The short version: VolcanoTracker stores your data on a secure server the app connects to. We do not sell your data, share it with advertisers, or use it for any purpose other than making the app work. You are always in control.

Contents

  1. Data controller (Titolare del Trattamento)
  2. What data we collect and why
  3. How we use your data
  4. Necessity of providing data
  5. Data storage and security
  6. International transfers
  7. Third parties and recipients
  8. AI receipt scanning & on-device processing
  9. Data retention
  10. Your rights under GDPR
  11. Cookies and website tracking
  12. Children's privacy
  13. Changes to this policy
  14. Contact us

1 Data controller (Titolare del Trattamento)

The data controller for the personal data collected through the VolcanoTracker application and the backend service at api.volcanotracker.volcanointeractive.com is:

Gaetano Cerrito

Via Santa Maria della Catena 95 Sc. E, 95124 Catania CT, Italia

Email: info.volcanotracker@volcanointeractive.com

Website: volcanotracker.volcanointeractive.com

Given the nature and scale of our data processing activities, we are not required to appoint a Data Protection Officer (DPO) under Article 37 GDPR. For all privacy-related enquiries, please contact us directly at the email address above.

2 What data we collect and why

We collect only the data necessary to provide the VolcanoTracker service. Below is a complete description of every category of personal data we process, together with the purpose and legal basis for each.

| Category | Data collected | Purpose | Legal basis (GDPR) |
|---|---|---|---|
| Account data | Name, email address, hashed password | Authentication and account identification | Performance of a contract (Art. 6.1.b) |
| Financial data | Transactions, accounts, balances, budgets, categories you create | Core functionality of the app — tracking and analytics | Performance of a contract (Art. 6.1.b) |
| Device data | An anonymous device identifier (UUID generated on device) | Enabling multi-device sync without conflicts | Performance of a contract (Art. 6.1.b) |
| Preferences | Preferred reporting currency; device language (e.g. "it", "fr", "de") read at registration time | Displaying balances and analytics in your chosen currency; sending transactional emails (email verification) in your device language | Performance of a contract (Art. 6.1.b) |

All personal data is collected directly from you when you register for or use the service. We do not collect data from third-party sources.

We do not collect location data, contacts, browsing history, IP addresses, device identifiers beyond the anonymous sync UUID, or any other data not listed above.

3 How we use your data

Your data is used exclusively to provide the VolcanoTracker service. Specifically:

We do not use your data for advertising, profiling, behavioural tracking, marketing communications, or any purpose beyond operating the service.

4 Necessity of providing data (Art. 13.2.e)

Providing your name, email address, and password is a contractual requirement necessary to create an account and use the VolcanoTracker service. Without this data, we cannot provide the service.

Financial data (transactions, accounts, budgets) is entered voluntarily by you and is necessary for the app to perform its core function. You are free to add or delete financial data at any time.

There is no statutory obligation to provide any of this data. However, refusing to provide account data means the service cannot be used.

5 Data storage and security

Your data is stored on a secure server operated by Volcano Interactive, hosted within the European Union (AWS eu-south-1, Milan), and protected by the following measures:

In the event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by GDPR Articles 33–34.

6 International transfers (Art. 13.1.f)

Your personal data is stored and processed exclusively within the European Economic Area (EEA). Our server infrastructure is located in Italy (AWS eu-south-1, Milan).

We do not transfer your personal data to any country outside the EEA. Should this change in the future, we will ensure appropriate safeguards are in place (such as Standard Contractual Clauses or an adequacy decision) and update this policy accordingly.

7 Third parties and recipients (Art. 13.1.e)

VolcanoTracker does not share, sell, rent, or otherwise disclose your personal data to any third party. There are no recipients of your personal data other than Volcano Interactive.

The only external service the backend communicates with is open.er-api.com, a public exchange rate API used to fetch currency conversion rates. This request contains no personal data whatsoever — it is a simple HTTP GET request for a publicly available list of exchange rates.

Infrastructure provider: Our server is hosted on Amazon Web Services (AWS). AWS acts as a data processor under a GDPR-compliant Data Processing Agreement. AWS does not access or process your application data — it only provides the underlying compute and network infrastructure.

We may be required to disclose data to law enforcement or regulatory authorities if compelled by a valid legal order. We will notify you of any such request where legally permitted to do so.

7a AI receipt scanning & on-device processing

VolcanoTracker includes an optional AI Receipt Scanning feature that allows you to photograph a purchase receipt and have the app automatically extract the transaction details (merchant name, amount, date, and category).

The AI processing is 100% on-device. Your receipt photos and extracted text never leave your iPhone. No third-party AI API is used at any point. Only the resulting transaction record is synced to our server — exactly as if you had typed it in manually.

The feature works in two stages, both executed locally on your iPhone:

The receipt image and raw OCR text never leave your device and are discarded as soon as the transaction is confirmed. The final transaction record is then synced to our server under the same terms as any other transaction you create — see Section 2 and Section 5 for details on how that data is stored and protected.

You are free to use or not use this feature entirely at your discretion. Declining to use it has no effect on any other functionality of the app.

8 Data retention

We retain your data for as long as your account is active. If you delete your account, all data associated with your account — including your profile, transactions, accounts, budgets, categories, and alerts — is permanently and irreversibly deleted from our servers within 30 days.

You may also delete specific data items (such as individual transactions or accounts) at any time through the app without deleting your account.

Server access logs (which do not contain personal data) may be retained for up to 90 days for security and debugging purposes.

9 Your rights under GDPR

If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights regarding your personal data under the General Data Protection Regulation (GDPR) and UK GDPR:

To exercise any of these rights, please contact us at info.volcanotracker@volcanointeractive.com. We will respond within 30 days. If the request is complex, we may extend this period by a further two months, and will inform you accordingly.

If you are not satisfied with our response, you have the right to lodge a complaint with your national data protection supervisory authority. In Italy, this is the Garante per la protezione dei dati personali.

10 Cookies and website tracking

The VolcanoTracker website (volcanotracker.volcanointeractive.com) does not use cookies, local storage, web beacons, analytics services, or any form of browser tracking.

The VolcanoTracker iOS app does not use any third-party analytics SDKs, crash reporting services, or advertising frameworks.

11 Children's privacy

VolcanoTracker is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16 years of age. If you believe we have inadvertently collected data from a minor, please contact us immediately and we will delete it promptly.

12 Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you through the app or by email.

We encourage you to review this policy periodically. Continued use of VolcanoTracker after changes have been posted constitutes your acceptance of the updated policy.

13 Contact us

If you have any questions about this Privacy Policy or how we handle your personal data, or if you wish to exercise any of your rights, please contact the data controller:

Gaetano Cerrito

Via Santa Maria della Catena 95 Sc. E, 95124 Catania CT, Italia

Email: info.volcanotracker@volcanointeractive.com

Website: volcanotracker.volcanointeractive.com