Data Protection Compliance Guide

Refynne - Personal Finance Management App
Website: https://refynne.com
Developer: BPS Dynamic (bpsdynamic.com)


Overview

This document outlines how Refynne complies with data protection regulations across different jurisdictions. It serves as a reference for users, regulators, and internal compliance.


Compliance Matrix

Regulation | Region | Status | Key Requirements
POPIA | South Africa | ✅ Compliant | Consent, Purpose limitation, Data minimization
GDPR | European Union | ✅ Compliant | Lawful basis, Rights, DPO, Breach notification
UK GDPR | United Kingdom | ✅ Compliant | Same as GDPR with UK-specific provisions
CCPA/CPRA | California, USA | ✅ Compliant | Right to know, delete, opt-out
LGPD | Brazil | ✅ Compliant | Consent, Rights, DPO equivalent
Privacy Act | Australia | ✅ Compliant | APPs, Transparency, Access rights

1. South Africa - POPIA

Protection of Personal Information Act (Act 4 of 2013)

Effective Date: July 1, 2021

Compliance Measures

POPIA Condition | How Refynne Complies
Accountability | Information Officer designated, policies documented
Processing Limitation | Only collect data necessary for service
Purpose Specification | Clear purposes stated in Privacy Policy
Further Processing Limitation | Data not used beyond stated purposes
Information Quality | Users can update/correct their data
Openness | Privacy Policy publicly available
Security Safeguards | Encryption, access controls, security audits
Data Subject Participation | Access, correction, deletion rights implemented

Information Officer

Designated Information Officer: BPS Dynamic
Contact: privacy@refynne.com

User Rights Under POPIA

  • Right to be notified of data collection
  • Right to access personal information
  • Right to request correction
  • Right to request deletion
  • Right to object to processing
  • Right to lodge complaint with Information Regulator

Information Regulator Contact

Website: https://www.justice.gov.za/inforeg/
Email: inforeg@justice.gov.za
Phone: +27 10 023 5200


2. European Union - GDPR

General Data Protection Regulation (EU 2016/679)

Effective Date: May 25, 2018

Compliance Measures

GDPR Principle | How Refynne Complies
Lawfulness, Fairness, Transparency | Clear legal basis, transparent processing
Purpose Limitation | Specific, explicit purposes documented
Data Minimization | Only essential data collected
Accuracy | Users can update their data
Storage Limitation | Retention periods defined
Integrity & Confidentiality | Encryption, security measures
Accountability | Documentation, DPO consideration

Legal Bases for Processing

Processing Activity | Legal Basis
Account management | Contract performance
Financial tracking | Contract performance
Analytics | Legitimate interest
Marketing | Consent
Security | Legitimate interest

Data Subject Rights

Right | Implementation
Access | In-app data export, email request
Rectification | In-app editing, support request
Erasure | Account deletion feature
Restriction | Support request
Portability | JSON/CSV export
Objection | Settings toggles, support request
Automated Decision-Making | No automated decisions made

Data Protection Impact Assessment (DPIA)

A DPIA has been conducted for:

  • Cloud data storage
  • Analytics processing
  • Receipt scanning (OCR)

International Transfers

For data transfers outside the EU:

  • Standard Contractual Clauses (SCCs) in place
  • AWS data processing agreement
  • Adequacy decisions where applicable

3. United Kingdom - UK GDPR

UK General Data Protection Regulation

Effective Date: January 1, 2021 (post-Brexit)

Compliance Measures

UK GDPR requirements mirror EU GDPR. Additional considerations:

Requirement | Implementation
UK Representative | To be appointed if required
ICO Registration | Completed if applicable
UK-specific SCCs | International Data Transfer Agreement (IDTA)

ICO Contact

Website: https://ico.org.uk/
Phone: 0303 123 1113


4. United States - CCPA/CPRA

California Consumer Privacy Act & California Privacy Rights Act

CCPA Effective: January 1, 2020
CPRA Effective: January 1, 2023

Compliance Measures

CCPA/CPRA Right | Implementation
Right to Know | Privacy Policy, data disclosure
Right to Delete | Account deletion feature
Right to Opt-Out | We do not sell data
Right to Non-Discrimination | Equal service regardless of privacy choices
Right to Correct | In-app editing
Right to Limit Use | Settings controls

Categories of Personal Information

Category | Collected | Sold | Shared
Identifiers | Yes | No | No
Commercial Information | Yes | No | No
Internet Activity | Yes | No | No
Geolocation | No | No | No
Biometric | No | No | No
Professional | No | No | No
Education | No | No | No
Sensitive | No | No | No

"Do Not Sell My Personal Information"

Refynne does NOT sell personal information. No opt-out mechanism is required, but we provide one for transparency.


