Privacy

Privacy Policy

This policy explains how Chiaro processes personal data when you use the application to manage wealth, expenses, assets, currencies, company contexts, imports, reports, and connected financial services.

Last updated: 22 May 2026

1. Data controller

Chiaro is the data controller for personal accounts and for the public website.

When a company or organization provides your workspace, that organization may be the controller for data it asks you to enter, and Chiaro may process that data as a processor under a separate agreement.

If a Data Protection Officer or EU representative is appointed, their contact details will be made available in this policy or in your workspace agreement.

Privacy requests can be sent to: gp@giovannipatruno.com

2. Personal data processing

We *do not process* your personal data for analytics, profiling, or any purpose other than providing the service. Our staff may access stored data only for technical reasons (for example, large database migrations and refactors) and only to the extent needed for that work.

Chiaro does not intentionally request special-category data. Be aware, however, that the financial records you enter (such as individual transactions and their counterparties) can still reveal sensitive information about you.

Data category: examples

  • Account and identity data: name, email address, authentication identifiers, roles, workspace membership, and user preferences.
  • Financial workspace data: wallets, bank accounts, transactions, income, expenses, assets, valuations, categories, notes, currencies, and reports.
  • Integration data: connected bank, open banking, VISA, or Tink connection metadata, imported transactions, account balances, provider identifiers, and sync logs.
  • Company context data: company profiles, ownership information, team membership, company-specific expenses, assets, income categories, and permissions.
  • Technical and security data: IP address, device and browser information, logs, error reports, and security events.
  • Communication data: support requests, feedback, administrative messages, and service communications.
  • Cookie and similar technology data: authentication, security, session, locale, preference, analytics, and consent records.

3. Sources of personal data

We collect personal data from the following sources.

  • You, when you create an account, configure preferences, enter financial records, or contact support.
  • Workspace owners or administrators, when they invite you, assign roles, or manage company contexts.
  • Connected providers, banks, open banking services, or payment-network integrations when you choose to enable them.
  • Our application, infrastructure, and security tools when you use the service.

4. Purposes and legal bases

Under GDPR, each processing purpose must have a legal basis. The main purposes and bases are listed below.

Purpose: legal basis

  • Provide the Chiaro application, including accounts, dashboards, asset tracking, expense tracking, imports, reports, and multi-currency features: performance of a contract.
  • Authenticate users, manage access, enforce permissions, and maintain workspace security: performance of a contract and legitimate interests.
  • Connect financial providers and import transactions, balances, or related metadata when you enable an integration: performance of a contract and consent, depending on the integration flow.
  • Protect the service, prevent abuse, detect errors, investigate incidents, and maintain audit trails: legitimate interests and legal obligation where applicable.
  • Respond to support requests, troubleshoot issues, and communicate about your account or workspace: performance of a contract and legitimate interests.
  • Comply with legal, tax, accounting, regulatory, court, or authority requests: legal obligation.

5. Sharing of personal data

We do not sell personal data, and we do not share it with third parties for their own purposes.

We share personal data only with the following categories of recipients, and only to the extent needed for the purposes described in this policy:

  • Hosting, database, storage, and infrastructure providers.
  • Authentication and identity providers, including Identity Provider.
  • Financial integration providers, open banking providers, banks, VISA, Tink, or similar services when you enable a connection.
  • Email, support, monitoring, logging, analytics, and security providers.
  • Workspace owners, administrators, and authorized members when data belongs to a company or shared context.
  • Professional advisers, courts, regulators, law enforcement, or public authorities where required or permitted by law.

6. International transfers

All personal data is stored and processed exclusively within the European Economic Area. No data is transferred outside European data centers.

Because all processing happens inside the EEA, we do not rely on international transfer mechanisms. Should processing arrangements change, we will update this policy and adopt appropriate safeguards such as Standard Contractual Clauses or equivalent lawful mechanisms.

7. Retention

We keep personal data only for as long as needed for the purposes in this policy, unless a longer retention period is required by law. You can delete your account yourself from within the application, which immediately *hard deletes* your data.

Record type: typical retention

  • Active account and financial workspace data: for as long as the account or workspace remains active.
  • Deleted account or workspace data: deleted or anonymized within a reasonable period after closure, unless retention is needed for legal, security, or dispute purposes.
  • Security, audit, and application logs: normally up to 12 months, unless a longer period is needed to investigate incidents or comply with legal duties.
  • Support and communication records: normally up to 3 years after the last interaction.
  • Billing, tax, accounting, and legal records: for the period required by applicable law, which may be up to 10 years in some jurisdictions.
  • Backups: deleted or overwritten according to the backup cycle and not used for ordinary processing.

8. Your rights

Where GDPR applies, you may exercise the following rights, subject to legal conditions and exceptions.

We will respond within the timeframes required by GDPR. Before acting on a request we may need to verify your identity, so that personal data is not disclosed to, or deleted at the request of, someone other than the data subject.

  • Access your personal data and receive information about how it is processed.
  • Correct inaccurate or incomplete personal data.
  • Request deletion of personal data where the legal conditions are met.
  • Request restriction of processing in certain situations.
  • Object to processing based on legitimate interests.
  • Receive a portable copy of data processed on the basis of consent or contract.
  • Withdraw consent at any time where processing is based on consent.
  • Lodge a complaint with your local data protection supervisory authority.

9. Cookies and similar technologies

We use strictly necessary cookies and similar technologies for authentication, security, session management, locale preferences, and core application functionality.

Optional analytics or marketing technologies are used only where permitted by law and, where required, after you have given consent. You can withdraw consent through the cookie or preference controls when available.

10. Security

We use technical and organizational measures designed to protect personal data, including access controls, encryption in transit, least-privilege permissions, logging, monitoring, backups, and security review.

11. Automated decision-making

Chiaro does not make decisions based solely on automated processing that produce legal or similarly significant effects on users.

12. Children

Chiaro is not intended for children under 16, and we do not knowingly collect personal data from children.

13. Changes to this policy

We may update this policy from time to time. Material changes will be communicated through the application, by email, or by another appropriate method.

14. Contact

For privacy questions, requests, or complaints, contact us at:

gp@giovannipatruno.com