← Back to Aqana
Privacy Policy
Last updated: 26 April 2026
1. Who We Are
Aqana ("we", "us", "our") is a personal finance management platform operated in the United Kingdom. We help users aggregate their financial accounts, track spending, and gain insights into their money.
For data protection enquiries, contact us at privacy@aqana.uk.
2. What Data We Collect
We collect and process the following categories of personal data:
Account Information
- Name, email address, and password (hashed) when you register
- Home currency preference and onboarding selections
Open Banking Data (via TrueLayer)
When you connect a bank account through Open Banking, we access the following data with your explicit consent:
- Account information (account name, type, sort code, account number)
- Account balances (current and available)
- Transaction history (up to 90 days on initial connection, then ongoing)
- Transaction details (date, amount, description, merchant name, category)
This data is accessed in read-only mode. We cannot move money, make payments, or modify your bank accounts in any way.
Manually Entered Data
- Transactions, accounts, budgets, and categories you create manually
- Subscription tracking preferences
Usage Data
- How you interact with the app (pages visited, features used)
- Device and browser information for security purposes
3. How We Use Your Data
We use your personal data for the following purposes:
- Account aggregation: displaying your bank accounts, balances, and transactions in one place
- Financial insights: categorising transactions, calculating spending trends, and generating budget reports
- AI-powered features: providing personalised financial insights through our conversational AI assistant
- Subscription detection: identifying recurring payments and potential savings
- Security: authenticating your identity and protecting your account
4. Legal Basis for Processing
Under UK GDPR, we process your data on the following bases:
- Consent: for Open Banking data access (you explicitly authorise each bank connection and can withdraw at any time)
- Contract: to provide the service you signed up for
- Legitimate interest: for service improvement, security, and fraud prevention
5. Open Banking & TrueLayer
We use TrueLayer as our Open Banking provider to securely connect to your bank accounts. TrueLayer is authorised by the Financial Conduct Authority (FCA) as an Account Information Service Provider (AISP).
When you connect a bank account:
- You are redirected to your bank's own authentication page
- We never see or store your bank login credentials
- Your bank grants a time-limited consent (typically 90 days)
- You can disconnect any bank at any time from Settings, which immediately revokes access and deletes stored tokens
For more on how TrueLayer handles your data, see the TrueLayer Privacy Policy.
6. Data Storage & Security
- All data is stored on Google Cloud Platform (GCP) servers in the europe-west1 (Belgium) region
- Open Banking access tokens and refresh tokens are encrypted at rest using AES encryption before storage
- Passwords are hashed using bcrypt and never stored in plain text
- All connections between your browser, our servers, and bank APIs use TLS/HTTPS encryption in transit
- Database access is restricted to authorised services only, with IP whitelisting and IAM controls
7. Data Retention
- Account data: retained for as long as your account is active
- Transaction data: retained for as long as your account is active, to provide historical insights
- Open Banking tokens: automatically expire after ~90 days; deleted immediately when you disconnect a bank
- After account deletion: all personal data is permanently deleted within 30 days of your deletion request
8. Data Sharing
We do not sell your personal data. We share data only with:
- TrueLayer: to facilitate Open Banking connections (as described above)
- Google Cloud Platform: as our infrastructure provider (data processing agreement in place)
- Anthropic: for AI-powered features, using redacted and anonymised data only (no personally identifiable financial data is sent to AI models)
We will never share your identifiable financial data with advertisers, data brokers, or other third parties without your explicit consent.
9. Your Rights
Under UK GDPR, you have the right to:
- Access: request a copy of the personal data we hold about you
- Rectification: ask us to correct inaccurate data
- Erasure: ask us to delete your data ("right to be forgotten")
- Restrict processing: ask us to limit how we use your data
- Data portability: receive your data in a structured, machine-readable format
- Withdraw consent: for Open Banking access, at any time by disconnecting your bank in Settings
- Object: to processing based on legitimate interest
To exercise any of these rights, email privacy@aqana.uk. We will respond within 30 days.
10. Cookies
We use essential cookies only (authentication tokens stored in localStorage). We do not use tracking cookies, analytics cookies, or advertising cookies.
11. Children
Aqana is not intended for individuals under 18 years of age. We do not knowingly collect data from children.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email or an in-app notification. The "Last updated" date at the top of this page will always reflect the most recent revision.