Raydar

Privacy Policy

Last updated: 13 April 2026

Contents

  1. Data Controller
  2. Information We Collect
  3. Gmail Access
  4. How We Use Your Data
  5. Third-Party Processing
  6. Data Storage & Security
  7. Data Retention
  8. Cross-Border Data Transfers
  9. Your Rights
  10. Cookies
  11. Children's Privacy
  12. Changes to This Policy
  13. Contact

1. Data Controller

Raydar Ltd ("Raydar", "we", "our") is the data controller responsible for your personal data. If you have questions about this policy or how we handle your data, contact us at support@raydarhq.com.

2. Information We Collect

We collect only what is necessary to provide the service:

  • Account data — your name and email address when you register.
  • Gmail OAuth token — an access token issued by Google, encrypted at rest. We store this to query your inbox on an ongoing basis. We never see or store your Google password.
  • Email metadata — the sender address, subject line, and date of emails from senders you configure. Retained for audit purposes for 7 days, then automatically deleted.
  • Extracted transaction data — the amount, merchant name, date, and category parsed from those emails. This is the core dataset powering your dashboard.
  • Usage data — anonymised app activity (e.g. features used, error events) used to improve the service.

What we never collect: raw email body content, bank account numbers, bank credentials, or any data from senders you have not configured.

3. Gmail Access

This section is required by Google's API Services User Data Policy and explains exactly how Raydar uses your Gmail access.

Scope: Raydar requests the gmail.readonly OAuth scope. This is a restricted scope that gives read access to your mailbox. Google displays a warning about this on the consent screen — this warning reflects Google's policy for all apps using this scope, not Raydar's specific behaviour.

What we actually query: We use Gmail's search API with a sender filter, e.g. from:(alerts@chase.com). Only emails matching senders you explicitly configure are ever fetched. Emails from all other senders are never accessed — not even their metadata.

Raw email content: Email bodies are parsed in memory to extract transaction fields. The raw content is never written to disk or stored in our database.

Processing audit log: You can view exactly which emails Raydar accessed and what was extracted, directly in the app.

Revoking access: You can disconnect Gmail at any time from within Raydar, or by visiting myaccount.google.com/permissions and removing Raydar from the list of connected apps.

Sharing of Google user data: We do not transfer or disclose your Google user data to third parties except as described here. Stripped transaction text (with all personally identifiable information removed — no email addresses, names, or account numbers) may be sent to OpenAI solely to categorise transactions where our template parser cannot identify a format. Raw email content is never transmitted to any third party. Google user data is not sold to or shared with any other party for any purpose.

Data obtained via the Gmail API is used solely to provide the Raydar service to you. It is not used for advertising, sold to third parties, or used to train machine learning models.

4. How We Use Your Data

  • Service delivery — to build and display your spending dashboard.
  • AI categorisation — to classify transactions into spending categories.
  • Security — to detect suspicious activity and protect your account.
  • Legal obligations — to comply with applicable law, including responding to lawful requests from regulators.

Legal basis (GDPR): processing is based on your consent given during sign-up, and on our legitimate interest in providing and improving the service.

5. Third-Party Processing

OpenAI — we use OpenAI's API to categorise transactions where our template parser cannot identify a format. Before sending any text to OpenAI, we strip all personally identifiable information (email addresses, account numbers). Only the minimum necessary text snippet is transmitted. Per OpenAI's API data usage policy (effective March 2023), data sent via the API is not used to train OpenAI models.

Resend — we use Resend to deliver transactional emails (account verification, password reset). Your email address is passed to Resend for this purpose only.

We do not sell your personal data to any third party.

In the event of a merger, acquisition, or sale of assets, Google user data will only be transferred to the acquiring entity after obtaining your explicit prior consent.

6. Data Storage & Security

All data is stored on secure cloud infrastructure. We apply the following technical measures:

  • AES-256-GCM encryption at rest for all sensitive fields.
  • TLS 1.3 for all data in transit.
  • Passwords hashed with Argon2id (OWASP-recommended).
  • OAuth tokens encrypted and stored server-side — never exposed to the client.
  • Row-level database access controls ensuring you can only access your own data.

7. Data Retention

  • Email metadata (subject, sender, date) — 7 days, then automatically deleted.
  • Extracted transaction data — retained until you delete your account.
  • Account data — retained until you delete your account, plus a 30-day grace period to allow for account recovery.
  • Usage data — anonymised, retained for up to 12 months.

8. Cross-Border Data Transfers

Your data is stored on infrastructure within a secure cloud region. When transaction text is sent to OpenAI for categorisation, this constitutes a cross-border transfer to the United States. We mitigate this by stripping all PII before transmission and obtaining your explicit consent to AI processing during onboarding.

For users in Rwanda, cross-border transfers are conducted in accordance with Rwanda Law No. 048/2018 and any applicable authorisations from the National Cyber Security Authority.

9. Your Rights

To exercise any of these rights, email support@raydarhq.com. We target a response time of 48 hours.

Under GDPR (EU/UK users):

  • Right of access — obtain a copy of your personal data.
  • Right to rectification — correct inaccurate data.
  • Right to erasure — delete your account and all associated data.
  • Right to data portability — export your data as JSON or CSV.
  • Right to restrict processing — limit how we use your data.
  • Right to object — object to processing based on legitimate interest.
  • Right to withdraw consent — at any time, without affecting prior processing.

Under Rwanda Law No. 048/2018:

  • Right to access and data portability.
  • Right to correction of inaccurate data.
  • Right to lodge a complaint with the Rwanda Data Protection Authority (RDPA).

Under CCPA (California residents):

  • Right to know what personal information is collected and how it is used.
  • Right to delete personal information.
  • Right to opt out of the sale of personal information. Raydar does not sell personal information.
  • Right to non-discrimination for exercising your privacy rights.

10. Cookies

Raydar uses session cookies only — these are strictly necessary to keep you logged in and expire when you close your browser. We do not use tracking cookies, advertising cookies, or third-party analytics at this time.

11. Children's Privacy

Raydar is not directed at anyone under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us and we will delete it promptly.

12. Changes to This Policy

We will notify you of material changes to this policy at least 30 days before they take effect, via email or an in-app notification. The "Last updated" date at the top of this page reflects the most recent revision.

13. Contact

For any privacy-related questions or to exercise your rights, contact us at support@raydarhq.com.

If you are unsatisfied with our response, you have the right to lodge a complaint with your relevant supervisory authority — the Rwanda Data Protection Authority (RDPA) for Rwandan residents, or your national data protection authority for EU/UK residents.

© 2026 Raydar Ltd. All rights reserved.