Privacy Policy

Last updated — June 25, 2026

This Privacy Policy describes how TakeControl App collects, uses, stores and shares your personal data when you use our app or website. It has been drafted in compliance with the Brazilian General Data Protection Law (LGPD — Lei 13.709/2018) and the EU General Data Protection Regulation (GDPR — Regulation EU 2016/679).

1. Who We Are (Data Controller)

TakeControl App Contact email: [email protected]

TakeControl is the data controller responsible for processing your personal data as described in this Policy.

2. Data Protection Officer (DPO)

Our Data Protection Officer is available to handle requests and answer questions about personal data processing:

Email: [email protected]

3. Personal Data We Collect

We collect the following data depending on how you use the Service:

3.1 Data you provide

Name and display name
Email address
Profile photo (optional)
Expense, group, participant and settlement data you enter in the app

3.2 Automatically collected data

IP address
Browser type and version or operating system
Device model and device identifier
Pages visited, actions taken in the app and usage time
Date and time of access
Approximate location (derived from IP address)

3.3 Technical data for stability

Error messages, stack traces and diagnostic data collected automatically to identify and fix issues in the app

4. Purposes and Legal Bases for Processing

Purpose	Legal basis (LGPD art. 7)	Legal basis (GDPR art. 6)
Providing the Service and maintaining your account	Performance of contract	Art. 6(1)(b) — performance of contract
Security, fraud prevention and stability	Legitimate interest	Art. 6(1)(f) — legitimate interest
Usage analytics and Service improvement	Legitimate interest / Consent	Art. 6(1)(a)(f) — consent / legitimate interest
Service communications (notifications, support)	Performance of contract	Art. 6(1)(b) — performance of contract
Compliance with legal and regulatory obligations	Legal obligation	Art. 6(1)(c) — legal obligation

5. Account Deletion and Data Retention

5.1 Cascade deletion

You can delete your account at any time, directly in the app. When you do, all data associated with your account is deleted in cascade — including profile, expenses, groups, participations, notes and history. Deletion is permanent and covers the records linked to your account in our database.

5.2 Retention periods

Active account: your data is retained for as long as the account exists.
After deletion: data is removed from our production systems immediately and erased from backups within 30 days.
Technical logs and error data: retained for up to 90 days and then automatically deleted.
Legal obligations: where a specific law requires keeping certain information for longer, we retain only the strictly necessary data, for the applicable legal period. Payment records for PRO subscriptions are kept by Apple (App Store) and Google (Google Play), not by us.

6. Third-Party Service Providers

We share data with the following service providers, solely for the purposes described. We do not sell, rent or share your personal data with third parties for marketing purposes.

6.1 Google Analytics

Operated by: Google LLC (United States) Purpose: Website traffic analysis and user behaviour analytics. Data shared: Anonymous user ID, pages visited, traffic source, approximate location. Privacy policy: policies.google.com/privacy

6.2 PostHog

Operated by: PostHog Inc. (United States) Purpose: Product and user behaviour analytics (usage events, heatmaps and session recordings) to improve the experience. Data shared: Page and app interactions (clicks, navigation), user identifier, usage events. Privacy policy: posthog.com/privacy

6.3 Sentry

Operated by: Functional Software Inc. (United States) Purpose: Error and crash monitoring in the app. Data shared: Error messages, stack traces, app version, device type (no personal identification data). Privacy policy: sentry.io/privacy

6.4 Aikido Security

Operated by: Aikido Security (Belgium, European Union) Purpose: Continuous application security scanning and monitoring. Data shared: Application metadata and infrastructure information (no end-user personal data). Privacy policy: aikido.dev/privacy-policy

6.5 Cloudflare

Operated by: Cloudflare Inc. (United States) Purpose: Content delivery network (CDN), DDoS/WAF protection and DNS security. Data shared: IP address, HTTP headers, connection metadata. Privacy policy: cloudflare.com/privacypolicy

6.6 OpenAI

Operated by: OpenAI, L.L.C. (United States) Purpose: AI processing for app features, such as voice expense logging and automatic receipt reading (OCR). Data shared: Voice audio and receipt images you submit when using these features. We only send the content needed for the feature (the audio or the receipt image) — we do not share your account data, email or expense history with OpenAI. Under OpenAI’s API policy, this data is not used to train their models. Privacy policy: openai.com/policies/privacy-policy

