1. Data controller
• Controller: NeoCapita • Privacy contact: privacidad@neocapita.app You can exercise your GDPR rights by writing to that address.
2. Data we collect
NeoCapita only collects the data needed to provide the service: ACCOUNT DATA • Email address (for authentication via Firebase Auth) • Username (optional, chosen by the user) FINANCIAL DATA ENTERED BY THE USER • Income and expense transactions • Bank account balances • Loans and debts • Recurring and fixed expenses • Savings goals ARTIFICIAL INTELLIGENCE FEATURES • Photos of purchase receipts captured with the camera, sent to the Google Gemini API for analysis. NeoCapita does not store these images once processed. • Text from expense descriptions, financial-assistant queries and monthly summaries, processed via the Groq API to categorize transactions and generate analysis. Only the necessary text is sent, never your identity or credentials. All calls to these AI services are made through our secure servers (Firebase Cloud Functions); the access keys are never in the app. TECHNICAL DATA • Firebase session data for the proper functioning of the service. • A device identifier managed by OneSignal, solely to send you push notifications (e.g. alerts when your partner records an expense). • Anonymous usage and crash-diagnostics data (Firebase Analytics and Crashlytics) to improve the app's stability. BETA FORM DATA (web) • If you request access to the beta from our website, we collect your name and email for the sole purpose of inviting you to the TestFlight or Google Play beta.
3. Purpose and legal basis
• Service provision and cloud sync → legal basis: performance of a contract (art. 6.1.b GDPR) • AI features (receipt analysis, expense categorization, assistant and summaries) → legal basis: the user's explicit consent (art. 6.1.a GDPR). Only processed when the user starts the feature voluntarily. • Push notifications (OneSignal) → legal basis: consent (art. 6.1.a GDPR). You can revoke it at any time from your device settings. • Handling the beta request → legal basis: consent of the data subject (art. 6.1.a GDPR). • Security and fraud prevention → legal basis: legitimate interest (art. 6.1.f GDPR)
4. Storage and international transfers
Your data is stored on Google Firebase (Firestore) servers, hosted in the European Union. Firebase is GDPR compliant and provides adequate safeguards (standard contractual clauses) for data transfers outside the EEA when necessary. The AI features use the Google Gemini and Groq APIs, and push notifications use OneSignal; their servers may be located outside the EEA. These providers act as data processors under the standard contractual clauses approved by the European Commission.
5. Retention period
• Account data and financial data: while you keep your account active, plus an additional period of 30 days after a deletion request (for potential recovery). • Receipt images and text sent to the AI: not stored on any NeoCapita server. They are sent to Google Gemini or Groq, the response is processed and the content is discarded. • Beta form data: kept for the duration of the testing period and deleted when the beta ends.
6. Data sharing
NeoCapita does not sell or share your personal data with third parties for commercial purposes. Data is only shared with: • Google Firebase: storage, authentication and cloud functions (data processor) • Google Gemini API: analysis of receipt images (data processor) • Groq API: expense categorization, financial assistant and monthly summaries (data processor) • OneSignal: sending push notifications (data processor) • Members of the same "shared household": if the user voluntarily enables this feature, the household's financial data will be visible to all invited members.
7. Your GDPR rights
As a user, you have the right to: • Access: request a copy of the data we process about you • Rectification: correct inaccurate data • Erasure ("right to be forgotten"): request the deletion of your data • Portability: receive your data in a structured, machine-readable format • Objection and restriction: object to certain processing or request its restriction • Withdrawal of consent: at any time, without affecting the lawfulness of prior processing To exercise any of these rights, write to us at privacidad@neocapita.app. We will respond within a maximum of 30 days. If you believe the processing is not compliant, you may lodge a complaint with the Spanish Data Protection Agency (www.aepd.es).
8. Security
NeoCapita implements appropriate technical and organizational measures to protect your data against unauthorized access, loss or disclosure, including: • Secure authentication via Firebase Authentication • Encrypted communications in transit (HTTPS/TLS) • Firestore security rules so that only the household owner can access their data • Encrypted local storage on the device (SharedPreferences with OS-level encryption)
9. Minors
NeoCapita is not directed at children under 16 and we do not knowingly collect data from minors. If you are a parent or guardian and believe your minor child has created an account, contact us at privacidad@neocapita.app and we will delete their data immediately.
10. Device permissions
NeoCapita may request the following permissions: • Camera: only to photograph purchase receipts when the user starts the AI scan feature. The gallery is not accessed without an explicit request. • Notifications: for payment reminders of fixed expenses and debts. You can revoke this permission at any time from your device settings. No permission is requested without an explicit user action that justifies it.
11. Changes to this policy
We may update this Privacy Policy occasionally. When we do, we will update the date at the top of the document and, if the changes are significant, we will notify you through the app or by email.
Contact and exercise of rights
For any questions about this policy or to exercise your GDPR rights:
privacidad@neocapita.app
Spanish Data Protection Agency
www.aepd.es