Privacy Policy
Last updated: May 2026
Chat Your Finances helps you track and discuss your personal finances. This policy explains what we collect, why we collect it, how we protect it, and the rights you have over your data.
1. What we collect
- Account data: email, password (hashed by Supabase Auth, never stored in plaintext), full name, country, currency.
- Profile data you provide: phone number, tax ID, monthly income / expenses, savings goals, risk tolerance, the name you choose for your assistant.
- Financial data you upload: documents (statements, payslips, receipts), parsed transactions, bank / mobile-money connection metadata.
- Chat content: messages you send the assistant and its replies.
- Audit log: sign-ins, password changes, two-factor events, account deletion. We use this to detect abuse and to give you a record of your security events.
2. How we protect it
- Encryption in transit: all traffic is HTTPS / TLS.
- AES-256 protected sensitive fields: phone, tax ID, profile goal text, bank-connection tokens, chat message content, goal text, tax identifiers, employer / business names, and transaction description / merchant / account-reference fields are encrypted with AES-256-GCM at the application layer using a key stored only in our server environment. The database sees ciphertext for these fields.
- Operational reporting fields: some fields such as transaction amounts, dates, currencies, and categories remain readable by the system so reports, budgets, duplicate detection, and AI answers can work correctly.
- Row-level isolation: the database enforces, on every query, that one user can only read or modify their own rows.
- Two-factor authentication: available via any standard authenticator app. Required for sensitive actions like account deletion or bulk chat-history wipe.
- Access controls: our internal admin tooling uses a server-only credential never exposed to the browser.
3. How we use it
- To provide the core service — store and analyse your finances.
- To generate AI-assistant responses. Relevant context (transactions, profile fields you've supplied) is sent to our AI infrastructure partners per request. We do not sell or share your data with third parties for advertising.
- To send transactional emails (account confirmation, password reset) via Resend.
- To process subscription payments via Paystack, when you opt in to a paid tier.
4. Your rights
- Read your data: available via the dashboard and the data-export endpoint.
- Delete individual messages or transactions: anywhere they appear in the UI; deletion is immediate and permanent.
- Bulk-delete chat history: from settings; gated behind a fresh authenticator code.
- Delete your entire account: from settings; gated behind a fresh authenticator code. All your rows in our database are removed via cascade, and uploaded files are purged from object storage.
5. Sub-processors
We rely on the following providers to deliver the service. Each is contractually bound to handle your data securely:
- Supabase (database, authentication, file storage)
- Vercel (application hosting)
- AI infrastructure partners (LLM-backed assistant + retrieval)
- Resend (transactional email)
- Paystack (subscription payments)
- Upstash (rate-limit state)
- Sentry (error monitoring; PII redacted)
6. Data retention
We keep your data for as long as your account is active. When you delete your account, all personal data is purged within seven days, including database rows, file storage, and AI search index entries. Audit-log entries are retained for one year from the event date for security investigations, then deleted.
7. Children
Chat Your Finances is not directed at users under 18. We do not knowingly collect data from children.
8. Contact
For privacy questions or to exercise the rights above, email privacy@pneumalabs.org.