Privacy Policy
At a glance
We only store the data we need to run the app.
We never sell your financial data to anyone.
We use AI (OpenAI and Google Gemini) to process your transactions; we tell you exactly what we send them.
You can request account deletion at any time, and we erase everything within 30 days.
Who we are
This Policy describes how MyGuita collects, uses, shares, and protects your personal information when you use our mobile app, website, and related services (collectively, the “Service”).
Data controller: MyGuita, located in Argentina.
Contact: support@myguita.com
Scope and acceptance
By creating an account or using MyGuita, you accept this Policy. If you do not agree, please do not use the Service.
MyGuita is intended for users 13 years or older (16 in the European Union). We do not knowingly collect data from minors. If you believe a minor has sent us information, contact us at support@myguita.com and we will delete it.
What data we collect
Account and identity data: email, name, authentication ID (Firebase UID). If you sign up with Google, we receive your email and public Google profile.
Financial data you upload: transactions (income and expenses) with amount, description, category, date, and currency; PDF files of bank and credit card statements; images you attach; payment methods (type, brand, last 4 digits — never the full number); recurring transaction rules.
Preferences: language, theme (light/dark), primary currency, preferred exchange rate, notification settings.
Device data: push notification token, device type, operating system, crash and technical error information.
Data we do NOT collect: we do not ask for or store your national ID, tax ID, full credit card number, online banking credentials, location, contacts, or calendar.
Why we use your data
Providing the Service (contract performance): authenticate you, store your transactions, process statements, show you your finances, and send notifications you requested.
AI processing (explicit consent): categorize transactions, extract data from bank statements, reply in chat, and generate forecasts and alerts. We ask for your consent in-app before the first use of the AI chat; we store it at the account level and you can revoke it at any time from Settings.
Security and fraud prevention (legitimate interest): detect unauthorized access, duplicates, and abuse.
Improving the product (legitimate interest): understand how the app is used through aggregated metrics and error reports.
Legal compliance (legal obligation): respond to lawful requests from competent authorities when required.
AI processing
MyGuita uses external AI providers to categorize transactions, extract information from bank statements, and respond in chat. This section is important: we tell you exactly what we do.
Providers we use:
OpenAI (GPT models): we process chat messages, dictated audio (transcription), and context from your transactions to generate responses and suggestions.
Google Gemini: we process PDF files of bank statements and images to extract transactions and categorize them automatically.
Langfuse: technical observability of AI calls (latency, errors, tokens); may contain snippets of inputs and outputs for debugging.
What we send them: your chat message content, transactions relevant to the context, available categories, your language, and the PDF/image when you upload a statement.
What we do NOT send them: your password, session tokens, full card numbers, or third-party credentials.
Provider retention: we use these services’ APIs with configurations where data is not used to train models. OpenAI retains API data for up to 30 days for abuse monitoring; Google Gemini applies similar policies.
Automated decisions: MyGuita does not make legally significant decisions about you automatically. Categories and predictions are suggestions that you can always edit.
You can revoke your consent any time from **Settings → AI processing**. If you disable it, the MyGuita AI chat and automatic statement parsing become unavailable, but the rest of the app keeps working normally.
Who we share data with (subprocessors)
We do not sell your data. We only share it with providers that help us operate the Service, and only to the extent necessary.
| Provider | Purpose | Location |
|---|---|---|
| Firebase Auth (Google LLC) | Authentication | USA |
| Firebase Crashlytics (Google LLC) | Crash reporting | USA |
| Sentry | Error reporting (mobile) | USA |
| OpenAI | Generative AI / transcription | USA |
| Google Gemini | AI for PDF processing | USA |
| Langfuse | AI observability | USA / EU |
| Cloudflare R2 | PDF and image storage | Global (CDN) |
| Expo / Apple / Google (FCM, APNs) | Push notifications | USA |
| ExchangeRate-API / DolarAPI | Currency exchange rates | USA / Argentina |
| PostHog | Product analytics (optional) | USA / EU |
We may also share data when required by law, a court order, or to protect the rights, property, or safety of MyGuita or its users.
International transfers
Some providers are located outside of Argentina, primarily in the United States. By using MyGuita you accept that your data will be transferred to these countries. We ensure providers apply adequate protection standards (standard contractual clauses and equivalent measures where applicable).
Security
We protect your data with reasonable technical and organizational measures:
Encryption in transit: all communication uses HTTPS/TLS.
Authentication: Firebase Auth with short-lived tokens; passwords for email/password accounts are protected with bcrypt.
Access control: only authorized personnel can access our systems, and access is logged.
Face ID / biometrics: processed locally on your device and never sent to our servers.
Private storage: PDFs you upload are stored in private buckets and are not publicly accessible.
No system is 100% secure. If we detect a security incident that affects you, we will notify you as required by law.
How long we keep your data
Account and transaction data: while your account is active.
Bank statements (PDFs): until you delete them manually or delete your account.
Technical and error logs: up to 90 days.
On account deletion: we erase your personal data and files within 30 days, except data we must retain by legal obligation (e.g., accounting or anti-fraud records).
Your rights
Wherever you live, you can exercise the following rights over your data:
Access: request a copy of the data we hold about you.
Rectification: correct inaccurate or incomplete data.
Erasure: request that we delete your information.
Object: object to certain processing (such as AI processing).
Portability: receive your data in a structured format to take to another service.
Withdraw consent at any time (without affecting prior processing).
To exercise any of these rights, email us at support@myguita.com. We respond within 10 business days (Argentina) or 30 days (GDPR/CCPA). You can also delete your account directly from the app.
California residents (CCPA/CPRA): you have the right to know, delete, correct, limit the use of sensitive data, and not be discriminated against for exercising your rights. We do not sell or share data for cross-context targeted advertising.
Device permissions
The app requests these permissions only for the indicated features. You can revoke them from your operating system settings at any time.
Camera: capture receipts and tickets.
Microphone: dictate transactions by voice in the chat.
Photo library: attach images from your device.
Face ID / Touch ID: protect app access. Biometric data never leaves your device.
Notifications: send you alerts and reminders.
Minors
MyGuita is not designed for users under 13 (16 in the EU). We do not knowingly collect data from minors. If you notice a minor created an account, let us know and we will delete the account and its data.
Changes to this Policy
We may update this Policy. If we make material changes, we will notify you by email or through an in-app notification before they take effect. The “Effective” date at the top indicates the last update.
Contact
For any questions about this Policy or your data, email us at support@myguita.com.