← Back

VELKO

Privacy Policy

Last updated: May 12, 2026

Velko is built by Luca Matea, a solo developer in Romania. This policy explains what data Velko collects, why, and what your rights are — for both Velko Web (the PWA at velkoapp.me) and Velko Mobile (the iOS and Android apps).

We aim for plain language over legal boilerplate. If anything here is unclear, email us at support@velkoapp.me.

Two products, two privacy stories

Velko comes in two flavors. The web app is local-only — your data never leaves your device. The mobile app uses a private account so you can sync between devices. The rest of this policy mostly covers the mobile app; the web app collects nothing.
If you use both, the data each one holds is separate. The web app does not share data with the mobile app, and vice versa.

What we collect — Velko Web

Nothing. No analytics, no cookies, no accounts.
The web app stores your transactions, categories, and settings in your browser's IndexedDB. If you clear browser data or uninstall the PWA, your transactions are deleted along with it — we have no copy and cannot recover it.

What we collect — Velko Mobile

To sign you in and sync your data, the mobile app collects:
  • Account email — used only to sign you in. Stored encrypted at rest on our servers.
  • Transaction data — amounts, categories, notes, dates, and (optionally) mood tags you add. Stored in your private database row.
  • Usage analytics (opt-in only) — if you opt in during onboarding, we collect anonymous events like "transaction added" or "settings opened." We never collect the contents of your transactions (no amounts, no notes, no descriptions). You can change your mind anytime in Settings.

Who we share data with

Velko Mobile relies on a few third-party services to function:
  • Supabase — stores your account and data (EU region). Row-level security ensures no other user can read your data. Privacy policy.
  • PowerSync — syncs your data between your device and Supabase in the background. Privacy policy.
  • RevenueCat (when subscriptions launch) — handles subscription status. We never see your card details. Privacy policy.
  • PostHog (only if you opt in) — receives anonymous usage events. EU-hosted. Privacy policy.
  • Apple / Google — handle payment and subscription billing if you subscribe to Velko Pro.

What we do not do

  • We do not sell your data.
  • We do not share data with advertisers.
  • We do not train AI models on your data.
  • We do not access your transactions for support or any other reason unless you explicitly share them with us (e.g. by emailing an exported file).

Why we collect this

  • Account email lets you sign in across devices and recover access if you change phones.
  • Transaction data is the actual product — it has to live somewhere to sync.
  • Opt-in analytics tells us which features get used and where bugs happen, so we can prioritize fixes. Never linked to your identity.

How long we keep your data

  • Web: as long as you keep it on your device. We have no copy.
  • Mobile: until you delete your account. Tap Settings → Delete Account and your data is removed from our active systems within 30 days. Backups roll off within 90 days. After that, nothing remains.

Your rights (GDPR)

You have the right to:
  • Access — tap Settings → Export Data to download your transactions as JSON.
  • Correction — edit or delete any transaction directly in the app.
  • Deletion — Settings → Delete Account permanently removes everything.
  • Objection — toggle optional analytics off in Settings any time.
  • Portability — the export is JSON, so you can move it anywhere.
  • Complaint — lodge one with your local data protection authority. In Romania, that's ANSPDCP.

Children

Velko isn't intended for users under 16. We don't knowingly collect data from anyone under 16. If you believe a child has signed up, email support@velkoapp.me and we'll delete the account.

Where your data lives

Velko Mobile data is stored in EU regions (Supabase EU, PostHog EU). If this changes in the future, we'll update this page and notify mobile users.

Security

  • All connections use HTTPS.
  • Supabase encrypts data at rest and in transit.
  • Row-level security means even other Velko users cannot read your data — only your authenticated session can.

Changes to this policy

If we change anything material — adding a new third-party service, changing what we collect — we'll update the "Last updated" date above and tell mobile users on next launch. We won't apply changes retroactively to data already deleted.

Contact

Email: support@velkoapp.me
Operator: Luca Matea, Romania
For GDPR or data-subject requests, use the same email — we'll respond within 30 days.