Privacy Policy
Last updated: April 26, 2026
Bravio is a personal finance tool. We take your privacy seriously: we don't sell your data, we don't connect to your bank, and we strip personal identifiers before processing financial documents with AI. This policy explains exactly what we collect, why, and what your rights are.
1. Who we are
Bravio (the "Company", "we", "us") is a personal finance service operating in Mexico. For privacy questions or to exercise your rights, contact us at contacto@bravio.mx.
2. What we collect
We collect only the data needed to operate the service:
- Account data: email address, hashed password, language preference, account creation timestamp.
- Financial data you enter: transactions (date, amount, category, description), assets and liabilities, budget targets, income sources, FX rates you set.
- Imported documents: bank statements (PDF), payroll receipts (CFDI/XML), and Excel files you upload for AI parsing.
- Usage data: page visits, feature usage, error logs, last-active timestamps. We use this to operate and improve the service.
- Payment data: when you subscribe, payment information is collected and processed by our third-party payment processor. We do not store full card numbers.
3. What we do with imported documents
When you upload a bank statement or payroll receipt for AI parsing:
- The file is read in your browser first.
- Personal identifiers — names, addresses, full account numbers (CLABE, card numbers), tax IDs (RFC, CURP), email addresses, phone numbers — are removed before any data leaves your device.
- Only sanitized text (dates, merchant names, amounts, deduction labels) is sent to our AI processing provider for parsing.
- The provider processes the text and returns structured transactions, which are stored in your account. Our AI provider does not use this data to train its models.
- The original file is not stored on our servers after parsing completes.
4. Why we collect it
We use your data to:
- Provide the service: store your transactions, compute your net worth, generate budget reports.
- Operate AI features: parse bank statements and payroll receipts you upload.
- Process payments and manage your subscription.
- Communicate with you about your account, security alerts, and meaningful product updates.
- Improve the service: understand which features are used, fix bugs, prevent abuse.
- Comply with legal obligations.
5. Who we share data with
We share data only with the third-party service providers we need to operate the service. These fall into the following categories:
- Cloud hosting and database providers — store the application code and your data. Data is encrypted at rest and in transit. Providers we use are certified under industry-standard frameworks such as SOC 2.
- AI processing providers — analyze the sanitized text from your statement and payroll uploads (after personal identifiers are removed in your browser). Our AI providers do not use this data to train their models.
- Payment processors — handle subscription billing. Our payment processor is PCI-DSS Level 1 certified, and we do not store full card numbers.
- Email delivery providers — send transactional and security emails (account confirmations, alerts, billing receipts).
We may add or change service providers in any of these categories over time. We do not sell your data to advertisers, data brokers, or any third party. We do not share your financial data with banks or financial institutions.
6. Your rights (ARCO)
Under Mexico's Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP), you have the following rights regarding your personal data:
- Access: request a copy of the data we hold about you.
- Rectification: correct inaccurate or incomplete data.
- Cancellation (deletion): request deletion of your data when no longer needed.
- Opposition: object to specific uses of your data.
To exercise any of these rights, email contacto@bravio.mx from the email address associated with your account. We will respond within 20 business days as required by law.
You can also delete your account directly from Settings → Account → Delete account. Deleting your account removes your data from our active systems within 30 days, and from backups within 90 days.
7. Cookies and local storage
We use browser local storage to:
- Keep you logged in (authentication tokens)
- Remember your language preference
- Remember your Privacy Mode toggle and other UI preferences
We do not use third-party tracking cookies. We do not use advertising trackers.
8. Data retention
We retain your data for as long as your account is active. If you cancel your subscription, we keep your data so you can reactivate later. If you delete your account, your data is removed within 30 days. Backups are rotated within 90 days.
We may retain certain data longer if required by law (e.g., billing records for tax purposes).
9. Security
Your data is encrypted in transit (TLS 1.3) and at rest (AES-256). Passwords are hashed with bcrypt. Access to production systems is restricted to authorized personnel and logged. We use database-level Row Level Security so each user's data is isolated from other users at the database level.
No system is perfectly secure. If you detect a security issue, contact contacto@bravio.mx.
10. International data transfers
Some of our service providers are located outside Mexico (United States, primarily). Where we transfer your data outside Mexico, we rely on appropriate safeguards including standard contractual clauses and providers' compliance with international data protection frameworks.
11. Children
Bravio is not directed at children under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
12. Changes to this policy
We may update this policy from time to time. When we make material changes, we will notify you by email and post a notice in the app at least 15 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.
13. Contact
For privacy questions or requests:
Email: contacto@bravio.mx
Subject line: Include "Privacy request" so we route it correctly.
Response time: We respond within 20 business days as required by Mexican law.
This policy is governed by the laws of Mexico. Any dispute will be resolved by the competent courts of Mexico City.