Privacy Policy
## Last Updated April 14, 2026
1. Introduction
PaxMoney ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how the PaxMoney app and the paxmoney.app website collect, use, and safeguard your information. By using PaxMoney, you agree to the processing described here.
2. Data minimization
We collect and process only the data necessary to operate the app, provide features, and maintain security. We do not collect data unrelated to the product's purposes.
3. Legal bases (where applicable)
Depending on your location (e.g., GDPR/LGPD), we process data based on:
- Contract performance (to operate the app and deliver features)
- Consent (when you choose to use import/AI features and submit content for processing)
- Legitimate interests (security, fraud prevention, error monitoring, and reliability improvements)
4. International transfers
Because we use global providers (e.g., Google Firebase, Google Gemini, and Sentry), your data may be processed and stored in countries other than yours. We use recognized providers and security measures to reduce risks related to these transfers.
5. Third-Party Data Processing
- **Market Providers:** To provide updated quotes and asset history, PaxMoney may send anonymous technical identifiers (such as stock tickers or crypto symbols) to integrated data providers. No personally identifiable information (PII) is shared with these market services during these queries.
- **Infrastructure Services:** The app uses cloud services and processing APIs to perform complex calculations and securely store portfolio data. By using the app, you agree to the technical processing required to deliver these functionalities through our technology partners.
- **Error Monitoring (Sentry):** We use Sentry to capture error and crash reports from the app. Data collected may include: device type, operating system version, app version, error stack traces, and session identifier. This data is used exclusively to identify and fix technical issues.
- **Device Integrity Verification:** The app may perform device integrity checks to detect compromised environments. These checks process technical device data and do not collect personally identifiable information.
6. Data We Collect
6.1 Account and contact information
When you create or access your account, we may collect:
- Name and email (depending on the sign-in method)
- Profile photo (when signing in with Google)
- Account identifier (Firebase UID) used for authentication and to organize your data
6.2 Financial information you provide
You voluntarily provide data needed for app functionality, including:
- Portfolios
- Transactions
- Dividends/distributions
- Categories and accounts
- Events (including travel/expense-style events, if you use this feature)
- Balances
- Corporate actions (e.g., splits, reverse splits, mergers, spin-offs)
6.3 Imported content (optional)
If you use import features, you may provide:
- PDF
- CSV
- Images (JPEG/PNG)
6.4 Subscription data (in-app purchases)
To validate your Premium access, we collect:
- transactionId and/or productId from Apple App Store / Google Play
- Subscription/entitlement status linked to your UID
Important:
- We do not collect or store credit card numbers, banking details, or payment credentials.
6.5 Technical support data (when you contact support)
When you contact support inside the app, we may include in the support email body:
- System (iOS/Android)
- App version
- Language
6.6 Debug sessionId
The app may generate a per-run sessionId for internal debug logs.
- This is not a hardware device identifier (not IMEI/IDFA).
6.7 Biometric authentication data (optional)
If you enable biometric login (Face ID / Touch ID / Android biometrics):
- The app generates a cryptographic secret stored securely on your device (Keychain/Keystore)
- Only a hash (SHA-256) of this secret is stored on our server
- No biometric data (fingerprint, face) is collected, transmitted, or stored by PaxMoney. Biometric processing occurs entirely on your device's operating system.
6.8 Automatically collected technical data
The app may automatically collect:
- Error and crash reports (via Sentry), including stack traces, device type, OS version, and app version
- Device integrity verification data (to detect compromised environments)
- This data is used exclusively for maintenance, security, and service improvement
7. Data we do NOT collect
- Credit card numbers, payment credentials, or banking details (payments are handled by Apple/Google stores)
- Advertising identifiers (IDFA) or ad SDKs to track you across apps
- Biometric data (fingerprint, face) — biometric processing occurs entirely on your device
- Browsing history or data from other apps
8. How We Use Your Data
8.1 App functionality
We use your data to:
- Store and sync portfolios
- Calculate portfolio results and metrics
- Display transactions, dividends, and corporate actions
- Maintain your account and session state
8.2 Shared dashboards (if used)
If you use shared features:
- Sharing is handled via invitations and authorized member lists
- Your data is shown only to permitted members
- You can revoke access as available within the feature
- You are responsible for choosing who you invite
8.3 Imports and AI (Google Gemini)
When you use import and AI features:
- The app may convert parts of documents to base64 and send them to Google Gemini API for analysis
- AI may be used for transaction/dividend extraction, CSV column mapping, category icon suggestions, and dividend forecasts
- AI outputs may be inaccurate ("hallucinations") and should be verified by you against your original documents before use
8.4 Market data
The app uses third-party providers to fetch public market data.
