1. Who we are
Hustlay ("we", "us", "our") is a software-as-a-service product operated independently. For contact and legal entity details see the Impressum. Our contact email for privacy matters is privacy@hustlay.com.
2. What data we collect
Account data: Email address, hashed password, and optional display name when you create an account.
Financial data you enter: Transactions, invoices, project names, expense amounts, time entries — all data you manually input into the app. This data is stored in your account and is never sold or shared with third parties.
Usage data: Page views, feature interactions, and error events collected via PostHog (self-hosted analytics) and Sentry (error tracking). This data is used solely to improve the product.
Payment data: Billing is handled by Stripe. We never store full card numbers. Stripe's privacy policy governs payment data.
Receipt images: If you use the AI receipt scanning feature, uploaded images are processed by Google's Gemini API and then stored in Supabase Storage. We do not use your receipt data to train models.
3. Legal basis for processing (GDPR)
For users in the European Economic Area, we process your data on the following legal bases: (a) contract performance — to deliver the service you signed up for; (b) legitimate interests — product analytics and fraud prevention; (c) consent — for marketing emails, which you can withdraw at any time.
4. Data retention
Account and financial data is retained for the duration of your account plus 90 days after deletion, after which it is permanently deleted from all systems. You can request immediate deletion by emailing privacy@hustlay.com.
5. Your rights
You have the right to access, correct, export, or delete your personal data at any time. EU/EEA users additionally have rights under GDPR including the right to data portability and the right to object to processing. Contact us at privacy@hustlay.com to exercise any of these rights.
6. Third-party services
We use the following sub-processors: Supabase (database and storage, EU region), Stripe (payments), Resend (transactional email), PostHog (analytics), Sentry (error tracking), Google Gemini API (receipt OCR on Pro/Business plans).
7. Cookies
We use a session cookie for authentication and a single preference cookie for theme (light/dark). We do not use third-party advertising cookies or tracking pixels.
8. Changes to this policy
We will notify active users by email of any material changes to this Privacy Policy at least 14 days before they take effect. The "last updated" date at the top of this page reflects the most recent revision.