Back to home
Lait

Privacy Policy

Last updated: April 6, 2026

1. Introduction

lait.finance ("we", "us", "our") is a personal finance and portfolio management platform operated by Carlos Muñoz from Barcelona, Spain. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our service at lait.finance.

2. Data Controller

The data controller responsible for your personal data is Carlos Muñoz, contactable at privacy@lait.finance. As a European-based service, we comply with the General Data Protection Regulation (GDPR) and applicable Spanish data protection laws.

3. Data We Collect

We collect the following categories of personal data: • Account data: Email address, name, and authentication credentials (managed by Clerk, our authentication provider). • Financial data: Bank account balances, transaction history, portfolio holdings, and asset valuations — collected through read-only Open Banking connections (via Enable Banking), manual entries, and CSV imports. • Usage data: Pages visited, features used, and interaction patterns to improve our service. • Technical data: IP address, browser type, and device information for security and abuse prevention.

4. How We Collect Data

Open Banking (PSD2): When you connect a bank account, we use Enable Banking as our licensed Account Information Service Provider (AISP). Connections are read-only — we can never initiate payments or move your money. You explicitly consent to each bank connection through your bank's own authorization flow. • Manual input: Data you enter directly (trades, assets, savings accounts). • CSV imports: Bank statement files you upload voluntarily. • API integrations: Read-only connections to crypto exchanges and wallets using API keys you provide.

5. Legal Basis for Processing

We process your data based on: • Consent: You explicitly authorize each bank connection and data source. • Contract: Processing necessary to provide the service you signed up for. • Legitimate interest: Security monitoring, abuse prevention, and service improvement.

6. How We Use Your Data

Your financial data is used exclusively to: • Aggregate and display your portfolio, net worth, and financial overview. • Categorize transactions using AI-assisted classification (GPT-4o-mini). • Generate personalized insights through our AI advisor. • Calculate performance metrics, allocation breakdowns, and historical trends. We do not use your data for advertising, profiling, or credit scoring.

7. AI Processing

We use OpenAI (GPT-4o-mini) to automatically categorize bank transactions. Transaction descriptions are sent to OpenAI for classification purposes only. OpenAI does not use this data for training. You can manually correct any AI-assigned category, and your corrections improve future categorization accuracy for your account only.

8. Data Storage & Security

Infrastructure: All data is hosted on European infrastructure (Neon Postgres database in EU region, Vercel EU edge network). • Encryption: Data is encrypted at rest (AES-256) and in transit (TLS 1.3). • API credentials: Exchange API keys are encrypted before storage and are never exposed in API responses. • Access control: Each user can only access their own data. Admin access is restricted to the platform operator. • Read-only access: All bank and exchange connections use read-only permissions. We cannot move, transfer, or modify your funds.

9. Data Sharing

We share data only with the following third-party processors, strictly necessary to provide the service: • Clerk (authentication) — processes email and login data. • Enable Banking (Open Banking) — facilitates read-only bank connections under PSD2. • Neon (database) — hosts your encrypted financial data in the EU. • Vercel (hosting) — serves the application. • OpenAI (AI categorization) — processes transaction descriptions for classification. We do not sell, rent, or share your personal data with advertisers, data brokers, or any other third parties.

10. Data Retention

Account data: Retained while your account is active. Deleted within 30 days of account deletion. • Financial data: Retained while your account is active. You can delete individual records at any time. • Bank connections: OAuth consent is valid for up to 90 days (per PSD2). Expired consents are not renewed without your explicit re-authorization. • AI categorization data: Stored as part of your transaction records. Deleted when you delete the corresponding transactions.

11. Your Rights (GDPR)

Under the GDPR, you have the right to: • Access: Request a copy of all personal data we hold about you. • Rectification: Correct any inaccurate data. • Erasure: Request deletion of your data ("right to be forgotten"). • Portability: Receive your data in a structured, machine-readable format. • Restriction: Limit how we process your data. • Objection: Object to processing based on legitimate interest. • Withdraw consent: Revoke any bank connection or data permission at any time through Settings. To exercise these rights, contact us at privacy@lait.finance. We will respond within 30 days.

12. Cookies

We use only essential cookies required for authentication and session management. We do not use advertising, tracking, or analytics cookies. No cookie consent banner is needed as we only use strictly necessary cookies.

13. Children

lait.finance is not intended for users under 18 years of age. We do not knowingly collect data from minors.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Significant changes will be communicated via email or in-app notification. The "Last updated" date at the top reflects the most recent revision.

15. Contact

For any questions about this Privacy Policy or your personal data, contact: Carlos Muñoz Barcelona, Spain privacy@lait.finance