Privacy Policy
Last updated · April 22, 2026
Ramnn ("Ramnn", "we", "us", or "our") operates the website ramnn.com and the accompanying web application at app.ramnn.com (together, the "Service"). The Service is a personal finance platform that helps you connect your bank accounts, track spending, monitor investments, and plan budgets.
Because we work with sensitive financial information, we take privacy seriously. This Policy explains what we collect, why we collect it, who we share it with, and the rights you have over your data. By using the Service, you agree to this Policy and to our Terms of Service.
Who we are
Ramnn is the data controller for the personal information processed through the Service. If you are based in the European Economic Area (EEA) or the United Kingdom, you can reach our privacy team at privacy@ramnn.com.
What we collect
We only collect what is necessary to run the Service. Data falls into the following categories:
| Category | What it includes | Source |
|---|---|---|
| Identity | Name, email, profile picture, preferred language, timezone, country, and base currency. | You and Google (when you sign in). |
| Authentication | OAuth tokens, session tokens, IP address, and user-agent string associated with each login. | Collected automatically when you sign in. |
| Banking data | Connected institutions, account names, balances, IBAN or masked account references, and transactions (date, amount, currency, counterparty, description). | Retrieved from your bank through Enable Banking (see Subprocessors). |
| Portfolio & investments | Holdings, trades, instruments you track, and manually entered positions. | You and, when you enable it, market data providers. |
| Documents | Receipts, statements, or other files you upload to the Service. | You. |
| Usage data | Pages viewed, features used, errors, device type, browser, and approximate location derived from IP. | Collected automatically. |
| Derived data | Category labels for transactions, anomaly scores, recurring-payment flags, and vector embeddings used for search. | Computed by us from the data above. |
Sensitive categories we do not collect
We do not ask for government IDs, social-security numbers, or biometric data. We do not store your bank password: authentication happens on your bank's side through the Enable Banking PSD2 interface.
How we use your data
| Purpose | Legal basis (GDPR) |
|---|---|
| Provide the core features you ask for — syncing accounts, showing balances, categorizing transactions, rendering charts, sending notifications. | Performance of a contract. |
| Automatically categorize transactions, detect anomalies, and power semantic search. | Performance of a contract / legitimate interest. |
| Send transactional emails (security notices, connection issues, weekly digests you opt into). | Performance of a contract / consent. |
| Understand product usage in aggregate so we can fix bugs and improve the Service. | Legitimate interest. |
| Meet legal, tax, accounting, or fraud-prevention obligations. | Legal obligation. |
Banking data and Enable Banking
When you connect a bank account, we use Enable Banking Oy (a licensed PSD2 Account Information Service Provider authorised by the Finnish Financial Supervisory Authority) to establish the connection with your bank. You authenticate directly on your bank's website or app — Ramnn never sees your banking credentials. Enable Banking returns, on your behalf, the account metadata, balances, and transaction history that you explicitly consent to share.
PSD2 consents are limited in time. When a consent expires you will be prompted to renew it. You can revoke a bank connection at any moment from the Service (Settings → Connected accounts), which instructs Enable Banking to close the session and removes the banking data we hold about that connection, subject to the retention rules below.
AI features
Several features rely on Google Gemini: automatic transaction categorization, semantic-search embeddings, the in-app assistant, voice-note transcription, AI-assisted CSV imports, and the weekly and daily email digests. For news aggregation, we also use Perplexity, which only receives public instrument symbols — no personal data is sent.
When we call these models we send only the minimum data needed to complete the request — for a category suggestion, that is the merchant name and amount; for the assistant, it is the question you typed plus any summaries you choose to share. Under the Gemini API terms of service, your data is not used to train Google's foundation models.
If you would rather not use AI features, contact support@ramnn.com and we will disable them on your account.
