extmoney

Data Processing Agreement

Effective date: 05 Jul 2026 · Last updated: 07 Jul 2026


1. Parties and Scope

This Data Processing Agreement ("DPA") forms part of the Terms & Conditions between the customer ("Customer", the controller) and Zanket operating ExtMoney ("ExtMoney", the processor). It applies where ExtMoney processes personal data on the Customer's behalf in providing the Service. Where ExtMoney is the controller (individual consumer accounts), the Privacy Policy governs instead. If this DPA conflicts with the Terms, this DPA prevails for data-protection matters.

2. Definitions

"Personal data", "processing", "controller", "processor", "sub-processor", "data subject", and "personal data breach" have the meanings in the EU/UK GDPR. "Applicable Data Protection Law" means the GDPR, UK GDPR, Canadian PIPEDA, and Québec Law 25, as applicable.

3. Processing Details

ExtMoney processes personal data only as described in Annex 1 (subject matter, duration, nature and purpose of processing, types of personal data, and categories of data subjects).

4. ExtMoney's Obligations (Art. 28(3) GDPR)

ExtMoney will:

  1. process personal data only on the Customer's documented instructions (including the Terms and this DPA), and inform the Customer if an instruction infringes Applicable Data Protection Law;
  2. ensure persons authorised to process personal data are under an appropriate duty of confidentiality;
  3. implement the technical and organisational security measures in Annex 3 (Art. 32);
  4. respect the conditions in §5 for engaging sub-processors;
  5. assist the Customer, by appropriate measures, to respond to data-subject requests (access, rectification, erasure, restriction, portability, objection);
  6. assist the Customer with security, breach notification, data-protection impact assessments, and prior consultation (Arts. 32–36);
  7. at the Customer's choice, delete or return all personal data on termination and delete existing copies, unless retention is legally required (§8); and
  8. make available information necessary to demonstrate compliance and allow for and contribute to audits (§9).

5. Sub-processors

The Customer gives general authorisation for ExtMoney to engage sub-processors listed in Annex 2. ExtMoney will impose data-protection obligations on each sub-processor equivalent to those in this DPA and remains liable for their performance. ExtMoney will give at least 30 days' advance notice of any intended addition or replacement of a sub-processor, and the Customer may object on reasonable data-protection grounds.

6. International Transfers

Where processing involves transferring personal data outside the EEA/UK to a country without an adequacy decision, the transfer is made under Standard Contractual Clauses (EU Commission / UK IDTA) and/or a valid transfer mechanism, which are incorporated by reference. ExtMoney's primary storage is in the EU (Germany); certain sub-processors operate in the United States (Annex 2).

7. Personal Data Breach

ExtMoney will notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's data, with the information the Customer reasonably needs to meet its own notification duties (GDPR Art. 33; Law 25 CAI notification).

8. Return and Deletion

On expiry or termination of the Service, ExtMoney will delete or return the Customer's personal data as the Customer chooses, within 30 days, except where longer retention is legally required (e.g. tax records). The Customer's own account deletion controls (irreversible hard delete; free export) remain available.

9. Audit

ExtMoney will make available the information necessary to demonstrate compliance with Art. 28 and allow audits (including inspections) by the Customer or an auditor it mandates, on reasonable notice, no more than once per year except where required by a supervisory authority or after a breach, subject to confidentiality and without compromising other customers' security.

10. Liability and Precedence

Each party's liability under this DPA is subject to the limitations of liability in the Terms. Nothing in this DPA limits either party's obligations to data subjects or supervisory authorities under Applicable Data Protection Law.


Annex 1 — Details of Processing

  • Subject matter: provision of the ExtMoney personal-finance service to the Customer.
  • Duration: for the term of the Customer's subscription, plus any legally required retention.
  • Nature and purpose: storing, organising, displaying, backing up, and analysing the financial records the Customer and its authorised users create or import; optional AI features where enabled.
  • Types of personal data: account/identity data (email, name), financial and transaction records, and — where the relevant feature is used — voice recordings, receipt images, usage/device data. No special categories are required; users are asked not to upload them.
  • Categories of data subjects: the Customer's authorised users / team members.

Annex 2 — Approved Sub-processors

As listed in the Privacy Policy (§6), currently including: Hetzner (hosting, EU); Stripe (payments); Apple / Google Play (in-app purchases); AssemblyAI and Google Cloud/Vertex (voice, EU); OpenRouter, Google, OpenAI, Anthropic (receipt OCR / AI insights, US); Google/Firebase (push + mobile analytics); Cloudflare (contact-form anti-spam); Telegram (optional notification delivery). Error monitoring is self-hosted on ExtMoney's own EU infrastructure and is not a sub-processor.

Annex 3 — Technical and Organisational Measures (Art. 32)

Encryption in transit and at rest; hashed passwords; role- and team-scoped access controls with server-side enforcement; least-privilege administrative access; encrypted backups; self-hosted error monitoring with personal-data scrubbing; data minimisation to sub-processors; and prompt deletion of voice/receipt media after processing.