Legal
Privacy Policy
How Inali collects, uses, protects, shares, and retains information for the app, website, and related support services.
Inali does not sell personal information, does not share personal information for cross-context behavioral advertising, and does not use app advertising SDKs or cross-app tracking. The website uses limited first-party analytics and experiments only as described in this policy and the Cookies & Analytics Notice.
Legal Identity And Contact
Inali is operated by Giuliano Rasper. The operator's legal entity or owner name is Giuliano Rasper, represented by Giuliano Rasper. The mailing address is Riviere Stella 201, 1-25-10 Nakamuraminami, Nerima-ku, Tokyo 176-0025, Japan.
Privacy requests can be sent to [email protected]. Product support requests can be sent to [email protected].
Scope And Product Boundaries
Inali is a manual budgeting and shared-expense app. Inali records, organizes, syncs, and calculates information that users enter. Inali does not connect to bank accounts, initiate payments, hold funds, process card details, provide lending or credit, provide investment advice, support crypto, run a marketplace, or provide public user-generated content features.
Paid features, if offered, are purchased through Apple's App Store in-app purchase system. Inali does not operate a direct web checkout.
Information We Collect
| Category | Examples | Source |
|---|---|---|
| Account and identity data | Sign-in identifiers, account identifiers, display name, profile settings, support identity details. | You, Apple, and the app. |
| Shared-expense app content | Wallet names, membership, roles, transaction amounts, dates, categories, splits, settlements, recurring rules, invite status, and descriptions or memos entered by users. | You and other wallet members. |
| Subscription and entitlement data | App Store purchase state, subscription entitlement, renewal/cancellation state available through Apple or the app. | Apple and the app. |
| Support and privacy request data | Messages, request type, verification information, correspondence, and operational notes needed to answer a request. | You and support operations. |
| Device, security, and diagnostic data | Technical logs, sync/security metadata, app version, build, device context, and error information needed to operate and protect the service. | The app and service infrastructure. |
| Website analytics data | Page path, locale, CTA source, section, experiment variant, engagement bucket, campaign token, and request metadata processed by Cloudflare. | The website and Cloudflare. |
| Camera permission data | QR invite code scanned by the device camera. | Your device. Inali is not designed to retain camera photos or video. |
How We Use Information
- Provide, sync, secure, troubleshoot, and improve the app and website.
- Authenticate users and manage account/session controls.
- Operate shared wallets, member access, exports, deletion, and support workflows.
- Maintain App Store subscription entitlement and support Apple IAP issues.
- Respond to support, privacy, legal, security, and incident requests.
- Measure website performance, download intent, and experiments when analytics consent is available where required.
- Comply with law, enforce terms, prevent abuse, and maintain operational records.
Shared Wallet Visibility And Indirect Collection
Shared wallet members can see shared transaction details, shared recurring rules, settlement history, wallet membership, invite/member status, shared descriptions or memos, and retained anonymized history after account deletion. Do not enter information about another person unless you have a lawful reason to do so and are comfortable with the relevant wallet members seeing it.
Information about you may be entered by another wallet member, for example when that person adds a transaction, description, split, invite, or support request involving you. Inali uses this policy, in-app shared-wallet context, and support channels to explain why that information is collected, who can see it, and how to contact us.
Account Deletion And Anonymization
Signed-in users can start account deletion in the app. Because the request is made from the signed-in session, Inali uses that session to verify that the request belongs to the account holder. Deletion removes account access and direct account identifiers and anonymizes retained expense records.
Inali may keep transaction, recurring-rule, category, settlement, and wallet records as expense or accounting records after account deletion. Those retained records are detached from your account by removing membership access, replacing account links with a non-identifying deleted-user label, and replacing applicable descriptions with "Removed for privacy". Shared wallet history may remain visible to remaining members in that anonymized form.
Backup and recovery safeguards are designed so completed account deletions are not undone during system recovery.
Access, Correction, Export, Objection, And Complaints
Inali provides an in-app export for signed-in users. You can also contact [email protected] for access, correction, deletion, complaint, opt-out, objection, or export help in edge cases where we can verify your identity and account ownership or where shared data requires manual review.
We make the privacy controls described in this policy available to users regardless of location unless a request cannot be fulfilled because of legal, security, identity-verification, other-person privacy, or service-integrity reasons. Some laws may provide additional rights or require different response steps.
| Region or law | Practical response timing |
|---|---|
| EU/EEA, UK, and similar GDPR-style requests | Generally one month, with extensions where allowed. |
| United States state privacy requests | Generally 45 days, with extensions where allowed; opt-out requests handled faster where required. |
| Canada/PIPEDA and many Caribbean access requests | Generally 30 days, with extensions where allowed. |
| Taiwan PDPA | Access/copy requests within 15 days, extendable once by 15 days; correction, cessation, or deletion requests within 30 days, extendable once by 30 days. |
| Bahamas access/direct marketing requests | Generally 40 working days where the Bahamas DPA applies. |
| Bermuda PIPA | Generally 45 days, with a possible 30-day extension where allowed. |
Vendors, Recipients, And International Processing
Information may be processed in Japan, Europe, the United States, and other countries where our service providers operate. We use contractual, organizational, and technical safeguards with service providers where appropriate. You may request information about applicable safeguards by contacting the privacy email above.
