Privacy Policy
Last updated: October 9, 2025
1. Information We Collect
1.1. Data Provided Directly by You
When creating an account and using our services, you provide us with:
- Registration Data: Name, email address, WhatsApp number. We do not request a password; email registration is through a temporary verification link;
- Social Authentication Data: If you choose to log in via Google, we collect your name, email and profile photo provided by the provider;
- Financial Data: Transactions (description, amount, date, category, notes), custom categories, tags, bank accounts (name and institution - we do not collect account numbers or any banking information), credit cards (name, limit, closing and due dates - we do not collect or request card numbers or any sensitive information);
- Payment Data: Processed exclusively by Stripe (PCI-DSS certified third party). We do not store complete credit card data;
- Documents and Images: Images of invoices, receipts or bank statements sent for AI analysis (temporary processing, not permanent storage).
1.2. Automatically Collected Data
When you use our platform, we automatically collect:
- Navigation Data: IP address, browser type, operating system, pages visited, time spent;
- Usage Data: Features used, access frequency, interactions with the platform;
- Cookies and Similar Technologies: We use essential cookies for authentication and preferences (e.g., light/dark theme, sidebar state).
2. How We Use Your Information
We use your personal data for the following purposes:
2.1. Service Provision
- Create and manage your account on the platform in a unique and secure way;
- Process and store your financial transactions only with data provided by you;
- Generate reports, charts and personalized analyses;
- Allow data export in CSV and Excel formats;
- Process payments through Stripe (PCI-DSS certified third party);
- Provide technical support and answer your questions.
2.2. Artificial Intelligence Analysis
- Process images of financial documents sent by you through AI models (GPT-4 Vision) to extract structured data (amount, date, description, category);
- Suggest automatic categorizations based on transaction content;
- Process Excel/CSV spreadsheets through AI models (GPT-4) for batch transaction import;
- Generate personalized financial insights and suggestions (future feature).
2.3. Improvements and Communication
- Analyze usage patterns to improve the platform;
- Send transactional emails (registration confirmation, password recovery, notifications);
- Communicate important updates about the platform (with opt-out option);
- Detect and prevent fraud, abuse and malicious activities.
2.4. Legal Compliance
- Comply with legal and regulatory obligations;
- Respond to requests from competent authorities;
- Protect our legal rights.
3. Legal Basis for Data Processing (LGPD)
Processing of your personal data is carried out based on the following legal grounds:
- Contract Performance (Art. 7, V): For provision of contracted services;
- Consent (Art. 7, I): For optional features such as AI analysis of voluntarily submitted documents;
- Legitimate Interest (Art. 7, IX): For platform improvements, security and fraud prevention;
- Legal Obligation Compliance (Art. 7, II): For compliance with legal requests.
4. Data Sharing
Your personal data is not sold to third parties. We may share it only in the following situations:
4.1. Service Providers (Processors)
- Supabase: PostgreSQL database, authentication and storage (AWS cloud infrastructure - configurable region);
- Stripe: Payment processing and subscription management (PCI-DSS Level 1 certified);
- OpenAI: Image and document processing through AI models (GPT-4, GPT-4 Vision). Important: OpenAI does not use data sent via API for model training;
- Vercel: Web application hosting and edge computing infrastructure;
- Resend: Transactional email sending (registration confirmation, password recovery).
All service providers are contractually obligated to protect your data and use it only for the specific purposes for which it was shared.
4.2. Legal Requests
We may disclose personal data when required by law, court order or request from competent authority.
4.3. Business Transfer
In case of merger, acquisition or asset sale, your data may be transferred to the new controller, who must maintain the same privacy commitments.
5. Storage and Security
5.1. Where Your Data Is Stored
- Database: Supabase (PostgreSQL) - servers may be located outside Brazil (AWS);
- Files: sent images are temporarily processed and not permanently stored;
- Web Application: Vercel (global edge network with presence in Brazil).
International Transfer: Your data may be transferred and stored on servers located outside Brazil. We ensure that all service providers adhere to adequate data protection standards.
