Assetli Privacy Policy
Last updated: June 20, 2026
Version: 1.1
1. Data Controller
Ondřej Smutný
Business ID (IČO): 75343533
Registered office: Družstevní 511, 294 41 Dobrovice, Czech Republic
Email: info@assetli.app
Web: https://assetli.app
Given the scope of processing, no Data Protection Officer (DPO) has been appointed. For any questions regarding the protection of personal data, contact info@assetli.app.
2. What Data We Process
2.1 Registration and Profile Data
- First and last name
- Email address
- Hashed password (bcrypt, SALT_ROUNDS=12 — we never store the password in readable form)
- Registration date, language preference
- Optionally: phone number, date of birth
- 2FA configuration (TOTP seed, hashed backup codes)
2.2 Financial Data
This is the most sensitive data we process:
Bank accounts: name, type (checking, savings, investment, credit card, loan, cash), currency, balance, status (active/archived).
Transactions: date, amount, description/payee, category, tags, type (income/expense/transfer), notes. When importing from CSV/PDF, the files are processed by the server — the extracted data is stored in the database, the original files are not retained permanently.
Budgets: name, category, limits, period, spending status.
Savings envelopes: name, target amount, current status, contribution history.
Subscriptions: service name, amount, frequency, category, renewal date.
2.3 Investment Data
Stocks and ETFs: brokerage accounts, trades (date, symbol, quantity, price, fees), dividends (amount, withholding tax, ex-date, pay date), live prices (from external market data providers, in particular Yahoo Finance).
Cryptocurrencies: exchange accounts, trades (12+ types including buy, sell, swap, staking), holding positions, live prices (from CoinMarketCap/CoinGecko).
Alternative investments: P2P loans, crowdfunding, commodities, pension products — original value, current value, returns, events.
2.4 Asset Data
Real estate: type, purpose, address, area, purchase price, current value, rental income, expenses, utility readings (electricity, gas, water), appliances with power consumption, photovoltaic panels with production.
Vehicles: type, make, model, year, license plate, VIN, mileage, costs (fuel, insurance, maintenance), service events, valuation.
Valuables: category (16 types), purchase price, current value, depreciation, warranty, condition.
Mortgages and loans: principal, interest rate, installments, link to real estate.
2.5 Shared Expenses Data (Bill Splitting)
Group name, members (name, optionally email), shared expenses, settlements, comments, activity log. When a group is shared via a public link, the data may be visible to persons without an Assetli account.
2.6 Family Legacy Data
Contacts of trusted persons (name, email, relationship), access conditions, encrypted notes (AES-256-GCM), access log. Notes for heirs are encrypted at the database level — not even the Operator has access to them in readable form.
2.7 Payment Data
Payments are processed exclusively by Stripe, Inc. On Assetli's servers we store only: Stripe Customer ID, the last 4 digits of the card, card type, expiration date. We never store card numbers, CVV, or complete payment details.
2.8 Technical and Analytical Data
- IP addresses and approximate geolocation
- Browser and device type (User-Agent)
- Login timestamp
- Application error and performance logs
2.9 AI Conversations
Conversations with the AI assistant are stored in the database under the User's account. The content of conversations is sent to the AI provider (Anthropic, OpenAI, or Google Gemini, depending on the User's choice) to generate responses. The User can delete conversations at any time.
2.10 Uploaded Files
Documents, receipts, and photos uploaded to the File Manager are stored on Cloudflare R2. The files are assigned to the User's account and accessible only through an authenticated API. The files are permanently deleted upon account deletion.
3. Cookies and Tracking Technologies
3.1 Cookie Overview
| Cookie | Provider | Purpose | Type | Validity Period |
|---|---|---|---|---|
authjs.session-token |
Assetli | Authentication of the logged-in user | Necessary | 30 days |
authjs.csrf-token |
Assetli | Protection against CSRF attacks | Necessary | Session |
authjs.callback-url |
Assetli | Redirect after login | Necessary | Session |
lang |
Assetli | Language preference | Functional | 1 year |
cookiehub |
CookieHub | Storing the cookie consent choice | Necessary | 1 year |
_ga, _ga_* |
Google Analytics | Anonymized traffic analysis | Analytics | 2 years |
_clck, _clsk |
Microsoft Clarity | Analysis of user behavior (heatmaps) | Analytics | 1 year / Session |
3.2 Cookie Categories
Necessary cookies — required for the application to function (login, security). They cannot be refused.
Analytics cookies — help us understand how users use the application. They are activated only with your consent. You can refuse them at any time in the cookie banner settings.
