Privacy Policy

At ControlarGastos we handle your personal data with the care it deserves. This policy explains in detail what we collect, why, with whom we share it and how you can exercise your rights.

Last updated:

1. Data controller

The controller of the personal data collected through this website is ControlarGastos, hereinafter "the Service".

For any query relating to privacy or the exercise of your rights you can write to us at [email protected].

2. Data we process and why

We only collect what is strictly necessary for the Service to work. These are the data we persist and the purpose of each:

2.1 User account

  • Email — unique account identifier, transactional communications (verification, password recovery).
  • Name — personalisation within the Service.
  • Password — stored exclusively as a bcrypt hash; never in plain text and not recoverable.
  • Language and currency — display preferences.
  • Verification status, lock status and reason — access control and anti-fraud.
  • Temporary password-recovery token — valid for a limited period and deleted after use.
  • Interface preferences — your personal UI configuration, stored in JSON format.

2.2 Sessions and sign-in

  • User-Agent of the browser and device used to sign in.
  • SHA-256 hash of the IP address — we use a hash, not the plain IP, to detect token reuse and possible security incidents without storing the original address.
  • Refresh token hash and expiry or revocation dates.

2.3 Waiting list

  • Email and the plan of interest you indicate.
  • IP address at the time of subscription, kept to prevent automated abuse.

2.4 AI assistant and receipt analysis

  • The messages you send to the assistant and the generated responses, together with a model identifier and aggregated cost metrics.
  • Receipt images you upload so that the system can automatically extract their data.
  • IP address associated with the use of these features, for quota control and abuse prevention.

2.5 Financial data you enter

Expenses, income, debts, purchase items, amounts, tags, merchants and any other data you choose to record in the Service. This data belongs to you, is private, is not monetised, is not shared with third parties for commercial purposes and is not used to train artificial intelligence models.

3. Legal bases (GDPR art. 6)

Purpose | Legal basis
Create and manage your account, provide the Service | Performance of a contract (art. 6(1)(b))
Store and display your financial data | Performance of the contract (art. 6(1)(b))
Subscription to the waiting list | Consent (art. 6(1)(a))
AI assistant and receipt analysis | Implied consent when using the feature (art. 6(1)(a))
Detection of fraudulent use, quota control, security logs | Legitimate interest (art. 6(1)(f))
Strictly technical cookies | Performance of the contract (art. 6(1)(b))

4. Processors

To provide the Service we rely on providers that act as processors under contract and with adequate safeguards:

  • Shared hosting provider in the European Union — hosting of the application, database and backups.
  • Cloudflare, Inc. (United States) — anti-bot protection via Cloudflare Turnstile on public forms. Transfer covered by the Standard Contractual Clauses (SCC) approved by the European Commission.
  • OpenRouter, Inc. (United States) — artificial intelligence model gateway used for the assistant and receipt analysis. Transfer covered by SCC.
  • Transactional email provider based in the European Union — sending verification, password-recovery and waiting-list notification emails (service currently being activated; this policy will be updated when it goes live).

5. International transfers

Some processors (Cloudflare, OpenRouter) are established outside the European Economic Area. These transfers are carried out under the Standard Contractual Clauses approved by the European Commission (Decision 2021/914), with additional technical measures such as encryption in transit.

6. Retention periods

  • User account and financial data — while the account is active. After voluntary cancellation, we keep the data for 30 days as a grace period for recovery; after that period it is permanently deleted.
  • Waiting-list subscription — until the corresponding plan launches or until you ask to be removed.
  • Application logs — daily rotation with a maximum of 14 days.
  • Session tokens — deleted on expiry or 30 days after revocation.
  • Assistant messages and receipt analysis — kept as personal history in your account until you delete them or cancel your account.

7. Your rights

You can exercise the following rights recognised by the GDPR at any time:

  • Access — request a copy of the personal data we process about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — request the deletion of your data when it is no longer necessary.
  • Objection — object to processing based on legitimate interest.
  • Restriction — ask us to restrict processing in specific cases.
  • Portability — receive your data in a structured, machine-readable format.
  • Withdrawal of consent — where processing is based on it, without affecting the lawfulness of processing before withdrawal.

To exercise any of these rights, write to us at [email protected] indicating the right you wish to exercise and, where necessary, any information that allows us to verify your identity as the account holder.

8. Complaint to the supervisory authority

If you believe that the processing of your data does not comply with the regulations, you can lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, www.aepd.es), although we would be grateful if you would first give us the opportunity to resolve the matter directly.

9. Security

We apply reasonable technical and organisational measures to protect your data:

  • Encryption in transit using TLS for all communications.
  • Storage of passwords as a bcrypt hash, with no possibility of recovery.
  • SHA-256 hashing of the IP addresses associated with sessions, instead of the plain IP.
  • Rotation of session tokens and automatic revocation upon detected reuse attempts.
  • Internal access restricted to strictly necessary personnel.

No system is infallible: if we detect a security breach affecting your data, we will notify you without undue delay and within the timeframes set out by the regulations.

10. Minors

The Service is not directed at children under 14. If you are under that age, you must not register or provide us with personal data. If we detect an account belonging to a child under 14, we will close it.

11. Changes to this policy

We may update this Privacy Policy to reflect changes in the Service or in the applicable regulations. When the changes are substantial we will notify you by email or via a prominent notice within the Service. The date of the last update appears at the top of this page.