5. Brazil - LGPD

Lei Geral de Proteção de Dados (Law 13.709/2018)

Effective Date: September 18, 2020

Compliance Measures

LGPD Principle | Implementation
Purpose | Specific purposes documented
Adequacy | Processing matches stated purposes
Necessity | Minimum data collected
Free Access | Users can access their data
Quality | Data accuracy maintained
Transparency | Clear privacy information
Security | Technical and organizational measures
Prevention | Proactive security measures
Non-Discrimination | No discriminatory processing
Accountability | Documentation and compliance evidence

Data Subject Rights Under LGPD

  • Confirmation of processing
  • Access to data
  • Correction of data
  • Anonymization, blocking, or deletion
  • Data portability
  • Information about sharing
  • Consent revocation
  • Complaint to ANPD

ANPD Contact

Website: https://www.gov.br/anpd/
Email: encarregado@anpd.gov.br


6. Australia - Privacy Act

Privacy Act 1988 (Australian Privacy Principles)

Compliance Measures

APP | Requirement | Implementation
APP 1 | Open and transparent management | Privacy Policy published
APP 2 | Anonymity and pseudonymity | Optional account creation
APP 3 | Collection of solicited information | Only necessary data collected
APP 4 | Dealing with unsolicited information | Not applicable
APP 5 | Notification of collection | Privacy notice at collection
APP 6 | Use or disclosure | Limited to stated purposes
APP 7 | Direct marketing | Consent-based only
APP 8 | Cross-border disclosure | Safeguards in place
APP 9 | Adoption of government identifiers | Not collected
APP 10 | Quality of personal information | User correction available
APP 11 | Security of personal information | Encryption, access controls
APP 12 | Access to personal information | In-app access, export
APP 13 | Correction of personal information | In-app editing

OAIC Contact

Website: https://www.oaic.gov.au/
Phone: 1300 363 992


7. Technical Compliance Measures

Data Security

Measure | Implementation
Encryption at Rest | AES-256
Encryption in Transit | TLS 1.3
Password Hashing | bcrypt with salt
Access Control | Role-based access
Audit Logging | All data access logged
Backup | Encrypted backups

Data Minimization

Data Type | Collected | Justification
Email | Yes | Account identification
Name | Optional | Personalization
Financial data | Yes | Core service
Location | No | Not needed
Contacts | No | Not needed
Photos | Optional | Receipt scanning only

Retention Periods

Data Type | Retention | Justification
Account data | Until deletion + 30 days | Service provision
Financial data | Until deletion + 30 days | Service provision
Support tickets | 2 years | Quality assurance
Analytics | 26 months | Service improvement
Logs | 90 days | Security

8. Breach Response Plan

Notification Timelines

Regulation | Authority Notification | User Notification
POPIA | As soon as reasonably possible | As soon as reasonably possible
GDPR | 72 hours | Without undue delay
UK GDPR | 72 hours | Without undue delay
CCPA | N/A | Most expedient time possible
LGPD | Reasonable time | Reasonable time
Privacy Act | As soon as practicable | As soon as practicable

Breach Response Steps

  1. Identify - Detect and confirm breach
  2. Contain - Stop ongoing breach
  3. Assess - Determine scope and impact
  4. Notify - Inform authorities and users as required
  5. Remediate - Fix vulnerabilities
  6. Document - Record incident and response
  7. Review - Update procedures to prevent recurrence

9. Contact Information

Privacy Inquiries

Email: privacy@refynne.com
Subject Line: "Privacy Request - [Your Country]"

Data Protection Officer (if applicable)

Email: dpo@refynne.com

General Support

Email: support@refynne.com
Website: https://refynne.com/support


© 2025 BPS Dynamic. All rights reserved.