For South Korea, overseas transfer details are summarized below in the form expected for a practical PIPA notice.
| Recipient | Country/region | Data items | Purpose | Transfer method/timing | Retention/use period |
|---|---|---|---|---|---|
| Supabase | Europe for project storage; provider operations and subprocessors may process in other regions. | Account data, app content, technical and security metadata. | Authentication, app database, storage, service infrastructure, and support for deletion/export. | Encrypted network transfer when the app or service uses Supabase. | For the service period and limited operational, backup, security, or legal periods. |
| Apple | Regions operated by Apple. | Authentication metadata, App Store download/subscription metadata, device and crash diagnostics. | Sign in with Apple, App Store distribution, IAP entitlement, device-level account controls. | Through Apple platform services when users use Apple features or App Store purchases. | Controlled by Apple and applicable App Store/account settings. |
| Cloudflare | Global network for website delivery; Europe for deletion-safeguard storage where configured. | Website request metadata, first-party analytics event metadata, limited account-deletion audit metadata. | Website hosting, first-party analytics/experiments, and deletion-recovery safeguards. | When the website is visited or deletion-safeguard records are written. | Website analytics for operational review periods; deletion-safeguard metadata may be retained for long-term audit/recovery safeguards. |
Cookies, Website Analytics, And Marketing
The website uses limited first-party analytics and experiments for landing-page performance, download intent, and A/B testing. These are not app advertising SDKs, retargeting pixels, session replay, or data-sale systems. Nonessential analytics are consent-gated where required. More detail is available in the Cookies & Analytics Notice.
Marketing emails, if used, are sent only with consent or where legally permitted. Every marketing email should include an unsubscribe method. Service, security, privacy, and transactional messages are separate from marketing.
Retention
We retain information only for as long as needed to provide Inali, meet legal obligations, resolve disputes, enforce agreements, maintain backups or security records, answer requests, and protect deletion/recovery integrity.
If we create a temporary server-side export file for a manual response, we will delete it after no more than 7 days unless a longer period is required by law or needed to resolve the request.
Security logs are designed not to store raw memos and are generally kept for up to about one month in Inali-controlled records. Infrastructure vendors may keep platform logs and backups for their own limited operational, security, legal, or contractual periods, and those vendor periods may differ from Inali-controlled retention.
Security And Incidents
We use administrative, technical, and organizational safeguards designed to protect information. No online service can guarantee absolute security.
If we identify a privacy or security incident, we will investigate, preserve relevant evidence, work with vendors where needed, and notify users or regulators when required by applicable law. Local timing can differ, including EU/UK 72-hour regulator notification where required, Singapore notification within 3 calendar days after determining a breach is notifiable, Cayman Islands 5-day breach notification where required, Barbados and Jamaica 72-hour notices where required, and other local thresholds.
Regional Privacy Notes
| Region | Website/legal-page note |
|---|---|
| EU/EEA and UK | GDPR/UK GDPR rights, lawful bases, transfer safeguards, regulator complaint rights, ePrivacy/cookie rules, DSA trader status, and accessibility statements are handled through these legal pages and App Store Connect where required. |
| Switzerland | FADP-style transparency, cross-border processing, high-risk breach/DPIA posture, and FDPIC complaint route are treated alongside the EU/UK baseline. |
| Canada and Quebec | Canada access/correction, breach, and CASL-style marketing controls are covered. Quebec users should receive clear French legal surfaces, responsible-person contact, cross-border disclosure, and consent for identifying/profiling technologies where required. |
| New Zealand | Shared-wallet indirect collection is disclosed for IPP 3A, effective May 1, 2026. |
| Singapore | The privacy contact above acts as the public DPO/privacy request contact; PDPA withdrawal, access/correction, overseas transfer, retention, and breach handling are covered. |
| Japan | Purpose of use, retained personal-data requests, foreign processing, security measures summary, breach wording, and Specified Commercial Transactions Act disclosure are covered through this policy and the Commercial Disclosure page. |
| South Korea | The overseas transfer table provides recipient, country, items, purpose, method/timing, retention/use period, and refusal consequence information for practical PIPA notice. |
| Taiwan | PDPA rights timing is included in the rights timing table. |
| Bermuda, Cayman Islands, Barbados, Jamaica | Local rights and breach timing are reflected in this policy and incident wording. Jamaica registration/OIC assessment remains an operational/legal review item. |
| BVI, Bahamas, Trinidad and Tobago, Anguilla, Turks and Caicos | The generic notice covers practical transparency, rights contact, marketing, security, transfers, and breach-as-required language without overstating local registration duties. |
Children
Inali is not directed to children. If you believe a child provided personal information to Inali, contact us so we can review and delete it where appropriate.
Changes
We may update this policy from time to time. Material updates will be reflected by changing the effective date and, where appropriate, providing additional notice.