Privacy Policy.

How GoodBreach Technologies Ltd collects, uses, and protects your personal data.

Effective Date: 14 May 2026

Section 1

Introduction

GoodBreach Technologies Ltd ("we", "our", or "us") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use the GoodBreach mobile application and related services (together, the "Services").

We operate in partnership with Finexer Limited, a regulated Account Information Service Provider (AISP) under PSD2. PSD2 Article 4(30) defines an AISP as "a payment service provider providing online account information services that provide consolidated information on one or more payment accounts held by a payment service user." Finexer holds the regulated AISP license under the FCA, enabling GoodBreach to access your transaction data securely and lawfully.

GoodBreach is committed to ensuring privacy, transparency, and user trust are foundational to how we design and deliver our Services. We comply with UK GDPR, the Data Protection Act 2018, and FCA Consumer Duty requirements. If you have questions about this policy, please contact us at founder@goodbreach.com.

Section 2

Key Privacy Principles

Transparency: We are clear about what data we collect and why.
User Control: You retain full control over your data and can withdraw consent at any time.
Protection: We use industry-standard security to protect your information.
Consumer Duty Aligned: Our data practices support proactive harm prevention.

Section 3

Data We Collect

A. Information You Provide Directly

Account details: Name, email address, phone number, and secure password
Profile information: Photo, username, savings goals, and preferences
Feedback: Responses to in-app surveys, user testing, and support inquiries

B. Information Accessed via Open Banking

When you connect your bank account through our regulated Open Banking partner (Finexer), we securely access:

Account balance and transaction history
Merchant information and spending categories
Frequency and amount of discretionary spending

This data is used solely to identify behavioral patterns, deliver personalized savings guidance, and provide financial insights. We do NOT initiate, authorize, or execute any transactions on your behalf.

C. Automatically Collected Data

We automatically collect limited behavioral data through the GoodBreach mobile application:

Device identifiers and IP address
App usage metrics: Feature interactions, session duration, and timestamps
Behavioral analytics: Which nudges you engage with, which savings goals you interact with
Crash and error logs: To identify and fix technical issues

We do NOT collect special category data (health, biometric, or philosophical belief information). We also do NOT use location tracking or persistent device identifiers.

Section 4

How We Use Your Data

We process your personal data to:

Deliver behavioral intercepts: Provide timely, personalized reminders of your savings goals
Generate financial insights: Identify spending patterns and savings opportunities
Measure intervention effectiveness: Track which nudges help you achieve your goals
Enable community features: Allow you to participate in challenges and view aggregated community progress
Communicate updates: Send notifications about product improvements and feedback opportunities
Ensure compliance: Meet regulatory obligations and prevent misuse

We will NEVER sell, rent, or trade your personal information to third parties.

Section 5

Legal Bases for Processing

We process personal data under the following legal bases:

Consent

You explicitly consent to connect your bank account, share spending data, and receive personalized behavioral guidance. You can withdraw this consent anytime.

Contractual Necessity

We process your data to provide the Services you signed up for, including account management and goal tracking.

Legitimate Interest

We have a legitimate interest in operating, improving, and securing the platform, and in understanding how users interact with our services.

Legal Obligation

We process data to comply with UK regulatory requirements, including Anti-Money Laundering (AML) and Know Your Customer (KYC) obligations under the Money Laundering Regulations 2017. These obligations require us to verify your identity and monitor your account for suspicious activity. Records related to AML/KYC compliance are retained for 7 years after account closure.

Section 6

Data Sharing

We share your data only when necessary and under strict confidentiality agreements with:

Our Open Banking Partner: Finexer Limited

Finexer is our regulated AISP. We share your Open Banking consent records and transaction data only for the purpose of retrieving your account and transaction information. Finexer operates under PSD2 and is regulated by the FCA.

Cloud Infrastructure Providers

Amazon Web Services (AWS) securely hosts our encrypted data. All data is encrypted in transit (TLS 1.3) and at rest (AES-256-GCM encryption). AWS operates data centers in the UK and EU.

Analytics & Monitoring Services

Sentry, PostHog, and Firebase receive hashed, anonymized usage data to help us improve platform performance. No personally identifiable information is shared with these services.

All partners are required to comply with UK GDPR and execute Data Processing Agreements (DPAs) with us.

Section 7

Data Retention

We retain your data only as long as necessary to:

Operate your account and deliver personalized services
Comply with regulatory obligations, including AML/KYC (up to 7 years)
Resolve disputes and prevent fraud

Specific Retention Periods

Raw transaction data from Open Banking: Retained for 90 days, then anonymized for trending purposes
Account registration data: Retained while your account is active
Behavioral effectiveness scores: Anonymized and retained indefinitely for product improvement
AML/KYC records: Retained for 7 years after account closure (regulatory requirement)

Section 8

Your Data Protection Rights

Under UK GDPR, you have the right to:

Right of Access

Request a copy of your personal data and learn how we use it.

Right to Rectification

Request correction of inaccurate or incomplete data.

Right to Erasure

Request deletion of your data ("right to be forgotten"), except where we have legal obligations to retain it.

Right to Restrict Processing

Ask us to limit how we use your data while we address your concerns.

Right to Data Portability

Request your data in a portable format so you can transfer it to another service.

Right to Object

Object to our processing of your data based on legitimate interest.

Right to Withdraw Consent

Withdraw your consent to Open Banking data sharing anytime. You can do this in the app under Settings > Data Privacy > Manage Permissions.

To exercise any of these rights, contact us at founder@goodbreach.com. We will respond within 30 days.

Section 9

Security Measures

We implement technical and organizational safeguards to protect your data:

Encryption in Transit: All data transmitted to GoodBreach is protected using TLS 1.3, the highest security standard for data in transit
Encryption at Rest: All stored data is encrypted using AES-256-GCM, military-grade encryption
Access Controls: Role-based access; only authorized staff can access personal data on a need-to-know basis
Multi-Factor Authentication (MFA): Required for all staff accessing data systems
Continuous Security Monitoring: Real-time monitoring via AWS CloudTrail to detect unauthorized access attempts
Regular Penetration Testing: Security audits and penetration testing conducted quarterly by external security specialists
AWS WAF (Web Application Firewall): Protects against common web vulnerabilities and DDoS attacks

However, no system is completely secure. We cannot guarantee absolute security, but we are committed to maintaining industry-standard protections.

Section 10

Data Breach Notification

If we discover a data breach that affects your personal information, we will:

Notify the Information Commissioner's Office (ICO) within 72 hours (as required by UK GDPR Article 33)
Notify you directly if the breach is likely to result in high risk to your rights and freedoms
Investigate the breach, implement remedial measures, and provide updates on the resolution

Section 11

International Data Transfers

We primarily store and process your data within the United Kingdom and European Economic Area (EEA). When international transfers occur:

We use Standard Contractual Clauses (SCCs) to ensure adequate protections
Data is encrypted in transit and at rest
Access is restricted to essential personnel on a need-to-know basis

Section 12

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will:

Post the updated policy on our website
Update the "Effective Date" at the top of this policy
Request your consent if required by law

Your continued use of GoodBreach after policy updates constitutes your acceptance of the changes.

Section 13

Contact Us

If you have questions about this Privacy Policy or how we handle your data, please contact us:

Email: founder@goodbreach.com
Address: 943, 12 Baltimore Wharf, E14 9FG, London, UK

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at https://ico.org.uk.