.
- Internal storage of matching output. The model's transaction-matching reply is parsed into rows on a transaction_matchings table that link a transaction to the bill or expense it most likely paid, together with the confidence the model assigned. This audit lets you see which transaction was credited to which bill, and stops us re-sending the same transaction to OpenAI on subsequent days. These rows are deleted when the underlying bank transaction is deleted (which happens on account deletion).
- What we never send. Account passwords, contact-form messages, and the contents of password-protected fields are never sent to OpenAI. Bank-statement descriptions, transaction amounts, and bill/expense metadata are sent only for transaction auto-matching, only when the household has not opted out, and only for the transactions that have not already been considered.
You have two independent opt-outs:
- Opt out of report narration by turning off "Receive AI-generated insights" on your Notifications settings. Your daily reports keep arriving with the deterministic plan summary, and your name, voice instructions, and personalised continuity context stop being sent to OpenAI. Shared household figures (balance, buffer, daily plan, prior-period spending) may still appear in reports generated for household co-members who have not opted out, since those reports are written about their view of the same household.
- Opt out of transaction auto-matching by turning off "Send transactions to OpenAI for daily auto-matching" on the household's Manage tab. The morning bank sync still runs (so balances and transactions still flow into Kronero), but no transaction data leaves Kronero for OpenAI. Any household manager can flip this setting and it applies to everyone in the household. The two opt-outs are independent — turning either one off does not automatically turn the other off.
7. Transfers outside the EU/EEA
Several of the providers listed above are headquartered in the United States. Where personal data is transferred to the US, we rely on:
- The EU–US Data Privacy Framework adequacy decision (Commission Implementing Decision (EU) 2023/1795), where the provider is certified under the framework; and
- The European Commission's Standard Contractual Clauses (Module 2, Decision (EU) 2021/914) as a fallback, supplemented by the technical and organisational measures each provider documents in its data-processing addendum.
You can request a copy of the relevant transfer mechanism at support@kronero.com.
8. How long we keep your data
We keep personal data only as long as we have a clear reason to. Concrete timeframes per category:
- Account data — kept while your account is active. If you ask us to delete your account, we remove your personal data from our database within 30 days; encrypted backups expire on their own rolling schedule (no longer than 30 days after deletion).
- Inactive accounts — if you do not log in for 24 months, we delete the account and its data on the same terms as a user-requested deletion. Before we do, you receive four reminder emails in the run-up to deletion: 2 months, 1 month, 1 week, and 1 day before the scheduled date. Logging in at any point during the cadence resets the clock and cancels the deletion — no need to reply to the email or click anything in it beyond the login link.
- Waiting-list signups — kept until you ask us to remove you, or until we have invited you and you have created an account. If we have not been able to invite you within 24 months of signup, we delete your prospect record. We send a single reminder email 30 days before that deletion so you have a chance to ask for an invitation if you still want one.
- Authentication tokens (magic links, invitation links, email-change confirmations) — expire automatically (15 minutes for magic links, 24 hours for email confirmations, 7 days for invitations) and are marked used on first consumption.
- Daily reports and plan history — retained for the lifetime of your account so you can review your own history. Removed on account deletion.
- Bank transactions — retained for the lifetime of the bank account in your household, whether they arrive through the Enable Banking aggregator sync or a CSV export you upload yourself. We never see your online-banking credentials in either path: aggregator consent is granted on your bank's own screen, and CSV uploads are parsed contents only.
- Operational logs — retained for up to 30 days, then deleted.
- Analytics events (Mixpanel) — retained at Mixpanel for the duration set by Mixpanel's free-plan default. Our project is on Mixpanel's free tier, which does not expose the configurable retention setting available on paid tiers; we will shorten retention when we move to a plan that allows it. Regardless of the platform-wide retention window, when you delete your account we issue a Mixpanel deletion request keyed to your user identifier (Mixpanel "Right to Erasure" API); Mixpanel completes the deletion within 30 days and removes your historical events from their store independently of the standard retention window.
9. Our legitimate-interest balancing
Three of our processing activities rely on legitimate interest (GDPR Art. 6(1)(f)) rather than your consent or a contractual necessity: operational logs, security telemetry, and the operator-alert pipeline that routes warnings and errors to us. Article 6(1)(f) requires us to balance our interest against your rights and freedoms; here is the balance we drew, in plain terms:
- Necessity. Without operational logs we cannot diagnose failures, monitor service availability, defend against abuse and credential-stuffing, or meet our obligations under GDPR Article 32 (security of processing). There is no realistic less-intrusive alternative — we have to know what the application did when something goes wrong.
- Proportionality. The data we log is operational metadata, not personal interaction. The HTTP request log records method, path, status code, and request duration — nothing else. Application-layer errors and warnings may also include a user ID and a short error fingerprint so that a failed action can be traced. We do not log request bodies, IP addresses, your financial figures, or any of your free-text input. Logs are retained for 30 days and then deleted.
- Impact on you. The processing has minimal impact on your privacy: it does not profile you, draw inferences about you, build a behavioural picture of you, or share data with third parties for advertising. It exists only to keep the service working and secure for you and other users.
- Your right to object. You have an unconditional right under Article 21 to object to legitimate-interest processing. Email support@kronero.com; we will assess your objection on the merits and either stop the processing for you or explain in writing why our interest overrides yours. While we assess, we will mark your data as restricted and not use it for the disputed purpose.
10. Your rights
Under GDPR Articles 15–22, you have the right to:
- Access — get a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data. Most account data is editable directly in the app under Profile.
- Erasure — ask us to delete your data ("right to be forgotten"). We will, unless we are required to retain something for a legal obligation.
- Restriction — ask us to pause processing while we investigate a concern.
- Portability — receive your data in a structured, machine-readable format, or have it sent directly to another controller where technically feasible.
- Object — object to processing based on legitimate interests (such as our operational logs).
- Withdraw consent — at any time, for any processing based on consent (cookies, newsletter). Withdrawal does not affect processing that already happened.
To exercise any of these rights, email support@kronero.com from the address associated with your account. We will respond within 30 days (longer only in genuinely complex cases, in which case we will tell you why and when to expect a reply).
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Swedish data protection authority, Integritetsskyddsmyndigheten (IMY), at imy.se. You may also contact the supervisory authority in your country of residence within the EU/EEA.
11. Security
Kronero uses encryption in transit (TLS) for every connection and encryption at rest for the database. Session cookies are encrypted with AES-GCM and signed. Passwords (when used) are hashed with bcrypt. Access to production systems is limited to the operator and protected by multi-factor authentication. We document our processors and review them periodically.
No system is perfectly secure. If we ever discover a personal data breach that is likely to result in a risk to your rights, we will notify the Swedish data protection authority within 72 hours and you without undue delay, in line with GDPR Articles 33 and 34.
12. Children
Kronero is not directed at children. We do not knowingly collect data from anyone under 16. If you believe a child has signed up, please contact us at support@kronero.com and we will delete the account.
13. Changes to this policy
We may update this policy from time to time — for example, when we add a new sub-processor, change a feature, or clarify wording. The Last updated date at the top of the page reflects the current version. For material changes (a new processor, a new purpose, a new legal basis), we will notify you in the app or by email before the change takes effect.
14. Contact
Questions, requests, or concerns about your data:
support@kronero.com