1. Who we are
This Privacy Policy describes how sussa Tecnologia LTDA ("sussa", "we") collects, uses, and protects your personal data, in line with Brazil's LGPD (Law No. 13.709/2018).
Data Protection Officer (DPO): privacy@tosussa.com.br.
2. What data we collect
Account data: name, email, password (stored as a bcrypt hash), optional profile photo.
Financial data you record: transactions, categories, payables, receivables, goals, investments. Stored locally on your device and, on the premium plan, synced to our servers.
Payment data: processed by Asaas (web) or Apple/Google (mobile). We do not store full card numbers on our servers.
Technical data: IP address, device type, OS, app version. Used for support and diagnostics.
We do not collect bank statements or connect to Open Finance — you manually log whatever you want to track.
3. How we use your data
To deliver sussa: sync between devices, compute insights and projections, send notifications you configured.
For support: answer questions, investigate reported issues.
To meet legal obligations: tax, accounting, and regulatory.
We do not sell your data to third parties. We do not use your financial data for advertising.
4. Sharing
We share strictly necessary data with:
• Asaas Gestão Financeira S.A. — for web payment processing.
• Transactional email providers — to send billing reminders and password reset links.
• Apple and Google — for push notification delivery and IAP processing, under their own policies.
• Authorities, upon valid legal process.
5. Your rights (LGPD)
At any time you may:
• Confirm the existence of processing of your data.
• Request a copy of your data.
• Correct incomplete or outdated data.
• Request anonymization or deletion (right to be forgotten).
• Request portability in a structured format.
• Withdraw consent.
To exercise these rights, email privacy@tosussa.com.br. We respond within 15 days.
6. Security
Passwords are stored with bcrypt (cost 12). Web traffic uses TLS 1.3. Server backups are encrypted at rest. The mobile app stores data locally in SQLite, protected by OS permissions.
7. Retention
We keep your data while your account is active. After deletion, data is purged within 30 days, except where legal retention applies (5 years for tax records, 6 months for security logs).
8. Cookies
The site uses only strictly necessary cookies for authentication and language preference. No advertising trackers, no third-party analytics.
9. Changes to this Policy
We may update this Policy from time to time. Material changes will be communicated by email and inside the app at least 30 days in advance.
10. Contact
Data Protection Officer (DPO): privacy@tosussa.com.br · General support: support@tosussa.com.br.