Skip to main content
Privacy

Privacy Policy | Assetli

Privacy Policy for Assetli - How we process your data in compliance with GDPR

Assetli Privacy Policy

Last updated: June 20, 2026
Version: 1.1


1. Data Controller

Ondřej Smutný
Business ID (IČO): 75343533
Registered office: Družstevní 511, 294 41 Dobrovice, Czech Republic
Email: info@assetli.app
Web: https://assetli.app

Given the scope of processing, no Data Protection Officer (DPO) has been appointed. For any questions regarding the protection of personal data, contact info@assetli.app.


2. What Data We Process

2.1 Registration and Profile Data

  • First and last name
  • Email address
  • Hashed password (bcrypt, SALT_ROUNDS=12 — we never store the password in readable form)
  • Registration date, language preference
  • Optionally: phone number, date of birth
  • 2FA configuration (TOTP seed, hashed backup codes)

2.2 Financial Data

This is the most sensitive data we process:

Bank accounts: name, type (checking, savings, investment, credit card, loan, cash), currency, balance, status (active/archived).

Transactions: date, amount, description/payee, category, tags, type (income/expense/transfer), notes. When importing from CSV/PDF, the files are processed by the server — the extracted data is stored in the database, the original files are not retained permanently.

Budgets: name, category, limits, period, spending status.

Savings envelopes: name, target amount, current status, contribution history.

Subscriptions: service name, amount, frequency, category, renewal date.

2.3 Investment Data

Stocks and ETFs: brokerage accounts, trades (date, symbol, quantity, price, fees), dividends (amount, withholding tax, ex-date, pay date), live prices (from external market data providers, in particular Yahoo Finance).

Cryptocurrencies: exchange accounts, trades (12+ types including buy, sell, swap, staking), holding positions, live prices (from CoinMarketCap/CoinGecko).

Alternative investments: P2P loans, crowdfunding, commodities, pension products — original value, current value, returns, events.

2.4 Asset Data

Real estate: type, purpose, address, area, purchase price, current value, rental income, expenses, utility readings (electricity, gas, water), appliances with power consumption, photovoltaic panels with production.

Vehicles: type, make, model, year, license plate, VIN, mileage, costs (fuel, insurance, maintenance), service events, valuation.

Valuables: category (16 types), purchase price, current value, depreciation, warranty, condition.

Mortgages and loans: principal, interest rate, installments, link to real estate.

2.5 Shared Expenses Data (Bill Splitting)

Group name, members (name, optionally email), shared expenses, settlements, comments, activity log. When a group is shared via a public link, the data may be visible to persons without an Assetli account.

2.6 Family Legacy Data

Contacts of trusted persons (name, email, relationship), access conditions, encrypted notes (AES-256-GCM), access log. Notes for heirs are encrypted at the database level — not even the Operator has access to them in readable form.

2.7 Payment Data

Payments are processed exclusively by Stripe, Inc. On Assetli's servers we store only: Stripe Customer ID, the last 4 digits of the card, card type, expiration date. We never store card numbers, CVV, or complete payment details.

2.8 Technical and Analytical Data

  • IP addresses and approximate geolocation
  • Browser and device type (User-Agent)
  • Login timestamp
  • Application error and performance logs

2.9 AI Conversations

Conversations with the AI assistant are stored in the database under the User's account. The content of conversations is sent to the AI provider (Anthropic, OpenAI, or Google Gemini, depending on the User's choice) to generate responses. The User can delete conversations at any time.

2.10 Uploaded Files

Documents, receipts, and photos uploaded to the File Manager are stored on Cloudflare R2. The files are assigned to the User's account and accessible only through an authenticated API. The files are permanently deleted upon account deletion.


3. Cookies and Tracking Technologies

3.1 Cookie Overview

Cookie Provider Purpose Type Validity Period
authjs.session-token Assetli Authentication of the logged-in user Necessary 30 days
authjs.csrf-token Assetli Protection against CSRF attacks Necessary Session
authjs.callback-url Assetli Redirect after login Necessary Session
lang Assetli Language preference Functional 1 year
cookiehub CookieHub Storing the cookie consent choice Necessary 1 year
_ga, _ga_* Google Analytics Anonymized traffic analysis Analytics 2 years
_clck, _clsk Microsoft Clarity Analysis of user behavior (heatmaps) Analytics 1 year / Session

3.2 Cookie Categories

Necessary cookies — required for the application to function (login, security). They cannot be refused.

Analytics cookies — help us understand how users use the application. They are activated only with your consent. You can refuse them at any time in the cookie banner settings.

