Home Blog Pricing Couples Refer

Privacy Policy

Last updated: July 4, 2026. Effective as of 04/07/2026.

Note: This is a translation provided for your convenience. In case of any discrepancy between this translation and the Portuguese version, the Portuguese version shall prevail.

Your privacy is important to us. This Privacy Policy explains how Monely ("we", "our" or "app") collects, uses, stores and protects your personal information when you use our personal finance management app.

The processing of your personal data described in this Policy is carried out by CHARLES BERTI TECNOLOGIA DA INFORMAÇÃO LTDA, registered under CNPJ No. 66.037.451/0001-01, headquartered at Rua Pais Leme, 215, conjunto 1713, Pinheiros, São Paulo/SP, CEP 05424-150, as the controller of your personal data. References to "Monely", "we" or "our" designate that company. The channels for exercising rights and contacting the Data Protection Officer (DPO) are indicated in section 11.

This Policy describes how we process your personal data during your use of Monely. We recommend that you read this document carefully.

Monely does not connect to financial institutions or to Open Finance or Open Banking systems. All financial data is entered by you: manually in the app, by scanning a receipt (OCR), by importing a file (CSV, XLS, XLSX or OFX) or by a message sent to our assistant on WhatsApp.

Legal bases (LGPD): we process your data on the basis of the performance of the contract (to provide the service), your consent (for the artificial intelligence features), legitimate interest (for usage analytics, measurement of our own outreach campaigns, security and fraud prevention, always with the right to object, as described in section 5) and compliance with legal obligations. The legal basis applicable to each purpose is indicated throughout this document.

1. Information We Collect

1.1 Information you provide

  • Registration data: name, email address and profile photo (optional).
  • Financial data: information about accounts, income, expenses, categories, labels and goals that you voluntarily enter in the app.
  • WhatsApp messages: texts, audio and images you send to our AI assistant to record financial transactions.
  • In-app AI chat: messages, images, audio and financial data (amounts, categories, dates) that you share with the AI assistant within the app, subject to your explicit consent.
  • Referral data: referral code, history of referrals made and conversion status.
  • Communications: messages sent through the contact form or support.

1.2 Information collected automatically

  • Device data: device model, operating system, app version and unique identifiers.
  • Usage data: information about how you interact with the app, such as screens accessed and features used.
  • Error logs: technical information to identify and fix problems in the app.

1.3 Information from third parties

  • Authentication: if you choose to sign in with Google or Apple, we receive your name, email and profile photo (if available) from these platforms. Authentication is based on the performance of the contract, as it is necessary to provide you with the Service.

1.4 Analytics, measurement and advertising identifier data

To understand how the app is used and to measure the effectiveness of our own outreach campaigns, we collect the data described below, only after the creation of your account and acceptance of these terms. Before that, collection remains disabled.

  • Analytics events (Firebase Analytics, from Google): we record usage milestones, such as account creation (sign_up), session start (login), first record entered (first_record), initial setup steps (onboarding) and subscription events (begin_trial, purchase). These events indicate the action and the method used (for example, sign-up by email, Google or Apple) and do not include the content of your financial transactions.
  • Product telemetry (PostHog): we record interface actions (for example, screens opened, use of filters and access to features) to improve the app. These events describe interactions with the interface and do not include amounts, categories or the content of your financial transactions. This telemetry may include session recordings (session replay) with masking of sensitive text and images.
  • Advertising identifier (AD_ID, on Android): we use the device's advertising identifier, together with Google's consent signals (Consent Mode v2), exclusively to measure the conversion of Monely's own campaigns on Google Ads (for example, to attribute an install or a sign-up to an ad we ran). We do not use the identifier for ad personalization or remarketing: the personalization signal remains disabled. Monely does not display ads on any plan: the identifier serves only to measure our campaigns, not to show ads within the app.

Legal basis (LGPD): the analytics events, product telemetry and the conversion measurement of our campaigns are processed on the basis of legitimate interest (Art. 7, IX, and Art. 10 of Law No. 13.709/2018), with the right to object at any time (section 5).

2. How We Use Your Information

We use your information to:

  • Provide the service: allow you to record, organize and view your personal finances.
  • AI message processing: analyze texts, transcribe audio and extract information from images (OCR) sent via WhatsApp to automatically record transactions.
  • In-app AI features: generate personalized financial insights and intelligent responses through the AI chat, based on your financial data, subject to your prior explicit consent (see section 7.1).
  • Personalize the experience: adapt the app to your preferences (language, theme, settings).
  • Synchronization: keep your data synchronized across devices.
  • Referral program: manage your referral code, track referrals and apply bonuses.
  • Communication: send notifications about scheduled payments, important updates and respond to your messages.
  • Service improvement: analyze app usage to identify problems and develop new features.
  • Measurement of our campaigns: assess the effectiveness of Monely's own outreach campaigns (for example, how many installs or sign-ups came from an ad we ran), as detailed in section 1.4.
  • Security: protect against fraud, abuse and unauthorized activities.
  • Social features: display your username and profile photo in rankings and other community features of the app, visible to other users.

