Privacy Policy
1. Introduction
This Privacy Policy describes how [TO REPLACE: Nova SE Ltda] ("Nova Finance", "we", "us") collects, uses, and protects personal information when you use the Nova Finance financial management application.
We are committed to protecting your privacy and complying with applicable data protection laws, including the Lei Geral de Proteção de Dados (LGPD — Law No. 13.709/2018, Brazil) and the General Data Protection Regulation (GDPR — EU Regulation 2016/679) where applicable.
2. Data We Collect
Account data
- Full name and email address
- Hashed password (we never store your password in plain text)
- Optional: phone number, CPF, gender, profile photo
- Language, currency, and theme preferences.
Financial data
- Transactions (amount, date, description, category, status)
- Accounts (name, type, currency, institution, balance)
- Categories and sub-categories
- Credit card statements and billing cycles
- Balance adjustments and transfer records.
Usage data
- Login timestamps and IP addresses (truncated for privacy)
- Browser/device user agent
- Feature usage events (errors, security events)
- Email delivery logs (sent, bounced).
Cookies and local storage
We use session cookies for authentication and local storage for preferences. See our Cookie Policy for full details.
We do NOT collect: direct access credentials to your bank accounts, open banking data, or any financial information beyond what you manually enter into the Service.
3. How We Use Your Data
- Providing the Service: displaying your transactions, generating reports, sending notifications you have enabled
- Security: detecting suspicious login attempts, enforcing account lockout, audit logging
- Transactional communications: password reset emails, email verification, security alerts, billing notifications
- Service improvement: diagnosing errors and improving reliability (using aggregated, anonymised data)
- Legal compliance: retaining records as required by applicable law.
We do NOT use your data for marketing purposes without your explicit prior consent. We do NOT sell your personal data to third parties.
4. Legal Bases for Processing
Under LGPD (Art. 7) and GDPR (Art. 6), we process your personal data on the following legal bases:
- Performance of contract: processing necessary to provide the Service you subscribed to
- Consent: processing based on your explicit agreement (optional cookies, marketing communications)
- Legitimate interest: security monitoring, fraud prevention, service reliability
- Legal obligation: retaining records required by Brazilian tax and commercial law.
5. Data Sharing
We do not sell, rent, or share your personal data with third-party advertisers or data brokers.
We share data only with the following sub-processors, all bound by data processing agreements:
- [TO REPLACE: Vercel / Railway / hosting provider]: application hosting and infrastructure
- Resend: transactional email delivery (password reset, verification, alerts)
- Vercel Blob: storage of profile avatar images.
We may disclose your data to law enforcement or judicial authorities if required by a valid legal order under Brazilian law.
6. Data Retention
- Active account: retained for as long as your account is active
- Deleted account: all personal data permanently deleted within 30 days of account deletion, except records subject to legal retention requirements
- Security logs (login events, failed attempts): retained for 12 months
- Email logs: retained for 12 months
- Billing records and invoices: retained for 5–10 years, depending on the period required by applicable fiscal law
- Database backups: rolling 30-day retention.
7. Your Rights
Under LGPD (Art. 18) and GDPR (Arts. 15–22), you have the following rights regarding your personal data:
- Access: view all your data via Account → Profile, or request a full export
- Rectification: update your information at any time via Account → Profile
- Erasure (right to be forgotten): permanently delete your account and all data via Account → Profile → Danger zone
- Portability: export your transaction and account data in CSV format via Account → Profile
- Restriction: contact our DPO to request restriction of processing
- Objection: opt out of non-essential notifications via Account → Notifications → Preferences
- Withdraw consent: manage cookie consent at any time via the Cookie preferences link in the footer
- Lodge a complaint: contact the ANPD (Brazil) at www.gov.br/anpd, or your local EU data protection authority.
8. Security Measures
We take the security of your data seriously and implement the following technical and organisational measures:
- Passwords hashed with Argon2id, a memory-hard hashing algorithm resistant to brute-force attacks
- Data encrypted at rest using AES-256
- Data in transit protected by TLS 1.3
- Two-factor authentication (2FA) available for all accounts, using TOTP (RFC 6238)
- 2FA secrets encrypted at rest using AES-256-GCM
- Account lockout after 5 consecutive failed login attempts
- Full audit log of security events (login, password change, 2FA changes)
- IP-based and user-based rate limiting on all sensitive endpoints.
9. International Data Transfers
Nova Finance's infrastructure is hosted on [TO REPLACE: Vercel/Railway — specify region, e.g., EU West, US East]. If personal data is transferred outside Brazil or the European Economic Area, we ensure adequate protection through Standard Contractual Clauses (SCCs) or equivalent mechanisms as required by LGPD and GDPR.
10. Children's Privacy
Nova Finance is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has created an account, please contact us immediately at [TO REPLACE: legal@gruponovase.com.br] so we can delete the account.
11. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you at least 30 days in advance via email and/or an in-app notification. The current version and effective date are always shown at the top of this page.
Continued use of the Service after the effective date constitutes acceptance of the revised Policy.
12. Contact & Data Protection Officer
For any questions or requests regarding this Privacy Policy or your personal data:
Legal enquiries: [TO REPLACE: legal@gruponovase.com.br]
Data Protection Officer (DPO): [TO REPLACE: dpo@gruponovase.com.br]
DPO name and contact: [TO REPLACE: Full name and contact details — required under LGPD Art. 41]
Company: [TO REPLACE: Nova SE Ltda] · CNPJ: [TO REPLACE: 00.000.000/0001-00] · [TO REPLACE: full address]