Nossas Finanças

Privacy Policy

Last updated: July 2026

Who is responsible

Nossas Finanças (nossasfinancas.com.br), operated by Marcelo Salgado Caliman (an individual), is the party responsible (controller) for processing your personal data. To exercise any right below or to talk about privacy, write to contato@nossasfinancas.com.br.

How we protect your data

Your financial data is encrypted on your device (E2EE) with a key derived from your password. The server receives and stores only ciphertext — never your values in the clear, nor your password, nor the key.

What data we process

Email — to create the account, authenticate and send essential emails (confirmation, password reset).

Encrypted vault — the blob with your financial data, already encrypted on your device. To us it is unreadable text.

Minimal technical metadata — approximate vault size, sync dates/versions and the provider's security logs. No behavioral profiles, no tracking cookies, no ads.

Market quotes — to convert currencies and show references like gold and bitcoin, our server fetches public prices using only currency pairs and public symbols (e.g., EUR/BRL, XAU, BTC). None of your data — neither your assets nor your values (which stay encrypted) — is sent or stored.

Support messages — if you open a ticket (in the app or via the contact form), we store your email and the message content in readable text (not encrypted like the vault), because we need to read them to reply. For that reason, do not include your password, recovery code or account numbers in those messages. Images you attach are reachable via an unlisted (unguessable) link — avoid attaching sensitive content.

Pro subscription (if you subscribe) — status, plan and subscription dates, plus Stripe identifiers. Never your card details (those stay only with Stripe). This is metadata, not the vault's financial data.

Legal basis and purpose

We process your email and the encrypted vault to provide the service you signed up for when creating the account (LGPD art. 7, V / GDPR art. 6(1)(b)) and, when you consent, based on your consent. The sole purpose is to make the app work and sync — nothing beyond that.

Who we share with

We use providers that operate solely to deliver the service, under contract:

Supabase — authentication and storage of the encrypted vault.

Vercel — hosting of the app and the function that fetches quotes.

Resend — sending our emails (confirmation, password reset and support notifications). Receives only your email and the message content.

Exchange & market-reference APIs (Frankfurter, Coinbase) — receive only currency pairs and public symbols (e.g., gold, bitcoin), never personal or financial data. We do not sell your data.

Stripe — processes Pro plan payments. Your card details go straight to Stripe (encrypted); we never see or store them. On our side we keep only the subscription status (active/canceled) and Stripe identifiers — metadata, not the vault's financial data.

International transfer

These providers may process data on servers outside Brazil/the EU. Because the financial content always travels encrypted, it remains unreadable wherever it is stored.

How long we keep it

For as long as your account exists. When you delete your account, the encrypted vault and the registration are erased; provider backups expire on their own cycles. Payment/subscription records (at Stripe and the identifiers on our side) may be kept for the applicable legal/tax period, even after cancellation.

Cookies

Only what is essential to keep you logged in (the authentication session). We do not use marketing cookies, invasive analytics or cross-site tracking.

Usage metrics (anonymous)

To understand usage and improve the product, we record non-identifiable events (e.g., a landing visit, sign-up, app open), the approximate country (the IP is never stored) and the device type. It is first-party analytics, without cookies and never tied to your account — there is no individual profile, nor financial data. An anonymous count of open sessions may appear as “online now”, without identifying anyone. Legal basis: legitimate interest (LGPD art. 7, IX / GDPR art. 6(1)(f)); you may object.

Your rights (LGPD/GDPR)

You own your data and may, at any time: access and port it (Settings → Data → Export/CSV), correct it (by editing in the app), delete your account (Settings → Account, which erases the vault forever) and withdraw consent. For the other rights (confirmation, objection, review) or questions, write to the contact above — we reply within the legal deadlines. You may also complain to a data protection authority: the ANPD (Brazil) or, if you are in the European Union, your country's authority.

Honest limits (please read)

• E2EE protects the copy on the server, not your device: in your browser the data is readable while the vault is unlocked.

• The login password travels to the authentication provider over TLS (standard model).

• Residual risk of malicious code in the browser (XSS) — mitigated by a strict security policy, not eliminated.

Losing your password AND your recovery code = unrecoverable data. That is what makes the app truly private. The only way to recover the vault is the recovery code — there is no email recovery of the encrypted data.

© 2026 Nossas Finanças · nossasfinancas.com.br · Terms of Service