Privacy Policy

Last updated: 9 May 2025

1. Data Controller

The data controller is Firestarter, contactable at privacy@firestarter.app. This Privacy Policy describes how we collect, use, store and protect the personal data of Platform users, in compliance with the General Data Protection Regulation (GDPR — Regulation (EU) 2016/679), the UK GDPR, and where applicable, the Brazilian General Data Protection Law (LGPD — Law No. 13,709/2018).

2. Personal Data Collected

We collect: email address, financial data entered voluntarily (income, expenses, savings, portfolio — never direct banking data), age, country of residence, language preference. Automatically collected data: anonymised IP, browser type, OS, pages visited. Payment data processed exclusively by Stripe — we do not store card data.

3. Purpose and Legal Basis

We process data on the basis of: contract performance (provision of the Service); legitimate interest (security, fraud prevention, Service improvement); consent (marketing, non-essential cookies — withdrawable at any time); legal obligation (tax and accounting records).

4. Cookies and Tracking Technologies

We use essential cookies (required for operation), analytics cookies via PostHog (with consent, anonymised data) and Stripe cookies for payments. We do not use cookies for behavioural advertising. We do not sell data to advertising networks.

5. Data Sharing with Third Parties

We share data only with: Supabase (storage, EU servers), Stripe (payments), Anthropic (AI processing), Resend (transactional emails), PostHog (anonymous analytics). We do not sell personal data. We do not share data with advertising networks. We comply with lawful authority requests and notify Users where legally permitted.

6. International Transfers

Some suppliers are based in the USA. Transfers outside the EEA are made under Standard Contractual Clauses approved by the European Commission (Art. 46 GDPR). UK Users benefit from equivalent protections under UK GDPR.

7. Data Retention

Account data: for the duration of the account and 30 days after cancellation. Financial data: deleted within 30 days of account cancellation. Tax and payment records: 10 years (legal obligation). Anonymous analytics data: may be retained indefinitely as it does not constitute personal data. Security logs: 90 days.

8. Your Rights

Under GDPR and UK GDPR, you have the right to: access your data; rectify inaccurate data; erasure ("right to be forgotten"); restriction of processing; data portability; object to processing based on legitimate interest; not be subject to solely automated decisions. Exercise your rights at: privacy@firestarter.app. You may also lodge a complaint with: ICO (UK): www.ico.org.uk | CNPD (Portugal): www.cnpd.pt

9. Security

We implement appropriate technical and organisational measures including: encryption in transit (TLS 1.2+) and at rest; role-based access control; multi-factor authentication for internal systems; security monitoring and audit logs; periodic penetration testing. In the event of a personal data breach posing risk to Users, we will notify the relevant supervisory authority within 72 hours and affected Users without undue delay.

10. Children's Data

The Service is not directed at children under 16. We do not knowingly collect data from children under 16. If you believe we have collected a child's data, contact us at privacy@firestarter.app.

11. Changes and Contact

We may update this Policy periodically, with 30 days' advance notice for material changes. Contact: privacy@firestarter.app | ICO: www.ico.org.uk | CNPD: www.cnpd.pt | ANPD: www.gov.br/anpd