3.3 Cookie Management
We manage consent for analytics cookies through the CookieHub platform. Analytics scripts (Google Analytics, Microsoft Clarity) are loaded only after consent is granted. You can manage cookies:
- Through the cookie banner (CookieHub) on your first visit and at any time thereafter
- In your browser settings
- By deleting cookies in your browser
4. Purposes of Processing and Legal Basis
| Purpose of Processing | Legal Basis (GDPR) | Data Processed |
|---|---|---|
| Provision of the Service (accounts, transactions, budgets) | Performance of a contract (Art. 6(1)(b)) | Registration, financial, investment, asset data |
| AI categorization of transactions | Performance of a contract (Art. 6(1)(b)) | Transaction texts (description, amount) |
| AI chat assistant | Performance of a contract (Art. 6(1)(b)) | Conversations, financial snapshot |
| Payment processing | Performance of a contract (Art. 6(1)(b)) | Payment data (via Stripe) |
| Account security (2FA, rate limiting, brute-force protection) | Legitimate interest (Art. 6(1)(f)) | IP addresses, login logs |
| Email notifications (budgets, subscriptions, security) | Consent (Art. 6(1)(a)) | Email address |
| Analytics and service improvement | Legitimate interest (Art. 6(1)(f)) | Anonymized analytics data |
| Legal obligations (tax records) | Legal obligation (Art. 6(1)(c)) | Payment records |
5. Recipients of Personal Data (Processors)
5.1 Processor Overview
| Processor | Purpose | Data Location | Transfer Outside the EU |
|---|---|---|---|
| MongoDB Atlas (MongoDB, Inc.) | Database | EU (Frankfurt, AWS eu-central-1) | No |
| Cloudflare, Inc. | Files (R2), CDN, protection | Global | Yes — Standard Contractual Clauses |
| Vercel, Inc. | Application hosting, temporary files (Vercel Blob) | Global | Yes — Standard Contractual Clauses |
| Stripe, Inc. | Payment processing | EU | No (primarily) |
| Resend, Inc. | Sending emails | USA | Yes — Standard Contractual Clauses |
| Anthropic, PBC | AI categorization, AI chat | USA | Yes — Standard Contractual Clauses |
| Google LLC | Google Analytics, Google OAuth | USA | Yes — Standard Contractual Clauses |
| Microsoft Corp. | Clarity (analytics) | USA | Yes — Standard Contractual Clauses |
| CookieHub ehf. | Cookie consent management (cookie banner) | EU/EEA (Iceland) | No |
5.2 What We Share with AI Providers
For AI categorization: transaction texts (description, amount, date). For AI chat: the conversation and a financial snapshot (aggregated data about accounts, investments, budgets). We never share login credentials, passwords, or payment information.
In the settings, the User may enter their own API key for Anthropic, OpenAI, or Google Gemini — in which case the data is sent directly to the provider without any markup on Assetli's part.
5.3 Market Data
Live prices: external market data providers, in particular Yahoo Finance (stocks and ETFs), CoinMarketCap/CoinGecko (crypto), frankfurter.app — based on the reference exchange rates of the European Central Bank (exchange rates). We do not send any personal data to these providers — only general queries for market data (stock symbol, currency code).
5.4 Wallet by BudgetBakers
During synchronization via WBB, transactions are transferred from WBB to Assetli. WBB is an independent data controller with its own license for accessing banking data via Open Banking. The terms of data processing are governed by the terms of BudgetBakers s.r.o.
5.5 No-Sale-of-Data Statement
We never sell, share, or provide your personal and financial data to third parties for marketing, advertising, or commercial purposes.
6. Data Transfers Outside the EU
Some processing involves the transfer of data to the USA (Anthropic, Resend, Cloudflare, Vercel, Google, Microsoft). For these transfers, we use Standard Contractual Clauses (SCC) approved by the European Commission pursuant to Art. 46(2)(c) GDPR. Copies of the SCC are available upon request.
7. Data Retention
| Type of Data | Retention Period |
|---|---|
| Registration data | For the duration of the account |
| Financial data (transactions, accounts, investments) | For the duration of the account |
| AI conversations | For the duration of the account (the user can delete at any time) |
| Uploaded files | For the duration of the account |
| Payment records | 5 years after the payment is made (Czech tax regulations) |
| After account deletion — personal data | Deleted within 30 days |
| After account deletion — anonymized financial data | May be retained for up to 5 years (legal obligations) |
| Inactive account (typically 12+ months without login) | The Operator reserves the right to delete the account after prior email notice (with a deadline for logging in) |
| Imported files (CSV/PDF) | Processed and deleted — not retained permanently |
| Login and error logs | 12 months |
8. Automated Decision-Making and Profiling
8.1 AI Categorization of Transactions
Assetli uses Claude AI models (Anthropic) to automatically categorize transactions based on their description. This processing has no direct legal consequences for the User, can be manually corrected at any time, and is transparent — the User sees the assigned category.
