1. Who we are
This Policy describes how umpordez (CNPJ 62.016.040/0001-89), operator of sussa, collects, uses, and protects your personal data, in line with Brazil's LGPD (Law No. 13.709/2018).
Data Protection Officer (DPO): privacy@tosussa.com.br.
2. What data we collect
Account: name, email, password (stored encrypted), optional profile photo.
Financial data you record: transactions, categories, payables, receivables, goals, investments. Stored on your device and, on the premium plan, synced to our servers.
Payment: processed by Asaas (web) or Apple/Google (mobile). We do not store full card numbers.
Technical: IP address, device type, OS, app version. Used for support and diagnostics.
Photos used for camera-based reading (OCR) of boletos, invoices and receipts are processed on-device. Those images are never sent to our servers.
We do not collect bank statements or connect via Open Finance. You log whatever you want to track manually.
3. Legal bases (LGPD Art. 7)
Each use of your data is supported by a specific legal basis:
• Contract performance (Art. 7, V): creating your account, authenticating logins, syncing data across devices, processing the premium subscription, sending billing notices.
• Legal obligation (Art. 7, II): keeping tax records, responding to requests from competent authorities, handling LGPD rights requests.
• Legitimate interest (Art. 7, IX): technical support, fraud prevention, platform security monitoring, computing insights and projections from your entries.
• Consent (Art. 7, I): push notifications and emails that depend on your authorization. You can withdraw at any time in settings or at privacy@tosussa.com.br.
4. How we use your data
To deliver sussa: sync between devices, compute insights and projections, send the notifications you configured.
For support: answer questions and investigate reported issues.
To meet legal obligations: tax, accounting, and regulatory.
We do not sell your data to third parties. We do not use your financial data for advertising.
5. Sharing
We share only strictly necessary data with:
• Asaas Gestão Financeira S.A.: web payment processing.
• Transactional email providers: billing reminders and password reset links.
• Apple and Google: push notification delivery and IAP processing, under their own policies.
• Authorities, upon valid legal process.
6. International transfers
Your data is stored on servers in Brazil. In specific situations, parts of it may travel abroad:
• Apple Inc. (USA) and Google LLC (USA): push notification delivery and in-app payment processing on the App Store and Google Play. Transfer is supported by the standard contractual clauses approved by ANPD (Resolução CD/ANPD nº 19/2024).
• Transactional email providers: messages may be delivered by servers in other countries, with contractual safeguards equivalent to those required by LGPD.
We do not transfer sensitive financial data internationally. For details on the safeguards in each transfer, write to privacy@tosussa.com.br.
7. Children and minors
sussa is not intended for users under 18. We do not knowingly collect data from children or minors.
If we discover an account was created by a minor without parental consent, we close it and delete the data. Guardians can request closure at privacy@tosussa.com.br.
8. Your rights (LGPD)
At any time you may:
• Confirm that we are processing your data.
• Request a copy of your data.
• Correct incomplete or outdated data.
• Request anonymization or deletion (right to be forgotten).
• Request portability in a structured format.
• Withdraw consent.
To exercise these rights, write to privacy@tosussa.com.br. We reply within 15 days.
You may also file a complaint with Brazil's Data Protection Authority (ANPD) if you believe your rights are not being respected: gov.br/anpd.
9. Security
Passwords are stored encrypted. Traffic between the app and the server travels over a secure connection (HTTPS). Backups are encrypted at rest, and servers are hosted in Brazil.
10. Retention
We keep your data while your account is active. After deletion, data is purged within 30 days, except where legal retention applies (5 years for tax records, 6 months for security logs).
12. Changes to this Policy
We may update this Policy from time to time. Material changes are communicated by email and inside the app at least 30 days in advance.
13. Contact
Data Protection Officer (DPO): privacy@tosussa.com.br · General support: support@tosussa.com.br.