
Privacy Policy
The short version: your financial data is yours. Read-only access, encrypted, hosted in the EU, and never sold.
Last updated: June 4, 2026
Introduction
lait.finance ("we", "us", "our") is a personal finance and portfolio management platform operated from Barcelona, Spain. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our service at lait.finance.
Data Controller
The data controller responsible for your personal data is Carlos Muñoz, contactable at privacy@lait.finance. As a European-based service, we comply with the General Data Protection Regulation (GDPR) and applicable Spanish data protection laws.
Data We Collect
We collect the following categories of personal data:
- Account data: Email address, name, and authentication credentials (managed by Clerk, our authentication provider).
- Financial data: Bank account balances, transaction history, portfolio holdings, and asset valuations — collected through read-only Open Banking connections (via Enable Banking), manual entries, and CSV imports.
- Usage data: Pages visited, features used, and interaction patterns to improve our service.
- Technical data: IP address, browser type, and device information for security and abuse prevention.
How We Collect Data
- Open Banking (PSD2): When you connect a bank account, we use Enable Banking as our licensed Account Information Service Provider (AISP). Connections are read-only — we can never initiate payments or move your money. You explicitly consent to each bank connection through your bank's own authorization flow.
- Manual input: Data you enter directly (trades, assets, savings accounts).
- CSV imports: Bank statement files you upload voluntarily.
- API integrations: Read-only connections to crypto exchanges and wallets using API keys you provide.
Legal Basis for Processing
We process your data based on:
- Consent: You explicitly authorize each bank connection and data source.
- Contract: Processing necessary to provide the service you signed up for.
- Legitimate interest: Security monitoring, abuse prevention, and service improvement.
How We Use Your Data
Your financial data is used exclusively to:
- Aggregate and display your portfolio, net worth, and financial overview.
- Categorize transactions using AI-assisted classification (see section 7).
- Generate personalized insights and answer your questions through our AI advisor.
- Calculate performance metrics, allocation breakdowns, and historical trends.
We do not use your data for advertising, profiling, or credit scoring.
AI Processing
Some features rely on third-party AI providers. We use them only when you trigger the feature, and we send the minimum data needed:
- Transaction categorization: we use OpenAI to classify transaction descriptions that our automatic rules cannot match. Rule-based matching runs first, so we send only the descriptions that fail it — not all your transactions.
- AI advisor (chat) & monthly insights: when you use the advisor or open AI insights, we send the relevant portfolio context to the AI provider you selected — OpenAI, Anthropic, or Google (for web-search-grounded answers).
- Asset valuation estimates & research briefs: when you request an estimate or research a ticker, the asset details or ticker are sent to Google.
- News headline translation: public market-news headlines are translated via Google.
Where a selected provider is unavailable, a request may fall back to another of the providers named above. Transaction categorization does not produce fully automated decisions that affect your legal or material rights — you can manually correct any AI-assigned category at any time, and your corrections improve future accuracy for your account only.
Data Storage & Security
- Infrastructure: All data is hosted on European infrastructure (Neon Postgres database in EU region, Vercel EU edge network).
- Encryption: Data is encrypted at rest (AES-256) and in transit (TLS 1.3).
- API credentials: Exchange API keys are encrypted before storage and are never exposed in API responses.
- Access control: Each user can only access their own data. Admin access is restricted to the platform operator.
- Read-only access: All bank and exchange connections use read-only permissions. We cannot move, transfer, or modify your funds.
Sub-processors
We share data only with the following third-party processors, each strictly necessary to provide the service:
- Clerk (authentication) — processes your email, name, and login data.
- Enable Banking (Open Banking / PSD2) — facilitates read-only bank connections; processes balances and transactions.
- SnapTrade (brokerage connections) — facilitates read-only connections to your brokerage accounts; processes holdings and balances.
- Neon (database) — hosts your financial data in the EU.
- Vercel (hosting & infrastructure) — serves the application and, via Vercel Analytics and Speed Insights, processes anonymized usage and performance metrics.
- OpenAI — processes transaction descriptions for categorization, and portfolio context when you use the AI advisor.
- Anthropic — processes portfolio context when you use the AI advisor.
- Google — processes ticker/asset details for research and valuation estimates, news headlines for translation, and queries for web-search-grounded AI answers.
- Sentry — receives application error reports and diagnostic data for debugging and stability (we configure it not to send default personal-data fields).
Each processor is bound by a Data Processing Agreement. Some (OpenAI, Anthropic, Google, Sentry, Clerk) process data in the United States; these transfers are governed by the EU Standard Contractual Clauses included in each provider's DPA. SnapTrade processes brokerage-connection data in Canada, which the EU recognizes as providing an adequate level of data protection.
We do not sell, rent, or share your personal data with advertisers, data brokers, or any other third parties.
Data Retention
- Account data: Retained while your account is active. Deleted within 30 days of account deletion.
- Financial data: Retained while your account is active. You can delete individual records at any time.
- Bank connections: OAuth consent is valid for up to 90 days (per PSD2). Expired consents are not renewed without your explicit re-authorization.
- AI categorization data: Stored as part of your transaction records. Deleted when you delete the corresponding transactions.
Your Rights (GDPR)
Under the GDPR, you have the right to:
- Access: Request a copy of all personal data we hold about you.
- Rectification: Correct any inaccurate data.
- Erasure: Request deletion of your data ("right to be forgotten").
- Portability: Receive your data in a structured, machine-readable format.
- Restriction: Limit how we process your data.
- Objection: Object to processing based on legitimate interest.
- Withdraw consent: Revoke any bank connection or data permission at any time through Settings.
- Lodge a complaint: File a complaint with your data protection supervisory authority — in Spain, the Agencia Española de Protección de Datos (AEPD, aepd.es) — if you believe we have not respected your rights.
To exercise these rights, contact us at privacy@lait.finance, or use the data export and account-deletion tools in Settings. We will respond within 30 days.
Children
lait.finance is not intended for users under 18 years of age. We do not knowingly collect data from minors.
Changes to This Policy
We may update this Privacy Policy from time to time. Significant changes will be communicated via email or in-app notification. The "Last updated" date at the top reflects the most recent revision.
Contact
For any questions about this Privacy Policy or your personal data, contact us at privacy@lait.finance.