Subprocessors
We rely on a small number of trusted subprocessors to run the Service. Each is bound by a data-processing agreement and contractual confidentiality obligations.
| Subprocessor | Role | Region |
|---|---|---|
| Enable Banking Oy | PSD2 bank-account aggregation. | EU (Finland). |
| Google LLC | OAuth sign-in and Gemini models for transaction categorization, semantic-search embeddings, the in-app assistant, voice transcription, AI-assisted CSV imports, and email digests. | EU / US (SCCs). |
| Perplexity AI, Inc. | Aggregation of financial news from public web sources (only public instrument symbols are sent — no personal data). | US. |
| Cloudflare, Inc. (R2) | Storage of documents and receipts you upload. | EU / US. |
| Resend | Delivery of transactional email. | EU / US. |
| Trigger.dev | Scheduling and execution of background jobs. | EU / US. |
| Sentry | Error and crash-report aggregation (diagnostic data, stack traces, request metadata). | EU / US (SCCs). |
| Vercel / Railway | Hosting of the website, web app, and API. Vercel also runs cookieless Web Analytics for aggregate audience measurement. | EU / US. |
| Financial Modeling Prep, Yahoo Finance | Market data for stocks, ETFs, crypto, and FX rates (no personal data is sent to these providers). | US. |
We will post an update at least 30 days before adding a new subprocessor that handles personal data.
Cookies and tracking
We use a small number of first-party cookies strictly needed to keep you signed in and to remember interface preferences (theme, locale). We do not use advertising trackers, pixels, or any form of cross-site tracking.
For audience measurement we use Vercel Web Analytics, which is cookieless: it records aggregate page views and visitor counts without storing cookies, without recording your IP address, and without building a profile across sites. Under the CNIL's and EDPB's exemption for anonymous audience measurement, this does not require consent.
You can clear cookies at any time from your browser — you will simply be asked to sign in again.
Sharing and disclosure
We share personal data only in the following situations:
- With the subprocessors listed above, strictly to operate the Service.
- To comply with a legal obligation, a lawful request from a public authority, or to defend our rights.
- In connection with a merger, acquisition, or sale of assets, in which case the acquirer will be bound by commitments at least as protective as this Policy.
We never sell or rent your data, and we do not share banking or transaction data with advertisers or data brokers.
International transfers
Our core infrastructure is hosted in the EU. Some subprocessors (notably Google, Perplexity, and Cloudflare) may process data in the United States. Those transfers are governed by the European Commission's Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework.
Retention
We retain your account data for as long as your account is active. When you delete your account:
- Your bank connections, accounts, transactions, holdings, budgets, notifications, and uploaded documents are deleted within 30 days.
- Authentication, audit-log, and security records may be kept up to 12 months to detect fraud and to satisfy legal obligations.
- Aggregated, non-identifying usage statistics may be retained indefinitely.
Specific retention periods may be extended where required by applicable law (for example, tax or anti-money-laundering regulations).
Security
We use TLS everywhere, encrypt data at rest, scope access to staff on a need-to-know basis, rotate credentials regularly, and keep a complete audit log of administrative actions. We maintain a responsible-disclosure channel at security@ramnn.com. No online service can guarantee absolute security — please keep your Google account safe and enable two-factor authentication.
Your rights
Depending on where you live, you may have the right to access, rectify, export, delete, restrict, or object to the processing of your personal data, and to withdraw any consent you have given. You can exercise most of these rights directly in the app:
- Access & export. Settings → Privacy → Export my data produces a machine-readable archive of your account.
- Delete your account. Settings → Privacy → Delete my account removes your account and all attached data (subject to the retention rules above).
- Revoke a bank connection. Settings → Connected accounts → Disconnect.
- Email preferences. Any email we send includes an unsubscribe link; you can also tune notifications under Settings → Notifications.
For anything else, write to privacy@ramnn.com. EEA residents may also lodge a complaint with their local data-protection authority.
Children
The Service is not directed to children under 16, and we do not knowingly collect data from them. If you believe a child has created an account, contact us and we will delete it.
Changes to this Policy
We will post material changes on this page and notify account holders by email at least 30 days before they take effect. Non-material updates (clarifications, typo fixes) are effective as soon as they are posted. The "Last updated" date above always reflects the most recent change.
Contact
Ramnn
Email: privacy@ramnn.com
Support: support@ramnn.com