Privacy Policy for Hi Monday
Last updated: 27 May 2026
Effective date: 27 May 2026
This Privacy Policy describes how the Hi Monday mobile application (“Hi Monday”, “the app”, “we”, “us”) collects, uses, stores, and discloses your personal data. Hi Monday is operated by Theptai Intathep (“the Developer”), an individual developer based in Thailand, acting as the data controller for the purposes of Thailand’s Personal Data Protection Act B.E. 2562 (2019) (“PDPA”).
If you have questions about this policy, contact: pandyin@gmail.com
1. What Hi Monday does
Hi Monday is a personal finance tracking app that lets you record transactions (buy/sell of cash, crypto, and other assets), assign tags and notes, and view your holdings. The app is available on Android, iOS, and Web.
2. Data we collect
2.1 Account data (from sign-in)
When you sign in with Google or Apple, we receive the following from your identity provider via Firebase Authentication:
- A unique Firebase user ID
- Your email address
- Your display name (if provided by the SSO provider)
- An authentication token used to verify your identity on subsequent requests
You do not provide a password to us. Authentication credentials are handled by Google and Apple. If you sign in with Apple and choose “Hide My Email”, we only receive the Apple-provided relay address.
2.2 Financial data you enter
The app stores the transaction and holdings data you enter, including:
- Asset code or symbol (e.g., a currency or crypto ticker)
- Amount, price, and currency
- Transaction type (buy or sell)
- Date and time of the transaction
- Fees, tags, and free-text notes you add
This data is stored both on your device (in a local SQLite database) and, for sync and backup, in Google Firestore under a record keyed to your Firebase user ID.
2.3 Diagnostic and usage data
- Crash reports (Android only): If the app crashes, Firebase Crashlytics collects a stack trace, device model, OS version, and a Crashlytics-generated installation ID. Crashlytics does not collect your transactions, notes, or account email.
- Analytics events (Android only): Firebase Analytics records non-identifying events such as `login`, `logout`, `error`, and `report_missing_asset`, along with limited context (e.g., the asset code searched or the error type). Analytics is disabled on iOS in the current build.
2.4 Information we do NOT collect
- We do not collect your location.
- We do not access your contacts, camera, microphone, photos, or device storage.
- We do not collect or process advertising identifiers; the app contains no ads and no advertising SDKs.
- We do not collect biometric data.
- We do not collect data from children. Hi Monday is not directed at children under 13.
3. How we use your data
| Purpose | Data used | Lawful basis (PDPA s.24) |
|---|---|---|
| Authenticate you and provide the app’s core features | Account data, financial data | Performance of a contract / consent |
| Sync your data across your devices | Financial data | Performance of a contract |
| Fetch reference market data (e.g., exchange rates, stock prices) | Auth token (not your financial data) | Legitimate interest |
| Diagnose crashes and fix bugs | Crash reports | Legitimate interest |
| Understand which features are used | Analytics events | Consent (where required) |
We do not sell your personal data. We do not use your data for targeted advertising or profiling.
4. Where your data is stored and processed
- Identity and authentication: Google Firebase Authentication (processed by Google LLC; Firebase data may be stored in multiple Google data centers globally).
- Your financial data: Google Firestore, under Google Cloud project `hello-monday-496211`.
- Reference data API: A backend service we operate on Google Cloud Run in the `asia-southeast1` (Singapore) region. This service serves reference data (stock lists, exchange rates) — it does not store your financial transactions.
- Crash reports and analytics: Google Firebase (Crashlytics, Analytics).
Because Google’s services may transfer and store data outside Thailand, your data may be processed in jurisdictions whose data protection laws differ from Thailand’s. We rely on Google’s contractual safeguards (Standard Contractual Clauses where applicable) for these transfers, consistent with PDPA s.28.
5. Third-party services
The following third-party services process data on our behalf:
| Service | Provider | Role | Privacy policy |
|---|---|---|---|
| Firebase Authentication | Google LLC | Sign-in | https://firebase.google.com/support/privacy |
| Cloud Firestore | Google LLC | Database | https://firebase.google.com/support/privacy |
| Firebase Analytics | Google LLC | Usage events (Android only) | https://firebase.google.com/support/privacy |
| Firebase Crashlytics | Google LLC | Crash diagnostics (Android only) | https://firebase.google.com/support/privacy |
| Sign in with Apple | Apple Inc. | Sign-in (iOS) | https://www.apple.com/legal/privacy/ |
| Google Cloud Run | Google LLC | Hosting our backend API | https://cloud.google.com/terms/cloud-privacy-notice |
6. How long we keep your data
- Account and financial data: retained for as long as your account exists. If you request deletion, we remove your Firestore records and revoke your Firebase Auth account within 30 days.
- Crash reports: retained by Firebase Crashlytics for up to 90 days per Google’s defaults.
- Analytics events: retained by Firebase Analytics for up to 14 months per Google’s defaults.
- Local data on your device: stored until you uninstall the app or sign out and clear local storage.
7. Your rights under the PDPA
Under the Personal Data Protection Act, you have the right to:
- Access the personal data we hold about you and request a copy.
- Rectify inaccurate or incomplete data.
- Erase your data (“right to be forgotten”).
- Restrict or object to processing in certain circumstances.
- Port your data to another service in a machine-readable format.
- Withdraw consent at any time where processing is based on consent (this does not affect prior lawful processing).
- Lodge a complaint with the Personal Data Protection Committee (PDPC) of Thailand.
To exercise any of these rights, email pandyin@gmail.com. We will respond within 30 days. You can also delete your account in-app, which removes your Firestore data and Firebase Auth record.
8. Security
We rely on Google Cloud’s encryption-at-rest and encryption-in-transit for data stored in Firestore and transferred to our backend. Authentication tokens are stored using the platform’s secure storage (Android Keystore-backed storage / iOS Keychain via Firebase SDK). The local SQLite database is not separately encrypted at the application layer; it is protected by the operating system’s app sandbox. We recommend you use a device lock (PIN, biometric) to protect access to the app.
No method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.
9. Children’s privacy
Hi Monday is not directed at children under the age of 13 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect data from children. If you believe a child has provided us data, contact us and we will delete it.
10. Changes to this policy
We may update this policy from time to time. Material changes will be communicated in the app or by email. The “Last updated” date at the top of this document reflects the most recent revision. Continued use of the app after a change indicates acceptance of the updated policy.
11. Contact
- Data controller: Theptai Intathep
- Email: pandyin@gmail.com
- Location: Thailand
For PDPA-related complaints you may also contact the Personal Data Protection Committee Office (PDPC), Ministry of Digital Economy and Society, Thailand.