Privacy Policy
Last updated: 7 June 2026
Gibbon helps you understand your own money. We use read-only Open Banking access, keep most of your data on your device, encrypt sensitive tokens, never sell your data, and let you delete everything at any time.
1. Who we are
Gibbon ("we", "us", "the app") is a personal finance app for people in the United Kingdom. The data controller is [LEGAL_ENTITY], contactable at [SUPPORT_EMAIL], registered address [BUSINESS_ADDRESS]. This policy explains what we collect, why, and your rights under the UK GDPR and Data Protection Act 2018.
2. Data we collect
Account and identity
When you use Sign in with Apple, we receive an Apple user identifier and, if you allow it, your name and an email address (which may be an Apple private relay address rather than your real one). We never receive your Apple password.
Bank and card data (via Open Banking)
If you connect a bank, our Open Banking provider (TrueLayer) shares, with your consent, your account details, balances, card details, transactions, direct debits and standing orders. This is read-only data. Gibbon cannot initiate payments or move money.
Email data (optional)
If you choose to connect an email account (Gmail, or another inbox via an app password), Gibbon reads messages only to detect subscription receipts, price changes and cancellations. Detecting those emails means scanning your inbox for purchase and billing messages; we do not use unrelated messages for any other purpose, and you can disconnect email at any time.
Usage and device data
To run the app and send alerts we process a device push token, basic device information, and in-app settings you choose (budgets, goals, categories, preferences).
3. How we use your data
- To show your balances, transactions, net worth, budgets, goals and subscriptions.
- To categorise and score transactions and calculate what is safe to spend.
- To detect recurring charges, price rises and likely-cancelled subscriptions.
- To send the notifications you turn on (for example low balance or a large purchase), including when the app is closed.
- To operate, secure and improve the app.
We do not sell your personal data. We do not use your bank or email data for advertising.
4. Legal basis for processing
- Consent for connecting your bank through Open Banking and for connecting email. You can withdraw consent at any time by disconnecting.
- Contract to provide the features you ask for.
- Legitimate interests to keep the app secure and working, balanced against your rights.
5. Open Banking
Bank connections are provided by TrueLayer, an account information service provider authorised and regulated by the Financial Conduct Authority. When you connect a bank you authorise access directly with your bank, and you can revoke that access at any time from within Gibbon or through your bank. Access is read-only. Gibbon is not a bank and does not provide regulated financial advice.
6. Email access
Email connection is entirely optional and exists only to improve subscription detection. Gibbon requests the minimum access needed to scan for billing and receipt emails. If you connect Gmail, our use complies with the relevant Google API user data policies, including the limited use requirements. If you connect another provider with an app password, note that an app password is not scoped: it grants access to the whole mailbox, and Gibbon still reads only billing and receipt emails. You can disconnect email at any time, which stops further access; you can also revoke Gibbon's access from your Google account settings or delete the app password at your email provider.
7. Where your data lives
Most of your financial data (transactions, budgets, goals, snapshots) is stored locally on your device. Authentication tokens are kept in the device's secure store.
To send notifications while the app is closed, we store a limited set of data on our servers (hosted on Cloudflare): an Open Banking refresh token, encrypted at rest, and the minimal bookkeeping needed to avoid duplicate alerts. The server uses that token to fetch the balances and transactions needed to evaluate the alerts you have turned on while the app is closed. Server data is processed in line with this policy.
8. Who we share data with
We use a small number of trusted service providers (sub-processors) strictly to run the app:
- TrueLayer - Open Banking connectivity.
- Apple - Sign in with Apple and push notification delivery.
- Google or your email provider - only if you connect email.
- Cloudflare - backend hosting and storage for alerts.
We share data with these providers only as needed to deliver the features above. We do not sell or rent your data to anyone.
9. Data retention
On-device data stays until you delete it or remove the app. Server-side data (such as your encrypted refresh token) is kept while your connection is active and is deleted when you disconnect the bank, delete your account, or after a period of inactivity. Note that removing the app on its own clears only on-device data; to have server-side data removed immediately, disconnect the bank or delete your account first. When you delete your account we remove the data we hold on our servers.
10. Your rights
Under UK GDPR you have the right to access, correct, delete, restrict, and port your data, and to withdraw consent. In Gibbon you can:
- Disconnect any bank or email connection at any time.
- Delete your account and associated data from the app settings.
- Contact us to exercise any other right.
You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.
11. Security
We use device secure storage for tokens on your device, encryption of sensitive tokens at rest on our servers, and transport encryption (TLS) for all traffic between the app, our servers and our providers. No system is perfectly secure, but we take reasonable steps to protect your information and limit what we store.
12. Children
Gibbon is not intended for anyone under 18 and we do not knowingly collect data from children.
13. Changes to this policy
We may update this policy. Material changes will be reflected by the date above and, where appropriate, surfaced in the app.
14. Contact
Questions or requests: [SUPPORT_EMAIL].