Privacy Policy
Last updated: April 17, 2026
This Privacy Policy describes how Egor Diachenko ("we", "developer") collects, uses, and protects information in connection with the Why Pay?! mobile and desktop application ("App") and the website at whypay.ru ("Website").
1. Information We Collect
If you use the App without registration (guest mode), all data — tasks, notes, categories, and settings — is stored locally on your device only. We do not collect or transmit any personal data in this case.
If you create an account, we collect and store on our servers:
- Username (login) you choose
- Email address (optional, used for password recovery and account verification)
- Password (stored only as a bcrypt hash with cost factor 10 — we never store or have access to your plaintext password)
- Your tasks, notes, categories, and app settings
- Date and time of account creation and data updates
- Device push notification token (if you enable notifications)
- Server access logs, which may contain your IP address and request timestamps (retained up to 30 days, used for security and debugging)
2. How We Use Your Information
- To provide and sync your data across your devices
- To send push notifications and password-reset emails you request
- To protect the service against abuse, fraud, and unauthorized access
- To improve the App based on aggregated, non-personal usage patterns
We do not sell, rent, or share your personal data with third parties for marketing purposes. We do not use your data to train AI models or for targeted advertising.
3. Data Storage, Security, and International Transfers
Where your data is stored. Account data is stored on servers physically located in Sofia, Bulgaria. Bulgaria is a member state of the European Union, and data processing there is subject to the EU General Data Protection Regulation (GDPR). If you access the App from outside the EU (including from the United States), by creating an account you consent to the transfer of your personal data to, and its storage and processing in, Bulgaria.
Security measures we apply:
- Transport encryption: All communication between the App/Website and our servers is protected by TLS (HTTPS) using certificates from Let's Encrypt with modern cipher suites (TLS 1.2 and above).
- Password storage: Passwords are hashed using bcrypt with a work factor of 10. Plaintext passwords are never stored or logged.
- Access control: Server access is restricted to the developer via key- and password-authenticated SSH; database access is restricted to the application on the same host.
- Isolation: Account data is stored in a relational database on a dedicated virtual server. Database files reside on the server's filesystem; we do not currently apply full-disk encryption at rest, so we rely on physical and network access controls as the primary safeguard.
- Backups: We may keep short-term backups for disaster recovery; they are kept on the same server or trusted infrastructure within the EU and are subject to the same retention and deletion rules as live data.
No method of transmission or storage is 100% secure. While we work to protect your data, we cannot guarantee absolute security, and you use the App at your own risk.
4. Sensitive Personal Information We Do NOT Collect
We do not collect, process, or store the following categories of "sensitive personal information" as defined by the California Privacy Rights Act (CPRA) and comparable US state laws:
- Government-issued identifiers (Social Security Number, driver's license, passport, etc.)
- Precise geolocation (more accurate than city level)
- Racial or ethnic origin, religious beliefs, or union membership
- Health, biometric, or genetic data
- Financial account, payment card, or credentials
- Contents of your email, text messages, or phone calls
- Sexual orientation or information about your sex life
The App itself does not request access to your microphone, camera, contacts, photos, precise location, or calendar.
5. Cookies and Analytics
Our Website uses Yandex.Metrica to collect anonymous visitor statistics. Yandex.Metrica uses cookies to analyze user behavior on the Website. This data does not contain personal information and is used solely to improve the Website.
You can disable cookies in your browser settings without affecting the App. If your browser sends a Global Privacy Control (GPC) signal or a "Do Not Track" header, we treat it as a request to opt out of any sharing of personal information. Because we do not sell or share personal information for advertising in the first place, this signal does not change how we handle your data, but we respect it as your opt-out preference.
6. Third-Party Services
The App and Website use the following third-party services:
- Apple Push Notification Service (APNs) and Google Firebase Cloud Messaging (FCM) — deliver push notifications. They receive your device token and notification payload metadata, but no account credentials.
- Let's Encrypt — issues the TLS certificate for whypay.ru.
- Yandex.Metrica — visitor analytics on the Website (cookies).
- Google Fonts — typography on the Website (font files may be served from Google's CDN, which sees your IP address).
- Apple / Google / RuStore — the app stores from which you download the App operate under their own privacy policies and may collect download and usage telemetry outside our control.
7. Data Retention
We retain your account data for as long as your account is active.
- Inactive accounts: An account is considered inactive after 24 consecutive months without signing in. We may delete inactive accounts and their associated data after that period. We will attempt to notify you via your registered email before deletion, if one is on file.
