Privacy Policy

The Money Recipe is a personal finance education platform providing tools, calculators, and guides for personal financial planning globally, with a focus on Africa and the African diaspora.

Data controller: The Money Recipe
Contact: [email protected]
Website: themoneyrecipe.com

A. Data you give us directly

• Email address (newsletter signup)
• First name (optional, for newsletter personalisation)
• Calculator inputs (budget figures, savings amounts, debt levels) — calculator inputs are processed in your browser only and are not stored on our servers unless you explicitly save a plan (feature coming soon)

B. Data collected automatically

• IP address (anonymised after 24 hours)
• Browser type and version
• Device type (mobile, desktop, or tablet)
• Pages visited, time on page, and referrer URL
• Country or region derived from IP address (not stored precisely)
• Cookie data (see Section 4)

C. Data we do NOT collect

• Government ID numbers
• Financial account numbers
• Credit card or payment information
• Precise location (GPS)
• Biometric data

Where the GDPR, UK GDPR, or equivalent legislation applies, we rely on the following legal bases under Article 6:

Email / newsletter

• Legal basis: Consent (Art. 6(1)(a))
• Purpose: To send weekly personal finance content
• You can withdraw consent at any time via the unsubscribe link in any email

Analytics

• Legal basis: Legitimate interests (Art. 6(1)(f))
• Purpose: To understand how people use the site and improve it
• We anonymise IP addresses and do not build individual profiles

Site functionality

• Legal basis: Legitimate interests
• Purpose: To serve the website, remember currency preferences, and prevent abuse

We use three categories of cookies:

Strictly necessary (no consent required)

• Session cookies for site functionality
• Currency preference cookie (tmr-currency)
• Announcement bar dismissal (tmr-ann-dismissed)

Analytics (consent required for EU/UK/Kenya/Nigeria visitors)

• PostHog analytics — anonymised, with a self-hosted option available
• We do not use Google Analytics or any third-party tracking pixels

No advertising or tracking cookies are set. No third-party advertising networks have access to your data.

EU, UK, Kenyan, and Nigerian visitors see a consent banner on first visit. You can withdraw consent at any time via our Cookie Settings link in the footer.

We share data only with the following processors, all of whom have signed Data Processing Agreements:

Supabase (database)

• Location: EU — Frankfurt, Germany (GDPR-compliant)
• Purpose: Storing newsletter subscriber data

Resend (email delivery)

• Location: US — Standard Contractual Clauses apply
• Purpose: Sending newsletter emails

Vercel (hosting)

• Location: Global edge network (GDPR-compliant)
• Purpose: Serving the website

PostHog (analytics)

• Location: EU (optional) or US
• Purpose: Anonymised usage analytics — no personal data exported

We do not sell your personal data to any third party. We do not share your data with advertisers, use your data for automated profiling or individual decision-making, or disclose data for purposes beyond those described in this policy.

We serve users globally. When personal data is transferred outside your jurisdiction, we rely on the following mechanisms:

• EU/EEA and UK: EU Standard Contractual Clauses (SCCs) for transfers to third countries
• Kenya: Section 48 of the Kenya Data Protection Act 2019 adequacy and contractual provisions
• Nigeria: Chapter 6 of the Nigeria Data Protection Act 2023 cross-border transfer requirements, including data transfer agreements
• South Africa: POPIA Section 72 — transfer only to countries with adequate protection or via binding corporate rules / contractual clauses
• Ghana: Section 43 of the Ghana Data Protection Act 2012

All users

• Know what data we hold about you
• Request correction of inaccurate data
• Request deletion of your data
• Withdraw consent at any time (does not affect past processing)
• Opt out of our newsletter at any time

EU and UK users (GDPR / UK GDPR)

• Right of access (Art. 15) — receive a copy of your data
• Right to erasure (Art. 17) — the “right to be forgotten”
• Right to restriction (Art. 18) — limit how we use your data
• Right to portability (Art. 20) — receive data in machine-readable format
• Right to object (Art. 21) — object to legitimate interest processing
• Right not to be subject to automated decision-making (Art. 22)
• Lodge a complaint with your national supervisory authority — UK: ico.org.uk · Ireland: DPC · Germany: BfDI

Kenya users (DPA 2019, Sections 26–35)

• Rights include access, rectification, erasure, objection, and data portability
• Lodge a complaint with the Office of the Data Protection Commissioner (ODPC) at odpc.go.ke

Nigeria users (NDPA 2023, Part VI)

• Rights include access, rectification, erasure, restriction, portability, and objection
• Lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng

South Africa users (POPIA, Chapter 2)

• Rights include access, correction, deletion, and objection to processing
• Lodge a complaint with the Information Regulator at inforegulator.org.za

Ghana users (DPA 2012)

• Rights under the Ghana Data Protection Act 2012
• Lodge a complaint with the Data Protection Commission Ghana

California and US users (CCPA / CPRA)

• Right to know what personal information is collected and how it is used
• Right to delete personal information
• Right to opt-out of sale of personal information — we do not sell personal data
• Right to non-discrimination for exercising privacy rights
• Shine the Light Law: we do not share data with third parties for direct marketing purposes

To exercise any right, email [email protected]. We will respond within 30 days (the standard under GDPR, NDPA, and most state laws).

• Newsletter subscriber data: Retained until you unsubscribe, plus 30 days for suppression list maintenance
• Analytics data: 90-day rolling window, then anonymised and deleted
• Server logs: 30 days
• Backup copies: Deleted within 60 days of a deletion request being fulfilled

The Money Recipe is not directed at children under 16 (or under 18 where required by local law, including South Africa under POPIA and Nigeria under NDPA 2023, which introduces age verification requirements for digital services).

We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact [email protected] immediately and we will delete the data.

We implement appropriate technical and organisational measures to protect your personal data, including:

• HTTPS encryption on all pages and API endpoints
• Encrypted data storage via Supabase
• Access controls limiting who can access subscriber data
• Regular security reviews of our infrastructure and third-party processors

No system is perfectly secure. In the event of a data breach affecting your personal data, we will notify affected users and relevant regulators as required by law: within 72 hours to supervisory authorities under GDPR and Nigeria NDPA, and promptly to Kenya's ODPC and South Africa's Information Regulator.

We will notify newsletter subscribers of material changes by email at least 14 days before they take effect. The “Last updated” date at the top of this page will always reflect the current version of the policy.

Continued use of the Site after changes take effect constitutes acceptance of the updated policy.

Data controller contact:
The Money Recipe
Email: [email protected]

If you have a concern about how we handle your personal data, we encourage you to contact us first — we take all concerns seriously and will respond promptly. You also have the right to lodge a complaint directly with your national data protection supervisory authority at any time.