6.7 Supabase

Operated by: Supabase, Inc. (United States) Purpose: Database hosting and backend infrastructure — account storage, authentication and expense data. Data shared: The account and usage data you enter in the app (name, email, expenses, groups), stored securely and encrypted. Privacy policy: supabase.com/privacy

7. International Data Transfers

Some of our service providers are located outside Brazil and the European Economic Area (primarily in the United States). In particular, the database where your data is stored (Supabase) is hosted in the United States. These transfers are made with appropriate safeguards:

For Brazilian data subjects (LGPD): transfers are carried out on the basis of standard contractual clauses or where the destination country provides an adequate level of protection (art. 33, LGPD).
For EU/EEA data subjects (GDPR): transfers are supported by Standard Contractual Clauses approved by the European Commission (art. 46 GDPR) or other appropriate transfer mechanisms.

8. Your Rights as a Data Subject

Rights under the LGPD (art. 18)

Confirmation of the existence of processing of your data;
Access to the data we hold about you;
Correction of incomplete, inaccurate or outdated data;
Anonymisation, blocking or deletion of data that is unnecessary, excessive or processed unlawfully;
Portability of your data to another service provider (the app lets you export your data in CSV format);
Deletion of data processed based on your consent;
Information about the entities with which we share your data;
Information about the option not to provide consent and the consequences;
Withdrawal of consent at any time without prejudice to processing already carried out;
Review of automated decisions that affect your interests.

Restriction of processing while a dispute is pending (art. 18 GDPR);
Objection to processing based on legitimate interests (art. 21 GDPR);
Data portability in a structured, commonly used and machine-readable format (art. 20 GDPR);
Right to lodge a complaint with the supervisory authority in your country of residence.

To exercise any of these rights, please send your request to [email protected]. We will respond within 15 business days (LGPD) or one month (GDPR), with possible extension depending on the complexity of the request.

9. Data Security

Protecting your data is a priority. We implement industry-recognised technical and organisational measures, including:

Encryption of all traffic (TLS/HTTPS) between the app, the website and our servers;
Encryption of data at rest in the database, protecting information while stored;
Passwords protected with secure hashing, so they are never stored in plain text;
Restricted access: only authorised people access the infrastructure, under confidentiality obligations;
Continuous security monitoring and automated vulnerability scanning.

In the event of a security incident that may pose a relevant risk or harm to data subjects, we will notify affected individuals and the competent authorities:

In Brazil: the National Data Protection Authority (ANPD) and affected data subjects, within 3 (three) business days, in accordance with ANPD Resolution CD/ANPD No. 15/2024;
In the European Union: the competent supervisory authority, within 72 (seventy-two) hours, in accordance with art. 33 of the GDPR.

The notice will include a description of the incident, the types of data involved, the risks and the measures taken to mitigate them.

Essential processing (maintaining your account and processing your expenses) is based on the performance of the contract. Usage analytics, on the other hand, depend on your consent, requested in the website’s cookie banner.

Your consent is free, informed and specific.
You can withdraw it at any time, without affecting how the app works.
Declining analytics cookies does not limit your use of TakeControl.

11. Cookies and Similar Technologies

We use cookies and similar technologies to improve your experience on the website. For more details on cookie types, purposes and how to manage them, see our Cookie Policy.

12. Children’s Data

The Service is not directed at children under 13 years of age. We do not knowingly collect personal data from children under 13. In Brazil, the minimum age is 14 under the LGPD. If we discover that data from a minor has been inadvertently collected, we will delete it immediately.

13. Policy Updates

We may update this Policy periodically to reflect changes in our practices or applicable legislation. For material changes, we will notify you at least 30 days in advance by email or in-app notice. The date of the last update will always be shown at the top of this page.

14. Contact and Supervisory Authorities

Questions, requests or exercising rights: [email protected]

Brazilian data subjects — National Data Protection Authority (ANPD): gov.br/anpd

EU/EEA data subjects: You may lodge a complaint with the data protection supervisory authority in your country of residence or establishment.