5.2. Security Measures
We implement the following technical and organizational measures:
- Encryption: All data is encrypted in transit (HTTPS/TLS) and at rest;
- Row Level Security (RLS): Complete data isolation between users in the PostgreSQL database;
- Secure Authentication: Passwords encrypted with bcrypt, JWT tokens with expiration, support for multi-factor authentication (MFA) via social providers;
- Automatic Backups: Performed regularly by Supabase;
- Monitoring: Access logs and detection of anomalous activities;
- Restricted Access: Only authorized personnel have access to personal data, under confidentiality obligation.
Despite all efforts, no system is 100% secure. We recommend that you keep your access credentials confidential.
5.3. Data Retention
- Active Account Data: Maintained while you use the platform;
- After Account Termination: You will have 30 days to export your data. After this period, all personal data will be permanently deleted;
- Payment Data: Retained by Stripe according to legal and tax requirements (usually 7 years);
- Security Logs: Retained for up to 12 months for audit and security purposes.
6. Cookies and Tracking Technologies
6.1. Types of Cookies Used
- Essential Cookies: Necessary for authentication and basic platform operation (Supabase session, JWT tokens);
- Preference Cookies: Store your interface preferences (light/dark theme, sidebar state, language);
- Analytics Cookies: Vercel Analytics to understand usage patterns and improve the platform (aggregated and anonymous data).
We do not use: Advertising cookies or third-party tracking for marketing purposes.
6.2. Cookie Management
You can manage cookies through your browser settings. However, disabling essential cookies may affect platform functionality.
7. Your Rights as Data Subject (LGPD)
According to the General Data Protection Law (LGPD), you have the following rights regarding your personal data:
- Confirmation and Access (Art. 18, I and II): Confirm whether we process your data and access it free of charge;
- Correction (Art. 18, III): Correct incomplete, inaccurate or outdated data directly in platform settings (In development);
- Anonymization, Blocking or Elimination (Art. 18, IV): Request anonymization, blocking or deletion of unnecessary or non-compliant data;
- Portability (Art. 18, V): Export your data in structured format (CSV or Excel) through the platform's export functionality (In development);
- Elimination (Art. 18, VI): Request deletion of data processed based on consent (Manual process performed by support);
- Information about Sharing (Art. 18, VII): Know which public and private entities we share your data with (see section 4);
- Revocation of Consent (Art. 18, IX): Revoke consent for data processing at any time;
- Opposition (Art. 18, § 2): Oppose data processing carried out based on legitimate interest.
How to Exercise Your Rights
To exercise any of these rights, you can:
- Access your account settings on the platform (for correction, export or deletion of data); if an option is not available on the platform, send an email to support;
- Send an email to: contato@finansaas.ai
We will respond to your request within 15 business days, as established by LGPD.
8. Rights of Minors
The platform is intended for people over 18 years of age. We do not intentionally collect data from minors.
If you are under 18 years of age, you may only use the platform with the consent and supervision of your parents or legal guardian.
If we become aware that we have collected data from minors without proper authorization, we will immediately delete such information.
9. Changes to this Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements.
We will give notice of significant changes via email or a prominent notice on the platform at least 7 days in advance.
The date of the last update is always indicated at the top of this page.
Continued use of the platform after changes constitutes acceptance of the new policy.
10. Data Protection Officer (DPO)
We have designated a Data Protection Officer (DPO) to act as a communication channel between you, FinanSaas.ai and the National Data Protection Authority (ANPD).
For questions related to data protection, contact:
- DPO Email: contato@finansaas.ai
11. Complaints to the National Data Protection Authority
If you believe your privacy rights have been violated, you have the right to file a complaint with the National Data Protection Authority (ANPD). Contact support to proceed with the complaint:
- Email: contato@finansaas.ai
12. Contact
For questions, suggestions or requests related to this Privacy Policy:
- Privacy Email: contato@finansaas.ai
- Website: https://finansaas.ai
We are committed to protecting your privacy and to transparency in the processing of your personal data. By using FinanSaas.ai, you entrust your financial data to us, and we take this responsibility very seriously.