← Back to sign in

Privacy Policy

Last updated: March 2025. This policy describes how El Diario collects, uses and protects your personal data in line with the EU General Data Protection Regulation (GDPR).

1. Who we are

El Diario ("we", "our") is the data controller for the personal data you provide when using our service. If you have questions about this policy or your data, contact us at the address given at the end of this document.

2. Data we collect

We may collect and process:

  • Account data: email, first name, last name, password (stored in hashed form), and — if you sign in with Google — profile picture and provider identifier.
  • Workspace and content: workspace names and descriptions, transaction records (amounts, dates, categories, comments), pages and their content that you create or edit.
  • Technical and session data: refresh tokens for authentication, session data necessary to keep you logged in.
  • Voice input (optional): if you use voice-to-text, audio is sent to our transcription provider (OpenAI Whisper) to produce text; we do not store the audio itself.
  • AI chat: messages you send in the in-app AI chat may be processed by our AI provider (OpenAI) to answer requests; conversation history in the current product is not stored permanently in our databases.

3. Purposes and legal basis (GDPR Art. 6)

  • Performance of a contract: account creation, authentication, workspaces, transactions, and pages — to provide the service you signed up for.
  • Consent (where applicable): optional features such as voice transcription or marketing communications, if we offer them and you opt in.
  • Legitimate interests: security, fraud prevention, and operation of the service (e.g. necessary logging without storing unnecessary personal data).

4. How long we keep your data

We keep your account and related data (workspaces, transactions, pages) for as long as your account is active. When you delete your account, we remove your profile and associated data from our systems; cascaded deletion applies to sessions, avatars, and workspace memberships. Backups may retain data for a limited retention period as needed for operational recovery; we do not use backups to restore deleted user data for purposes other than disaster recovery.

5. Sharing and third parties

We do not sell your personal data. We may share data with:

  • Google: when you sign in with Google, we receive your email, name and profile picture from Google according to their privacy policy and your Google account settings.
  • OpenAI: for AI chat and voice transcription, relevant content (e.g. messages or audio) is sent to OpenAI; their processing is subject to their privacy policy and, where applicable, data processing terms. Data may be transferred to the United States under appropriate safeguards (e.g. Standard Contractual Clauses) where required.

We require processors to protect your data and use it only as we instruct. Where we transfer data outside the EEA, we ensure suitable safeguards are in place.

6. Your rights (GDPR)

You have the right to:

  • Access (Art. 15): obtain a copy of your personal data we hold.
  • Rectification (Art. 16): correct inaccurate data (e.g. via your profile settings).
  • Erasure (Art. 17): request deletion of your data; you can delete your account from your profile page.
  • Data portability (Art. 20): receive your data in a structured, machine-readable format (we aim to provide an export feature for this).
  • Restriction (Art. 18): limit how we process your data in certain cases.
  • Object (Art. 21): object to processing based on legitimate interests.
  • Withdraw consent: where processing is based on consent, you may withdraw it at any time.
  • Complain: lodge a complaint with a supervisory authority in your country (e.g. in the EU/EEA).

To exercise these rights, contact us using the details below. We will respond within the time limits set by applicable law.

7. Cookies and local storage

We use strictly necessary cookies to provide the service:

  • accessToken and refreshToken: stored in HTTP-only cookies to keep you signed in and to refresh your session; they are essential for authentication and are not used for tracking.

You can remove these cookies by signing out or deleting your account. If we introduce optional cookies (e.g. analytics), we will ask for your consent before using them and describe them in this policy.

8. Security

We use industry-standard measures to protect your data: passwords are hashed (bcrypt), authentication uses JWT in HTTP-only cookies, and we apply security headers and CORS. We do not log personal data (such as emails) in plain text in production logs.

9. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top will be revised. Continued use of the service after changes constitutes acceptance of the updated policy. For material changes, we may notify you via email or a notice in the app.

10. Contact

For any questions about this Privacy Policy, your personal data, or to exercise your rights, please contact us:

Email: ruslanzakharov90@gmail.com