The table below summarizes the main categories of data, their purposes and the corresponding legal bases:

DataPurposeLegal basis
EmailLogin and account identificationPerformance of the contract
Financial dataOrganizing your financesPerformance of the contract
Data sent to AIInsights, chat and receipt scanning (OCR)Consent
Analytics and telemetryImproving the productLegitimate interest
Advertising identifier (AD_ID)Measurement of our campaignsLegitimate interest

3. Information Sharing

We do not sell your personal information. We may share data only in the following situations:

  • With your consent: when you explicitly authorize sharing.
  • Shared expenses: if you use the shared group feature, group members will have access to records marked as shared.
  • Rankings and social features: by participating in rankings or community features, your username and profile photo will be displayed to other users of the app. By using these features, you authorize the display of this information. Detailed financial data (amounts, transactions, categories) is never shared in rankings.
  • Service providers: we use third-party services for:
    • Authentication and abuse protection (Firebase Authentication and Firebase App Check, from Google)
    • Storage of the database on secure servers and of files you upload, such as profile photos and receipts (Firebase Storage / Google Cloud Storage)
    • Sending transactional emails, such as access codes and invitations (SMTP2GO)
    • Push notifications (Firebase Cloud Messaging, from Google)
    • Usage analytics and product telemetry (Firebase Analytics, from Google, and PostHog)
    • Error and performance monitoring (Sentry)
    • AI processing: Google Cloud Vertex AI (primary provider, hosted in us-central1, Iowa, United States) and OpenAI (alternative provider, also in the United States, used only as a fallback when the primary provider is unavailable)
    • WhatsApp and chat integration and support: technical messaging gateways (partly hosted on our own infrastructure and partly operated over Meta's official API), the Meta/WhatsApp platform as the final transport of the messages, and Chatwoot for managing conversations and human support
    • Validation of purchases and subscriptions (Google Play and Apple App Store)
    These providers are contractually obligated to protect your information and to process it only in accordance with our instructions.
  • Legal obligations: when required by law, court order or to protect our rights.

4. Storage and Security

4.1 Where your data is stored

We store your data at rest within Brazilian territory. Artificial intelligence processing is performed in the United States, as detailed below and in section 9 (International Data Transfer).

  • Main database: secure servers located in São Paulo, Brazil.
  • AI processing (Vertex AI): us-central1 region (Iowa, United States). Requests sent to the AI are processed on demand in the United States and are not stored by the provider after the response is returned. History storage at rest continues to take place in São Paulo.
  • Backups: performed in the same data center as the main database, with encryption.
  • Auxiliary services (Firebase Authentication, push notifications, error tracking) may use international data centers of trusted providers. These services do not store detailed financial data.

4.2 Security measures

We implement various measures to protect your information:

  • Encryption of data in transit (HTTPS/TLS)
  • Encryption of data at rest, using the mechanisms provided by the storage infrastructure
  • Secure authentication and session management through modern mechanisms
  • Optional biometric lock processed locally on the device: verification uses the operating system's native feature and no biometric data is collected, transmitted or stored by us
  • Protection against common attacks (SQL injection, XSS, CSRF)
  • Continuous security monitoring
  • Regular backups

4.3 Data Retention and Deletion

We keep your data as long as your account is active. When you request account deletion, we apply a two-step process, in compliance with Art. 17 of the LGPD:

  • Immediate deactivation (soft delete): your account is deactivated as soon as you request it. Your data becomes inaccessible through the app and you lose access to features.
  • 30-day grace period: during this period, you may request the reversal of the deletion through support. This period also accommodates any legal retention obligations.
  • Permanent deletion (hard delete): after 30 days, an automated process permanently erases all your personal data, transactions, accounts, custom categories, session tokens and consents, and requests the removal of your analytics data from our providers (including events and session recordings in PostHog). Deletion is final and logged for audit purposes.

Exceptions to permanent deletion occur only when retention is required by law (for example, tax obligations or court orders). In such cases, only the strictly necessary data is preserved for the legal period.

5. Your Rights

According to the General Data Protection Law (LGPD), you have the right to:

  • Access: request a copy of the data we have about you.
  • Correction: correct incomplete, inaccurate or outdated data.
  • Deletion: request the deletion of your personal data.
  • Portability: receive your data in a structured format.
  • Revocation: withdraw your consent at any time.
  • Objection: object to processing carried out on the basis of legitimate interest (for example, the usage analytics described in section 1.4), at any time.
  • Information: know with whom your data has been shared.

How to exercise your rights:

  • Objection to processing based on legitimate interest: you may object to the processing of analytics, telemetry and campaign measurement data at any time, through the contact channel in section 11 or by deleting your account (section 4.3), which ends these collections.
  • Withdrawal of AI consent: the artificial intelligence features can be disabled at any time in the app settings, revoking the specific consent.
  • Account deletion: you can delete your account and your data from the app itself, under Settings, in the Delete account option (the process is described in section 4.3).
  • Other requests: for access, correction, portability or any question, contact our Data Protection Officer (DPO) at contato@monely.app.