- Account deletion by you: You may delete your account at any time from the Profile section of the App. Upon deletion, all of your personal data is permanently removed from our live servers within 30 days, and from backups within the next backup rotation (no more than 60 days).
- Server logs: Access logs containing IP addresses are retained for up to 30 days.
8. Children's Privacy
The App is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13, in accordance with the US Children's Online Privacy Protection Act (COPPA). If you believe a child under 13 has provided us with personal data, please contact info@whypay.ru and we will delete it promptly. Users aged 13–16 in the EU should have a parent or guardian review this policy with them.
9. Your Rights
Regardless of where you live, you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Request deletion of your data
- Export your data in a portable format
- Object to certain uses of your data
Country- and state-specific rights are described in the sections below.
10. How to Submit a Privacy Request (and How We Verify It)
Send your request to info@whypay.ru from the email address associated with your account, and describe the right you wish to exercise.
Verification. To prevent unauthorized disclosure or deletion of your data, we verify requests by at least one of the following methods:
- You submit the request from the email address registered to the account, and confirm the request by clicking a one-time link we send back to that email; or
- You sign in to the App and submit the deletion request from the Profile section while authenticated.
If we cannot verify the request, we will tell you what additional information is needed; if we still cannot verify you, we will decline the request. We do not require more information than is reasonably necessary to verify identity.
Authorized agents. California and some other states allow you to use an authorized agent to submit requests on your behalf. The agent must provide written permission signed by you and, if requested, proof of registration with the California Secretary of State. We may still ask you to verify your own identity directly.
Response times. We respond to verified requests within 30 days under GDPR and within 45 days under US state privacy laws (extendable once by an additional 45 days with notice, where permitted). There is no fee for a first request in any 12-month period.
Non-discrimination. We will not deny you service, charge different prices, or provide a lower-quality product because you exercised a privacy right.
11. California Residents (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, gives you specific rights. The categories of personal information we have collected in the preceding 12 months, the sources, the purposes, and the recipients are:
- Identifiers (username, email, IP address, device push token) — collected from you when you create an account or use the App, used to operate the service, shared only with infrastructure providers (hosting, APNs/FCM).
- Internet or network activity information (server access logs, App version) — collected automatically, used for security and debugging, not shared externally.
- User-generated content (tasks, notes, categories) — collected from you, used only to provide and sync the service, not shared.
In the preceding 12 months we have not sold and have not "shared" for cross-context behavioral advertising any personal information, and we have not disclosed any sensitive personal information (because we do not collect it — see §4).
Your CCPA/CPRA rights:
- Right to know what personal data we collect, use, disclose, and retain, and for what purposes
- Right to delete personal data we hold about you
- Right to correct inaccurate personal data
- Right to opt out of the sale or sharing of personal data (not applicable — we do not sell or share)
- Right to limit the use of sensitive personal information (not applicable — we do not collect it)
- Right to non-discrimination for exercising your rights
Submit requests as described in §10, or contact info@whypay.ru.
12. Other US State Privacy Laws
If you are a resident of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), or another US state with a comprehensive consumer privacy law, you have rights substantially similar to those listed for California: to access, correct, delete, and port your personal data, and to opt out of targeted advertising, sale, or certain profiling. We do not engage in targeted advertising, sale of personal data, or profiling with legal or similarly significant effects.
Appeals. In states that provide an appeal right (including Virginia, Colorado, Connecticut, and Texas), if we decline your request you may appeal our decision by replying to our response email with the subject line "Privacy Request Appeal". We will respond within 60 days. If the appeal is denied, you may contact your state attorney general.
Submit requests as described in §10.
13. European Union & United Kingdom Residents (GDPR / UK GDPR)
If you are located in the European Union, the European Economic Area, or the United Kingdom, you have rights under the GDPR (or UK GDPR):
- Right of access to your data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object to processing
- Right to lodge a complaint with your local supervisory authority (e.g., the Bulgarian Commission for Personal Data Protection, since our data is stored in Bulgaria)
The legal bases for data processing are: your consent (when creating an account), performance of a contract (providing the App's services to you), and our legitimate interests (protecting the service against abuse).
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date at the top of this page and, where required by law, by in-app notice or email. Continued use of the App after changes take effect constitutes your acceptance of the updated policy.
Contact us:
Egor Diachenko
info@whypay.ru
whypay.ru