1. Data Controller
The Data Controller responsible for your personal data is:
- Legal entity: 66.709.390 BRUNO OSORIO GONCALVES (Brazilian individual entrepreneur)
- CNPJ (Brazilian taxpayer ID): 66.709.390/0001-81
- Privacy contact: privacy@meuthor.com.br
- General contact: suporte@meuthor.com.br
The Data Protection Officer (DPO) — also serving as our point of contact under GDPR (Art. 37) and LGPD (Art. 41) — is Bruno Osorio Gonçalves, reachable at the privacy email above.
2. Personal Data We Collect
2.1. Registration data (provided by you)
- Name (optional);
- Email address (authentication and service communications);
- Preferences (language, currency, region).
2.2. Content you submit
- Audio recordings for expense logging;
- Images (receipt photos, invoice screenshots, chat screenshots);
- Free-text input describing your transactions;
- Personal financial data extracted from the above: amounts, dates, categories, descriptions, counterparties (e.g., "Uber Eats", "Whole Foods").
2.3. Payment data (Premium subscribers only)
- Stripe handles all payment processing. We never see or store your full card number, CVV, or bank credentials.
- We receive only: last 4 digits of card, brand (Visa, Mastercard, etc.), country, subscription status, and transaction history (for receipts and tax compliance).
2.4. Automatically generated data
- Technical logs (date/time of access, device type, app version, OS);
- Device identifiers (for push notifications, if enabled);
- Internal account identifier (UUID);
- Approximate location derived from IP (country/region only, for currency and compliance).
2.5. Data we do NOT collect
- Bank account numbers, credit card numbers, or financial institution passwords;
- Open Banking / Open Finance connections to your bank;
- Biometric data;
- Precise GPS location;
- Contacts, calendar, photos library, or device files (beyond what you explicitly send).
3. Purposes of Processing
We process your personal data to:
- Enable account creation, authentication, and access to the Service;
- Process inputs (audio, images, text) via AI to generate extraction suggestions;
- Store your financial records so you can view and consult them;
- Generate dashboards, insights, and goal tracking;
- Operate the chat assistant feature;
- Process subscription payments (Premium tier);
- Send essential service notifications (and optional ones with your consent);
- Detect, prevent, and investigate fraud, abuse, and security incidents;
- Comply with applicable legal and regulatory obligations;
- Improve the Service through aggregated, anonymized analytics (when applicable).
4. Legal Basis for Processing
Under the EU/UK General Data Protection Regulation (GDPR Article 6) and the Brazilian General Data Protection Law (LGPD Article 7), we rely on the following legal bases:
- Contract performance (GDPR 6(1)(b) / LGPD 7(V)): for everything necessary to deliver the Service you signed up for.
- Consent (GDPR 6(1)(a) / LGPD 7(I)): for optional push notifications and processing the content you voluntarily submit.
- Legitimate interest (GDPR 6(1)(f) / LGPD 7(IX)): for product improvement, security, fraud prevention, and technical diagnostics. You can object at any time — see Section 8.
- Legal obligation (GDPR 6(1)(c) / LGPD 7(II)): to comply with court orders, tax law, and other legal duties.
We do not rely on legitimate interest where it is overridden by your fundamental rights.
5. Recipients (Sub-Processors)
We never sell your data. We share with the following sub-processors strictly to operate the Service:
5.1. OpenAI, L.L.C.
Provides the AI models for audio transcription, image vision, and structured extraction from free text. Submitted content is transmitted to OpenAI exclusively for real-time processing.
- Privacy policy: openai.com/policies/privacy-policy
- Country: United States
- Data training: Per OpenAI's API terms, your data is not used to train their models.
5.2. Supabase Inc.
Provides database, file storage, and authentication infrastructure.
- Privacy policy: supabase.com/privacy
- Country: United States (with regional selection: EU available for European users).
5.3. Stripe, Inc.
Processes Premium subscription payments. Stripe is a PCI DSS Level 1 service provider.
- Privacy policy: stripe.com/privacy
- Country: United States (with regional entities in EU, UK, BR).
5.4. Apple Inc.
App Store distribution, push notifications via APNs, optional Sign in with Apple, and (for App Store purchases) Apple's standard billing.
- Privacy policy: apple.com/legal/privacy
5.5. Public authorities
We may disclose data in response to a valid court order, subpoena, or other legal request from a competent authority, after assessing the legitimacy of the request. We publish a transparency report annually.
6. International Data Transfers
As noted above, sub-processors are primarily located in the United States. Cross-border transfers are made under the following safeguards:
- For EU/UK users: Standard Contractual Clauses (SCC) approved by the European Commission, supplemented where needed by additional technical measures (encryption, pseudonymization).
- For transfers to the United States: the EU-US Data Privacy Framework (DPF) where the recipient is DPF-certified, with SCC as a fallback.
- For Brazilian users: transfers necessary for contract performance (LGPD Art. 33, IX, referring to Art. 7, V) and contractual safeguards adopted with our operators (LGPD Art. 33, II).
- Encryption in transit and at rest applies to all transferred data.
7. Data Retention
- Account data and financial records: retained while your account is active.
- Original audio and images: retained for the time necessary for processing and possible re-audit; may be auto-deleted after extraction confirmation per your settings.
- Technical logs: retained for up to 6 months (Brazilian Internet Civil Framework Art. 15; comparable elsewhere).
- Payment records: retained as required by tax law (typically 5-7 years).
- After account deletion: personal data is erased within 30 days, except where retention is required by law or for the establishment, exercise, or defense of legal claims (GDPR Art. 17(3) / LGPD Art. 16).
8. Your Rights Under GDPR (EU/UK)
If you are in the European Union, European Economic Area, United Kingdom, or Switzerland, you have the following rights:
- Right of access (Art. 15): obtain a copy of your data.
- Right to rectification (Art. 16): correct inaccurate data.
- Right to erasure / "right to be forgotten" (Art. 17): delete your data.
- Right to restriction (Art. 18): limit how we process your data.
- Right to data portability (Art. 20): receive your data in structured, machine-readable format (CSV/JSON).
- Right to object (Art. 21): especially to processing based on legitimate interest.
- Right to withdraw consent (Art. 7(3)): at any time, without affecting prior processing.
- Right not to be subject to automated decision-making (Art. 22): including profiling that produces legal effects (we don't do this — AI suggestions always require your manual confirmation).
- Right to lodge a complaint with your local data protection authority — list at edpb.europa.eu/members.
To exercise any of these rights, email privacy@meuthor.com.br with subject "GDPR Request — [your request]". We respond within one month, extendable by two further months for complex or numerous requests, as Art. 12(3) allows; if we extend, we tell you why within the first month.
9. Your Rights Under CCPA/CPRA (California)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to know: what personal information we collect, use, disclose, and sell.
- Right to delete: request deletion of personal information.
- Right to correct: request correction of inaccurate personal information.
- Right to opt out of sale: not applicable — we do not sell personal information as defined by the CCPA.
- Right to opt out of sharing for cross-context behavioral advertising: not applicable — we do not engage in such sharing.
- Right to limit use of sensitive personal information: we don't process sensitive info beyond what's necessary for the Service.
- Right to non-discrimination: we won't deny service, charge different prices, or provide a different quality of service for exercising your rights.
To exercise CCPA rights, email privacy@meuthor.com.br with subject "CCPA Request — [your request]". We verify your identity before fulfilling requests. Response within 45 days (extendable by 45 days). You may also file a complaint with the California Privacy Protection Agency at cppa.ca.gov.
"Do Not Sell My Personal Information": Since we don't sell, no opt-out mechanism is needed, but you can confirm this status by writing to the email above.
10. Your Rights Under LGPD (Brazil)
If you are in Brazil, you have all rights set out in LGPD Article 18:
- Confirmation of processing existence;
- Access to data;
- Correction of incomplete, inaccurate, or outdated data;
- Anonymization, blocking, or deletion of unnecessary or non-compliant data;
- Portability to another service provider;
- Deletion of data processed with consent;
- Information about data sharing with public/private entities;
- Information about the possibility of refusing consent and its consequences;
- Revocation of consent at any time.
Email privacy@meuthor.com.br with subject "LGPD Request — [your request]". Response within 15 days per LGPD. Complaints to the Brazilian National Data Protection Authority (ANPD): gov.br/anpd.
11. Information Security
We implement technical and administrative measures appropriate to the risk:
- Encryption in transit: TLS 1.2+ on all client-server communication.
- Encryption at rest: AES-256 for stored data.
- Row-Level Security (RLS) in the database for strict account isolation.
- Least-privilege access control for internal team.
- Multi-factor authentication required for all administrative access.
- Audit logging of administrative actions and security events.
- Periodic backups with limited retention.
- Vendor security review for all sub-processors.
In the event of a personal data breach involving risk to data subjects, we notify the competent supervisory authority within 72 hours (GDPR Art. 33 / LGPD Art. 48 / state breach notification laws) and affected users without undue delay.
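To make the account-isolation item in the list above concrete, here is an added PostgreSQL example of what a Row-Level Security setup for per-account records looks like. It is illustrative only, not Thor's actual schema or policies: the `expenses` table and its columns are assumed, and `auth.uid()` is Supabase's helper that reads the caller's user UUID from the request JWT.

```sql
-- Added example (not Thor's real schema): expense records isolated per account
-- with Row-Level Security. Table and column names are assumed; auth.uid() is
-- the Supabase helper returning the authenticated user's UUID from the JWT.
create table expenses (
  id          uuid primary key default gen_random_uuid(),
  account_id  uuid not null,            -- owner: the internal account UUID
  amount      numeric(12, 2) not null,
  occurred_on date not null,
  description text
);

-- Weak setting: without these two statements RLS is off and every policy
-- below is silently ignored. ENABLE alone still exempts the table owner;
-- FORCE applies the policies to the owner as well.
alter table expenses enable row level security;
alter table expenses force row level security;

-- Default-deny: with RLS on, no rows are visible until a policy grants them.
-- One policy per command keeps each rule explicit and reviewable.
create policy expenses_select_own on expenses
  for select to authenticated
  using (account_id = auth.uid());

create policy expenses_insert_own on expenses
  for insert to authenticated
  with check (account_id = auth.uid());

create policy expenses_update_own on expenses
  for update to authenticated
  using (account_id = auth.uid())
  with check (account_id = auth.uid());   -- blocks re-assigning a row to another account

create policy expenses_delete_own on expenses
  for delete to authenticated
  using (account_id = auth.uid());

-- Check: impersonate one user inside a transaction and query for rows that
-- belong to anyone else. Any row this returns is a cross-account leak.
begin;
set local role authenticated;
set local request.jwt.claims to '{"sub":"00000000-0000-0000-0000-000000000001"}';
select id, account_id from expenses where account_id <> auth.uid();
rollback;
```

Two caveats a reviewer would check alongside this: the `with check` clause on updates is what stops a user from moving their own row under another account, and Supabase's `service_role` key bypasses RLS entirely, so it must only ever be used server-side and never shipped inside the app.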
12. Cookies and Local Storage
This website (meuthor.com.br) uses only strictly necessary cookies and local storage for basic operation. We do not use:
- Advertising or marketing cookies;
- Cross-site tracking;
- Third-party analytics that profile individual users.
Strictly necessary cookies are exempt from the consent requirement in Article 5(3) of the ePrivacy Directive (and comparable laws), so no cookie consent banner is shown.
The iOS App does not use browser cookies but may use the system Keychain and local storage for session data and preferences.
13. Children
Thor is not directed to children under 18. We do not knowingly collect data from minors:
- Under 13 (US — COPPA);
- Under 16 (EU — GDPR Art. 8, varying by Member State);
- Under 18 (Brazil — LGPD Art. 14 plus our internal policy).
If we learn we have collected data from a minor without verified parental consent, we will delete it promptly. Parents or guardians who believe their child has provided personal data may contact privacy@meuthor.com.br.
14. Changes to this Policy
We may update this Policy from time to time. The current version is always available at meuthor.com.br/privacy with the date of last update at the top.
For material changes, we notify users at least 30 days in advance via in-app notice and email. Continued use after the effective date constitutes acceptance.
15. Contact
Privacy questions, requests, or complaints:
- Data Protection Officer (DPO): Bruno Osorio Gonçalves
- Privacy: privacy@meuthor.com.br
- General support: suporte@meuthor.com.br
Supervisory authorities:
- 🇪🇺 EU: your local DPA via EDPB
- 🇬🇧 UK: Information Commissioner's Office (ICO)
- 🇺🇸 California: California Privacy Protection Agency
- 🇧🇷 Brazil: ANPD