6. Cookies and Similar Technologies

The Monely mobile app does not use cookies. However, our website may use:

  • Essential cookies: necessary for basic website functionality.
  • Local storage: to save preferences (such as theme and language choices).
  • Analytics cookies (Google Analytics): our website uses Google Analytics to measure page traffic and performance, with Google's Consent Mode. These cookies are only activated after your consent in the cookie banner, and you can decline them.

7. Third-Party Services

Monely uses the following third-party services:

  • Firebase (Google): authentication, push notifications and analytics. Firebase Privacy Policy
  • Google Sign-In: authentication via Google account. Google Privacy Policy
  • Apple Sign-In: authentication via Apple account. Apple Privacy Policy
  • Sentry: error monitoring. Sentry Privacy Policy
  • PostHog: product telemetry and usage analysis, including session recordings with masking of sensitive content. Hosted in the United States. PostHog Privacy Policy
  • WhatsApp Business API (Meta): integration for receiving messages via WhatsApp. WhatsApp Privacy Policy
  • Google Cloud Vertex AI: primary artificial intelligence provider for chat, financial insights, natural language processing, audio transcription and image recognition. Hosted in the us-central1 region (Iowa, United States). Your data is not used to train AI models, as per Google Cloud's terms. The international transfer is governed by the Google Cloud Data Processing Addendum. Vertex AI Data Governance
  • OpenAI: alternative artificial intelligence provider, used only as a fallback when Vertex AI is unavailable. Hosted in the United States. Your data is not used to train AI models, as per OpenAI API policy. The international transfer is governed by the OpenAI Data Processing Addendum. OpenAI Privacy Policy

7.1 Consent for AI Features

The artificial intelligence features (receipt OCR, AI chat, personalized financial insights, WhatsApp assistant and document imports) require your explicit consent before any data processing takes place. When using these features:

  • You will be asked to consent to data sharing before first use;
  • The following data may be sent for processing: messages, images and audio you send; financial transaction data (amounts, categories, dates); photos of receipts; documents (PDF, CSV, XLS, OFX) you import;
  • Your data is processed by Google Cloud Vertex AI (us-central1 region, Iowa, United States) as the primary provider. OpenAI (United States) is used only as a fallback if the primary provider is unavailable;
  • Your data is not used to train artificial intelligence models at either provider;
  • We record the timestamp, current policy version and source of your consent in our systems (user_consents table) as proof of compliance;
  • You may revoke your consent at any time in the app settings, which immediately disables all AI features;
  • Revoking consent does not affect the lawfulness of processing carried out prior to revocation.

Use of these features is optional. All other Monely features remain fully available regardless of your AI consent.

Legal basis (LGPD): data processing by AI features is carried out based on the data subject's consent (Art. 7, I, of Law No. 13.709/2018, LGPD).

8. Minors

Monely is intended for persons with legal capacity. Minors should only use the Service with the authorization and under the supervision of their legal guardian, who is responsible for authorizing and monitoring the use of the app and the processing of the minor's data. When we process adolescents' data, we observe their best interest, in accordance with art. 14 of Law No. 13.709/2018 (LGPD). We do not intentionally collect data from children without the guardian's consent; if a guardian identifies that a minor under their care has used the Service without proper authorization, they may request the deletion of the data through the channels indicated in section 11. If we identify the processing of a child's data without the guardian's consent, we will take measures to delete such data as quickly as possible.

9. International Data Transfer

Your main database remains in São Paulo, Brazil. However, some operations involve international data transfer, as described below.

Artificial intelligence processing: requests sent to the AI providers are processed in the United States, Google Cloud Vertex AI (us-central1 region, Iowa) as the primary provider and OpenAI as the fallback. Processing is performed on demand: data is sent only at the moment of the request, is not stored at rest by the providers after the response is returned, and is not used for model training. The transaction history and other financial data at rest remain in São Paulo.

Auxiliary and analytics services: authentication and abuse protection (Firebase), push notifications, error tracking (Sentry), usage analytics (Firebase Analytics) and product telemetry (PostHog, hosted in the United States) may use international data centers. Some of these auxiliary services may use infrastructure distributed globally by the respective providers. These services do not receive amounts, categories or the content of your financial transactions.

Legal basis (LGPD, Art. 33): all international transfers take place based on standard contractual clauses (Google Cloud and OpenAI Data Processing Addenda) and on your explicit consent to AI processing, as described in section 7.1. We apply appropriate technical and organizational measures to ensure the protection of transferred data.

10. Changes to this Policy

We may update this Privacy Policy periodically. When we make significant changes, we will notify you through the app or by email. The date of the last update will always be indicated at the beginning of this document.

Continued use of Monely after the changes constitutes your acceptance of the updated policy.

11. Contact

If you have questions, concerns or requests related to this Privacy Policy or the processing of your personal data, contact us:

12. Applicable Law

This Privacy Policy is governed by the laws of the Federative Republic of Brazil, particularly the General Data Protection Law (LGPD, Law No. 13.709/2018).


Monely. Your personal finance simplified.
© 2026 Monely. All rights reserved.