Privacy policy
Last updated: 2026-05-26
Introduction and data controller
This Privacy Policy explains how Kiskadees ("we", "us", or "our") collects, uses, stores, shares, and protects personal data when you access or use our personal finance platform, including our marketing website, web application, API, and related services (collectively, the "Service").
The data controller responsible for processing your personal data is Kiskadees. If you have questions about this policy, wish to exercise your privacy rights, or need to contact our privacy team, email us at support@kiskadees.com.
We process personal data in compliance with the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados — LGPD, Law No. 13.709/2018) and, where applicable, the European Union General Data Protection Regulation (GDPR). By using the Service, you acknowledge that you have read this Privacy Policy.
Data we collect
Account and identity data: when you register, we collect your name, email address, password (stored in hashed form), preferred language, display currency, and optional profile information you choose to provide. If you sign in with Google, Apple, or Facebook, we receive basic profile data (such as name and email) from the provider you choose, in accordance with their privacy policies.
Financial and usage data: to deliver the Service, we process data you enter or import, such as accounts, transactions, categories, budgets, goals, balances, and CSV imports. We also collect technical usage data, including IP address, browser type, device information, pages viewed, session identifiers, and error logs.
Payment data: if you subscribe to a paid plan, billing is handled by Stripe. We receive subscription status, plan type, billing period, and limited payment metadata from Stripe. We do not store full credit card numbers on our servers.
Purposes and legal bases
We use personal data to provide, maintain, and improve the Service; authenticate users; synchronize financial records; process subscriptions; send transactional communications; prevent fraud and abuse; comply with legal obligations; and respond to support requests.
Under the LGPD, processing is based on grounds such as consent (Art. 7, I), performance of a contract (Art. 7, V), compliance with legal obligations (Art. 7, II), and legitimate interests (Art. 7, IX), such as securing the platform and analyzing aggregated usage. Where required, we obtain your consent before processing for optional purposes.
Under the GDPR, where applicable, we rely on legal bases including contract performance (Art. 6(1)(b)), legal obligation (Art. 6(1)(c)), legitimate interests (Art. 6(1)(f)), and consent (Art. 6(1)(a)) for non-essential cookies and marketing analytics. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.
Third-party service providers
We use trusted processors to operate the Service. Each provider processes data only under our instructions and subject to appropriate safeguards:
Stripe — payment processing, subscription management, invoicing, and fraud prevention. Stripe may process billing name, email, payment method details, and transaction records. See Stripe's privacy policy at https://stripe.com/privacy.
Vercel — hosting and delivery of our marketing website and web frontend, including request logs and performance metrics. See https://vercel.com/legal/privacy-policy.
Render — hosting of our API and backend services, including application logs necessary for operation and security. See https://render.com/privacy.
Supabase — managed PostgreSQL database hosting where your account and financial data are stored, with encryption in transit and at rest. See https://supabase.com/privacy.
Google Tag Manager (GTM) — tag management for analytics and marketing measurement when enabled. See https://policies.google.com/privacy.
Google Sign-In, Sign in with Apple, and Meta (Facebook) Login — social authentication when enabled; each provider processes sign-in data under its own policy (https://policies.google.com/privacy, https://www.apple.com/legal/privacy/, https://www.facebook.com/privacy/policy/).
Retention and security
We retain personal data for as long as your account is active and as needed to provide the Service, resolve disputes, enforce agreements, and comply with legal obligations. Backup copies may persist for a limited period after deletion.
When you delete your account or request erasure, we delete or anonymize personal data within a reasonable timeframe, except where retention is required by law or necessary to establish, exercise, or defend legal claims.
We implement technical and organizational measures appropriate to the risk, including encryption in transit (TLS), hashed passwords, access controls, audit logging, and infrastructure security provided by our hosting partners. No method of transmission or storage is completely secure; please use a strong, unique password and keep your credentials confidential.
Your rights as a data subject
Depending on your location, you may have the following rights regarding your personal data: confirmation of processing; access; correction of incomplete, inaccurate, or outdated data; anonymization, blocking, or deletion of unnecessary or unlawfully processed data; portability; information about sharing; revocation of consent; and objection to processing based on legitimate interests.
Under the LGPD, you may also request a review of decisions made solely on the basis of automated processing that affect your interests. Under the GDPR, where applicable, you may also have the right to restrict processing, object to direct marketing, and lodge a complaint with a supervisory authority in your country of residence.
To exercise your rights, email support@kiskadees.com with sufficient information to verify your identity. We will respond within the timeframes required by applicable law, generally within 15 days under the LGPD or one month under the GDPR, which may be extended where permitted.
International data transfers
Kiskadees may process your data in Canada, the United States, Brazil, the European Union, or other countries where our service providers maintain infrastructure.
When personal data is transferred internationally, we implement safeguards required under Canadian privacy law and other applicable regimes, including contractual clauses and other recognized transfer mechanisms.
By using the Service, you understand that your data may be transferred to jurisdictions with different data protection standards than your province or territory, subject to the safeguards described in this policy.
Changes to this policy and contact
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or the Service. When we make material changes, we will post the updated policy on this page and update the "Last updated" date.
If changes significantly affect your rights, we may provide additional notice, such as by email or an in-app notification. Continued use of the Service after the effective date of an update constitutes acknowledgment of the revised policy, except where further consent is required by law.
For privacy questions, data subject requests, or complaints, contact us at support@kiskadees.com. We will endeavor to resolve concerns promptly and in accordance with applicable data protection laws.