1. Data controller
Orienteed S.L.
C/Torreiro nº13, 7ºF — C.P.15003, A Coruña (Spain)
VAT: ESB70494877
Email: hello@gasto.ai
2. Data we collect
When you use Gasto, we collect the following data:
- Account data: email address and hashed password (bcrypt).
- Bank data via PSD2: transaction history, account balances and IBAN, obtained with your explicit consent through Redsys HUB PSD2. We only access data in read-only mode.
- Usage data: categories, budgets and settings you create in the app.
- Technical data: access logs, IP address and device type, for security and diagnostics.
3. Purpose and legal basis
- Service provision — performance of a contract (Art. 6.1.b GDPR). Providing your email address is mandatory to create an account; without it the service cannot be delivered.
- Automatic AI classification — performance of a contract; transaction descriptions are sent to Anthropic's API (Claude) for categorisation. This classification is purely informational and does not produce legal effects or significant decisions affecting the user within the meaning of Art. 22 GDPR. Users can modify or reject any assigned category at any time.
- PSD2 bank sync — explicit consent (Art. 6.1.a GDPR). This is voluntary; you can use the service via manual file import without granting this access.
- Web analytics (Google Analytics 4) — explicit consent (Art. 6.1.a GDPR), only if you accept via the cookie banner. You may withdraw this consent at any time.
- Security and fraud prevention — legitimate interest (Art. 6.1.f GDPR).
- Legal compliance — legal obligation (Art. 6.1.c GDPR).
4. Recipients and transfers
We do not sell or share your data with third parties for commercial purposes. Sub-processors involved in service delivery:
- Redsys — PSD2 infrastructure for bank connectivity.
- Anthropic (Claude AI) — automatic transaction classification. Data processed in the US under Standard Contractual Clauses.
- Railway — application hosting (US, Standard Contractual Clauses).
- Cloudflare — CDN and DDoS protection (US, DPF).
5. Data retention
We retain your data for as long as your account is active. After account deletion, data is removed within 30 days, except where we are legally required to retain it longer (maximum 5 years for accounting records).
PSD2 consents expire automatically after 90 days and must be actively renewed.
6. Your rights
You have the right to:
- Access — obtain a copy of your data.
- Rectification — correct inaccurate data.
- Erasure — delete your account and data.
- Objection — object to processing based on legitimate interest.
- Portability — receive your data in a structured format.
- Restriction — restrict processing in certain circumstances.
To exercise your rights, write to hello@gasto.ai. We will respond within 30 days.
If you believe your rights have been infringed, you can lodge a complaint with the Spanish Data Protection Agency (AEPD) at aepd.es.
7. Cookies and analytics
This website uses two types of cookies:
- Strictly necessary cookies — user session. These do not require consent.
- Analytics cookies — Google Analytics 4 (Google LLC, US), only if you give explicit consent via the cookie banner. IP anonymisation is enabled. Google acts as a data processor under the EU–US Data Privacy Framework (DPF).
You may withdraw your consent at any time by clearing your browser cookies or contacting hello@gasto.ai. We do not use advertising or behavioural tracking cookies.
8. Security
We apply appropriate technical and organisational measures: JWT authentication with token rotation, bcrypt-hashed passwords, TLS encryption in transit, and restricted data access.
9. Changes to this policy
We will notify you of any material changes by email or in-app notice at least 15 days in advance.