Privacy Policy
Last updated: May 22, 2026
Bravio is a personal finance tool. We take your privacy seriously: we don't sell your data, we don't connect to your bank, and we strip personal identifiers before processing financial documents with AI. This policy explains exactly what we collect, why, and what your rights are.
1. Who we are
Bravio (the "Company", "we", "us") is a personal finance service operating in Mexico. For privacy questions or to exercise your rights, contact us at contacto@bravio.mx.
2. What we collect
We collect only the data needed to operate the service:
- Account data: email address, hashed password, language preference, account creation timestamp.
- Financial data you enter: transactions (date, amount, category, description), assets and liabilities, budget targets, income sources, FX rates you set.
- Imported documents: bank statements (PDF), payroll receipts (CFDI/XML), and Excel files you upload for AI parsing.
- Usage data: page visits, feature usage, error logs, last-active timestamps. We use this to operate and improve the service.
- Payment data: when you subscribe, payment information is collected and processed by our third-party payment processor. We do not store full card numbers.
3. What we do with imported documents
When you upload a bank statement or payroll receipt for AI parsing:
- The file is read in your browser first.
- Personal identifiers — names, addresses, full account numbers (CLABE, card numbers), tax IDs (RFC, CURP), email addresses, phone numbers — are removed before any data leaves your device.
- Only sanitized text (dates, merchant names, amounts, deduction labels) is sent to our AI processing provider for parsing.
- The provider processes the text and returns structured transactions, which are stored in your account. Our AI provider does not use this data to train its models.
- The original file is not stored on our servers after parsing completes.
4. Why we collect it
We use your data to:
- Provide the service: store your transactions, compute your net worth, generate budget reports.
- Operate AI features: parse bank statements and payroll receipts you upload.
- Process payments and manage your subscription.
- Communicate with you about your account, security alerts, and meaningful product updates.
- Improve the service: understand which features are used, fix bugs, prevent abuse.
- Comply with legal obligations.
5. Who we share data with
We share data only with the third-party service providers we need to operate the service. These fall into the following categories:
- Cloud hosting and database providers — store the application code and your data. Data is encrypted at rest and in transit. Providers we use are certified under industry-standard frameworks such as SOC 2.
- AI processing providers — analyze the sanitized text from your statement and payroll uploads (after personal identifiers are removed in your browser). Our AI providers do not use this data to train their models.
- Payment processors — handle subscription billing. Our payment processor is PCI-DSS Level 1 certified, and we do not store full card numbers.
- Email delivery providers — send transactional and security emails (account confirmations, alerts, billing receipts).
We may add or change service providers in any of these categories over time. We do not sell your data to advertisers, data brokers, or any third party. We do not share your financial data with banks or financial institutions.
6. Your rights (ARCO)
Under Mexico's Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP), you have the following rights regarding your personal data:
- Access: request a copy of the data we hold about you.
- Rectification: correct inaccurate or incomplete data.
- Cancellation (deletion): request deletion of your data when no longer needed.
- Opposition: object to specific uses of your data.
To exercise any of these rights, email contacto@bravio.mx from the email address associated with your account. We will respond within 20 business days as required by law.
You can also delete your account directly from Settings → Account → Delete account. Deleting your account removes your data from our active systems within 30 days, and from backups within 90 days.
7. Cookies, local storage, and analytics
We use browser local storage to:
- Keep you logged in (authentication tokens)
- Remember your language preference
- Remember your Privacy Mode toggle and other UI preferences
We do not use cookies for advertising profiling on Bravio itself. The third-party services described below set their own cookies in your browser, which you can clear at any time from your browser settings.
Product analytics and session recording
To understand how users interact with Bravio and to find and fix usability problems, we use a third-party product-analytics tool (Microsoft Clarity) that records anonymized session data. This includes mouse movements, clicks, scrolls, page navigation, and the timing of these events. The tool does not capture the actual values you enter into Bravio (transactions, amounts, account balances, asset values) — these are masked by default. The tool records what you do in the interface, not the financial content you create.
Sessions are stored anonymized by the analytics provider for up to 12 months and then deleted. We use this data only to improve the product, never for marketing or to identify individual users.
Web analytics
We use Google Analytics 4 to measure aggregate site traffic: how many people visit each page, which sources they come from (search engines, direct links, social media), what country and city they connect from, and which devices and browsers they use. Google Analytics sets first-party cookies in your browser to distinguish unique visitors. We do not send your financial data or any personally identifying account information to Google Analytics.
Advertising and marketing
We use the Meta (Facebook) Pixel on our public marketing pages to measure the effectiveness of advertising campaigns and to show relevant ads to people who have visited Bravio. The Meta Pixel sets cookies and shares limited event data (such as page views, sign-up completion, and trial start) with Meta. We do not share your financial data, transactions, or account contents with Meta. You can opt out of Meta's advertising profiling in your Meta account settings or via tools like the EU's Your Online Choices.
In addition, we use the Meta Conversions API (server-to-server) to report the same conversion events (trial start and purchase) to Meta when the browser pixel cannot run — for example due to ad blockers or iOS restrictions. For this purpose we send Meta's servers your email address and name in SHA-256 hashed (irreversible) form, along with your IP address and browser identifier. Meta uses this data exclusively to match conversion events with advertising profiles and campaign attribution. We do not send financial data, transactions, or account contents through this channel. This transfer is made with your consent upon accepting this privacy notice; you can request that your activity be excluded by emailing contacto@bravio.mx.
You can request that your sessions be excluded from any of the above analytics by emailing contacto@bravio.mx.
8. Data retention
We retain your data for as long as your account is active. If you cancel your subscription, we keep your data so you can reactivate later. If you delete your account, your data is removed within 30 days. Backups are rotated within 90 days.
We may retain certain data longer if required by law (e.g., billing records for tax purposes).
9. Security
Your data is encrypted in transit (TLS 1.3) and at rest (AES-256). Passwords are hashed with bcrypt. Access to production systems is restricted to authorized personnel and logged. We use database-level Row Level Security so each user's data is isolated from other users at the database level.
No system is perfectly secure. If you detect a security issue, contact contacto@bravio.mx.
Breach notification
If a security incident affects your personal data, we will notify you by email as soon as reasonably possible after we become aware of it, in accordance with Article 20 of the LFPDPPP. The notification will describe what happened, what data was involved, what we are doing about it, and what steps you can take to protect yourself.
10. International data transfers
Some of our service providers are located outside Mexico (United States, primarily). Where we transfer your data outside Mexico, we rely on appropriate safeguards including standard contractual clauses and providers' compliance with international data protection frameworks.
11. Children
Bravio is not directed at children under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
12. Changes to this policy
We may update this policy from time to time. When we make material changes, we will notify you by email and post a notice in the app at least 15 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.
13. Contact
For privacy questions or requests, email contacto@bravio.mx:
- Subject line: Include "Privacy request" so we route it correctly.
- Response time: We respond within 20 business days as required by Mexican law.
This policy is governed by the laws of Mexico. Any dispute will be resolved by the competent courts of Mexico City.