Privacy policy

1. Data controller

Orienteed S.L.
C/Torreiro nº13, 7ºF — C.P.15003, A Coruña (Spain)
VAT: ESB70494877
Email: hello@gasto.ai

2. Data we collect

When you use Gasto, we collect the following data:

• Account data: email address and hashed password (bcrypt).
• Bank data via PSD2: transaction history, account balances and IBAN, obtained with your explicit consent through Redsys HUB PSD2. We only access data in read-only mode.
• Usage data: categories, budgets and settings you create in the app.
• Technical data: access logs, IP address and device type, for security and diagnostics.

3. Purpose and legal basis

• Service provision — performance of a contract (Art. 6.1.b GDPR).
• Automatic AI classification — performance of a contract; data is sent to Anthropic's API (Claude) for processing.
• PSD2 bank sync — explicit consent (Art. 6.1.a GDPR).
• Security and fraud prevention — legitimate interest (Art. 6.1.f GDPR).
• Legal compliance — legal obligation (Art. 6.1.c GDPR).

4. Recipients and transfers

We do not sell or share your data with third parties for commercial purposes. Sub-processors involved in service delivery:

• Redsys — PSD2 infrastructure for bank connectivity.
• Anthropic (Claude AI) — automatic transaction classification. Data processed in the US under Standard Contractual Clauses.
• Railway — application hosting (US, Standard Contractual Clauses).
• Cloudflare — CDN and DDoS protection (US, DPF).

5. Data retention

We retain your data for as long as your account is active. After account deletion, data is removed within 30 days, except where legally required to retain it longer (maximum 5 years for accounting records).

PSD2 consents expire automatically after 90 days and must be actively renewed.

6. Your rights

You have the right to:

• Access — obtain a copy of your data.
• Rectification — correct inaccurate data.
• Erasure — delete your account and data.
• Objection — object to processing based on legitimate interest.
• Portability — receive your data in a structured format.
• Restriction — restrict processing in certain circumstances.

To exercise your rights, write to hello@gasto.ai. We will respond within 30 days.

If you believe your rights have been infringed, you can lodge a complaint with the Spanish Data Protection Agency (AEPD) at aepd.es.

7. Cookies

Gasto only uses strictly necessary cookies for the service to function (user session). We do not use tracking, advertising or third-party analytics cookies.

8. Security

We apply appropriate technical and organisational measures: JWT authentication with token rotation, bcrypt-hashed passwords, TLS encryption in transit, and restricted data access.

9. Changes to this policy

We will notify you of any material changes by email or in-app notice at least 15 days in advance.