8.2 Financial Score (0–850)
Assetli automatically calculates a financial health score based on 7 components. This score is for informational purposes only, does not affect access to loans or other financial products, and is not shared with third parties.
8.3 Predictions and Analytics
Cash flow predictions, latte factor analysis, lifestyle inflation check, and other analytical functions are automated calculations that are purely informational in nature.
8.4 Right to Human Review
In accordance with Art. 22 GDPR, the User has the right to human review of any automated output. Contact info@assetli.app.
9. Your Rights (GDPR Art. 15–22)
| Right | How to Exercise It |
|---|---|
| Right of access (Art. 15) | Settings → Data Export (GDPR export in JSON) |
| Right to rectification (Art. 16) | By editing the data in account settings |
| Right to erasure (Art. 17) | Settings → Danger Zone → Delete Account |
| Right to data portability (Art. 20) | Settings → Data Export (complete GDPR export in JSON format) |
| Right to restriction of processing (Art. 18) | Contact info@assetli.app |
| Right to object (Art. 21) | Settings → Privacy, or info@assetli.app |
| Right to withdraw consent | Settings → Notifications, cookie banner |
Response deadline: 30 days. For complex requests, this may be extended by a further 60 days with notice.
Supervisory authority: Czech Data Protection Authority (ÚOOÚ), Pplk. Sochora 27, 170 00 Praha 7, posta@uoou.cz, www.uoou.cz
10. Protection of Children
The Service is not intended for children under 15 years of age (in accordance with Section 7 of Act No. 110/2019 Coll.). We do not knowingly collect personal data of children under 15 years of age. If we find that we have collected data from a person under 15 years of age without the consent of a legal guardian, we will delete such data without delay.
11. Security
11.1 Technical Measures
- Encrypted connections (HTTPS/TLS)
- Password hashing (bcrypt, SALT_ROUNDS=12)
- Two-factor authentication (TOTP)
- Protection against brute-force attacks with automatic account lockout
- Form protection with reCAPTCHA v3
- Encryption of sensitive data: Family Legacy notes (AES-256-GCM), API keys (SHA-256 hash)
- Database hosted in the EU (MongoDB Atlas, Frankfurt, AWS eu-central-1)
11.2 Data Breach Notification
In accordance with Art. 33 and 34 GDPR, we will report a security breach to the supervisory authority (ÚOOÚ) within 72 hours of detection. We will inform affected users without undue delay if the breach poses a high risk.
11.3 Disclaimer
Although we implement reasonable measures, no method of data transmission or storage is 100% secure. If you detect unauthorized access to your account, contact us immediately at info@assetli.app.
11.4 Vulnerability Reporting
If you discover a security vulnerability, contact info@assetli.app. We appreciate responsible disclosure of vulnerabilities and will not take legal action against persons who report vulnerabilities in good faith.
12. Rights of Users Outside the EU
12.1 United Kingdom (UK GDPR)
The processing of data of users in the United Kingdom is governed by the UK GDPR and the Data Protection Act 2018. Your rights are similar to those under the EU GDPR. Supervisory authority: Information Commissioner's Office (ICO), www.ico.org.uk.
12.2 California (CCPA/CPRA)
If you are a California resident, you have rights under the CCPA/CPRA:
- Right to know about the data collected
- Right to delete personal data
- Right to correct inaccurate data
- Right to opt out of the sale/sharing of data — we do not sell or share your data for advertising
- Right to non-discrimination
Contact info@assetli.app. We will respond within 45 days.
12.3 Other US States
Residents of Colorado, Connecticut, Virginia, and other states with privacy laws may have similar rights. Contact info@assetli.app.
13. Aggregation and Anonymization
We reserve the right to create aggregated and anonymized data for the purpose of improving the Service and training AI models. Aggregated data must not allow the identification of an individual User and is not subject to the GDPR.
14. Changes to This Policy
- Minor changes: announced on the website
- Material changes: announced by email at least 30 days in advance
- For changes requiring consent, we will request new active consent
- Older versions are archived and available upon request
15. Contact
Ondřej Smutný
Email: info@assetli.app
Web: https://assetli.app
Address: Družstevní 511, 294 41 Dobrovice, Czech Republic
Effective date: June 20, 2026
© 2026 Assetli. All rights reserved.