- We send only asset tickers and currency codes
- We do not send your personal identity to these providers
8.5 Subscription validation
We use transactionId/productId to:
- Validate your Premium access
- Store subscription status linked to your UID
8.6 Email communications
We may send emails for:
- Password reset (when requested by you)
- Security notifications (e.g., data breach alerts or critical changes)
- Service communications (important updates, changes to terms)
- Promotional communications (news and features)
You can unsubscribe from promotional emails at any time by clicking the "Unsubscribe" link in each email or by contacting us.
8.7 Push notifications
The app may send push notifications for administrative alerts and announcements. You can disable push notifications at any time in your device settings (iOS: Settings > Notifications > PaxMoney / Android: Settings > Apps > PaxMoney > Notifications).
8.8 Aggregated and anonymous data
We may create aggregated and anonymized data from collected information for internal analysis and service improvement. Aggregated data does not personally identify you and may be used without restriction.
9. Data Sharing
We do not sell, rent, or trade your personal data. We share only what is necessary to operate the service:
9.1 Google Firebase
- Authentication
- Firestore (storage/sync)
- Cloud Functions (backend processing)
- Infrastructure required for app operation
9.2 Google Gemini (AI)
- Processing of data you submit when using import/AI features
9.3 Market data providers
- Provide public prices/metadata based on tickers/currency codes
9.4 Sentry (error monitoring)
- Receives technical error reports for issue identification and resolution
- Does not receive personal financial data
9.5 Email provider (SMTP)
- We use an email provider to send transactional and service communications
- Only your email address is shared with the provider for message delivery purposes
9.6 Vercel (website hosting)
- The paxmoney.app website uses Vercel Analytics to collect anonymous website usage data, including: pages visited, referrer, device type, and country. This data does not personally identify you.
10. Imported files (PDF/CSV/Images)
- Imported files are not permanently stored on our servers
- They are processed for data extraction and discarded after analysis
- Parts of the content may be temporarily sent to the Google Gemini API during processing
11. Security
We apply measures to protect your data, including:
- Encryption in transit (TLS/SSL)
- Access controls and database security rules restricting access by UID and by authorized members for shared features
- Device integrity validation to detect compromised environments
- Server-side signature verification (Apple/Google) for purchase validation
- Cryptographic hashing (SHA-256) for biometric secrets — the plaintext secret is never stored on our server
- Real-time error monitoring to identify and fix vulnerabilities quickly
- Practices to reduce unauthorized access
Note: no system is 100% secure, but we work continuously to reduce risks.
12. Retention and deletion
12.1 Retention
We retain your data according to the following criteria:
- Account and portfolio data: while your account is active
- Error reports (Sentry): up to 90 days
- Debug logs: per session, discarded when the app closes
- Subscription data: as long as necessary for validation and as required by law
- Email communication records: sending logs retained for up to 12 months
12.2 Account deletion
You can delete your account within the app.
- The process removes the authentication record and includes logic to delete Firestore data linked to your UID, including: portfolios, transactions, dividends, accounts, categories, events, balances, and settings.
Note: backups and technical logs (if any) may persist for a limited period before expiring as part of operational cycles. Anonymized/aggregated data may be retained indefinitely.
13. Your rights
Depending on your location (e.g., GDPR/LGPD), you may have rights to:
- Access and confirm processing of your data
- Correct inaccurate or incomplete data
- Request deletion of your data
- Request portability where applicable
- Withdraw consent where applicable
- Object to processing based on legitimate interests
- Not be discriminated against for exercising your rights
To exercise your rights, email:
- contact@paxmoney.app
Suggested subject: "Privacy Request"
We will respond within 15 business days.
14. Children's privacy
PaxMoney is not intended for children under 13 (or 16 in the EU/UK) and we do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete that information as quickly as possible. If you believe a child has provided us with personal data, please contact: contact@paxmoney.app.
15. Cookies and tracking technologies (website)
The paxmoney.app website may use:
- Essential cookies for basic functionality (language preference)
- Vercel Analytics for anonymous website usage data collection
We do not use advertising, remarketing, or cross-site tracking cookies. The mobile app does not use cookies.
16. Changes
We may update this Policy periodically. For material changes, we will notify you via email or in-app notice. The latest version will be available on this page with an updated date. Continued use after changes constitutes acceptance.
17. Contact
Privacy questions:
- contact@paxmoney.app