1. Who we are
This policy applies to the Garzoni web app and related services ("Service"). For data protection purposes, the data controller is Garzoni, United Kingdom. If you are in the European Economic Area (EEA), we may act as controller for personal data processed in connection with the Service.
2. Data we collect
We collect the following categories of data:
- Account data: email address, username, and password hash.
- Profile and preference data: first/last name (if provided), onboarding responses, financial learning preferences, language, reminder settings, and theme settings.
- Learning and product usage data: lessons viewed, progress, streaks, missions, tool usage events, and feature interactions.
- Technical data: IP address, device/browser type, operating system, approximate region, timestamps, crash/error logs, and security logs.
- Cookie and tracking data: consent choices, analytics identifiers, and ad/marketing event data where consent is given.
- Billing metadata: plan, subscription status, and Stripe subscription identifiers. We do not store your full card number.
- User-provided finance inputs: simulated portfolio entries and learning-tool inputs entered by you.
- AI tutor conversation history: messages you send to the AI tutor and the responses generated, stored server-side to provide persistent conversation history across sessions and devices.
- Voice and image data (Pro, mobile): audio recordings you submit via the voice tutor (transcribed by OpenAI Whisper and then deleted) and receipt or statement images you upload for scanning (processed by OpenAI Vision and then deleted). Neither audio nor images are stored on our servers beyond the duration of the request.
3. How we collect data
- Directly from you (registration, onboarding, settings, tools).
- Automatically via app logs, cookies, analytics, and pixels.
- From processors that support our service (for example Stripe for subscription status).
4. Why we process your data and legal bases
- Provide and run your account (contractual necessity).
- Deliver core product features and learning progress (contractual necessity).
- Keep the platform secure and prevent abuse (legitimate interests).
- Improve product quality and performance (legitimate interests).
- Send service communications such as account and billing notices (contractual necessity and legitimate interests).
- Send optional marketing messages (consent, where required).
- Meet legal and tax obligations (legal obligation).
5. Cookies and similar technologies
We use strictly necessary cookies for login/session functions and, when you consent, analytics and marketing cookies.
You can manage consent using our cookie banner and cookie settings. See our Cookie Policy for details.
6. Third-party processors and services
We use third parties to operate the service. Depending on your usage, these may include:
- Stripe (billing and subscription processing).
- Cookie consent (managed on our site; we do not use third-party consent tools).
- Google Analytics / Google Ads tags (with consent).
- Amplitude (product analytics).
- Sentry (error monitoring).
- Hosting and infrastructure providers.
- Email and transactional messaging providers.
- OpenAI (AI tutor responses, voice transcription, receipt/statement scanning — data processed under OpenAI's API data usage policies).
- RevenueCat (in-app purchase management and entitlement verification on iOS and Android).
- Customer.io (transactional email, push notifications, and AI-generated daily nudges).
- Cloudinary (media storage for user-uploaded avatars and assets).
These providers process data under contracts and only for approved purposes.
7. International transfers
Some of our service providers process data outside the UK or the European Economic Area (EEA). Where we do so, we rely on appropriate safeguards: for example UK adequacy regulations, EU adequacy decisions, or standard contractual clauses approved by the UK Secretary of State or the European Commission.
8. Data retention
We keep personal data only as long as needed for service delivery, legal obligations, dispute resolution, and security. Retention periods vary by data type.
9. Your rights
Subject to applicable law (including UK GDPR and, for EEA users, EU GDPR), you may request to:
- Access your personal data.
- Correct inaccurate data.
- Delete your data.
- Restrict or object to certain processing.
- Withdraw consent (where processing is based on consent).
- Receive a portable copy of data you provided.
- Lodge a complaint with a supervisory authority: in the UK, the Information Commissioner's Office (ICO); in the EEA, the data protection authority of your country of residence or place of work.
10. Security
We use technical and organizational safeguards designed to protect personal data. No method of storage or transmission is completely secure.
11. Children
Garzoni is intended for users aged 18 and over. We do not knowingly collect personal data from children under 16. In compliance with the UK Online Safety Act and the Children's Code, we take steps to verify that users are adults and to prevent minors from accessing content relating to complex financial products. If you believe a child has created an account or provided personal data, please contact us and we will promptly investigate and delete the data.
12. Changes to this policy
We may update this policy from time to time. Material changes will be posted in the app or on our website with an updated date.
13. Contact us
Email: [email protected]
Support: [email protected]
Country: United Kingdom