3.3 Cookie Management

We manage consent for analytics cookies through the CookieHub platform. Analytics scripts (Google Analytics, Microsoft Clarity) are loaded only after consent is granted. You can manage cookies:

  • Through the cookie banner (CookieHub) on your first visit and at any time thereafter
  • In your browser settings
  • By deleting cookies in your browser

4. Purposes of Processing and Legal Basis

Purpose of Processing Legal Basis (GDPR) Data Processed
Provision of the Service (accounts, transactions, budgets) Performance of a contract (Art. 6(1)(b)) Registration, financial, investment, asset data
AI categorization of transactions Performance of a contract (Art. 6(1)(b)) Transaction texts (description, amount)
AI chat assistant Performance of a contract (Art. 6(1)(b)) Conversations, financial snapshot
Payment processing Performance of a contract (Art. 6(1)(b)) Payment data (via Stripe)
Account security (2FA, rate limiting, brute-force protection) Legitimate interest (Art. 6(1)(f)) IP addresses, login logs
Email notifications (budgets, subscriptions, security) Consent (Art. 6(1)(a)) Email address
Analytics and service improvement Legitimate interest (Art. 6(1)(f)) Anonymized analytics data
Legal obligations (tax records) Legal obligation (Art. 6(1)(c)) Payment records

5. Recipients of Personal Data (Processors)

5.1 Processor Overview

Processor Purpose Data Location Transfer Outside the EU
MongoDB Atlas (MongoDB, Inc.) Database EU (Frankfurt, AWS eu-central-1) No
Cloudflare, Inc. Files (R2), CDN, protection Global Yes — Standard Contractual Clauses
Vercel, Inc. Application hosting, temporary files (Vercel Blob) Global Yes — Standard Contractual Clauses
Stripe, Inc. Payment processing EU No (primarily)
Resend, Inc. Sending emails USA Yes — Standard Contractual Clauses
Anthropic, PBC AI categorization, AI chat USA Yes — Standard Contractual Clauses
Google LLC Google Analytics, Google OAuth USA Yes — Standard Contractual Clauses
Microsoft Corp. Clarity (analytics) USA Yes — Standard Contractual Clauses
CookieHub ehf. Cookie consent management (cookie banner) EU/EEA (Iceland) No

5.2 What We Share with AI Providers

For AI categorization: transaction texts (description, amount, date). For AI chat: the conversation and a financial snapshot (aggregated data about accounts, investments, budgets). We never share login credentials, passwords, or payment information.

In the settings, the User may enter their own API key for Anthropic, OpenAI, or Google Gemini — in which case the data is sent directly to the provider without any markup on Assetli's part.

5.3 Market Data

Live prices: external market data providers, in particular Yahoo Finance (stocks and ETFs), CoinMarketCap/CoinGecko (crypto), frankfurter.app — based on the reference exchange rates of the European Central Bank (exchange rates). We do not send any personal data to these providers — only general queries for market data (stock symbol, currency code).

5.4 Wallet by BudgetBakers

During synchronization via WBB, transactions are transferred from WBB to Assetli. WBB is an independent data controller with its own license for accessing banking data via Open Banking. The terms of data processing are governed by the terms of BudgetBakers s.r.o.

5.5 No-Sale-of-Data Statement

We never sell, share, or provide your personal and financial data to third parties for marketing, advertising, or commercial purposes.


6. Data Transfers Outside the EU

Some processing involves the transfer of data to the USA (Anthropic, Resend, Cloudflare, Vercel, Google, Microsoft). For these transfers, we use Standard Contractual Clauses (SCC) approved by the European Commission pursuant to Art. 46(2)(c) GDPR. Copies of the SCC are available upon request.


7. Data Retention

Type of Data Retention Period
Registration data For the duration of the account
Financial data (transactions, accounts, investments) For the duration of the account
AI conversations For the duration of the account (the user can delete at any time)
Uploaded files For the duration of the account
Payment records 5 years after the payment is made (Czech tax regulations)
After account deletion — personal data Deleted within 30 days
After account deletion — anonymized financial data May be retained for up to 5 years (legal obligations)
Inactive account (typically 12+ months without login) The Operator reserves the right to delete the account after prior email notice (with a deadline for logging in)
Imported files (CSV/PDF) Processed and deleted — not retained permanently
Login and error logs 12 months

8. Automated Decision-Making and Profiling

8.1 AI Categorization of Transactions

Assetli uses Claude AI models (Anthropic) to automatically categorize transactions based on their description. This processing has no direct legal consequences for the User, can be manually corrected at any time, and is transparent — the User sees the assigned category.

8.2 Financial Score (0–850)

Assetli automatically calculates a financial health score based on 7 components. This score is for informational purposes only, does not affect access to loans or other financial products, and is not shared with third parties.

8.3 Predictions and Analytics

Cash flow predictions, latte factor analysis, lifestyle inflation check, and other analytical functions are automated calculations that are purely informational in nature.

8.4 Right to Human Review

In accordance with Art. 22 GDPR, the User has the right to human review of any automated output. Contact info@assetli.app.


9. Your Rights (GDPR Art. 15–22)

Right How to Exercise It
Right of access (Art. 15) Settings → Data Export (GDPR export in JSON)
Right to rectification (Art. 16) By editing the data in account settings
Right to erasure (Art. 17) Settings → Danger Zone → Delete Account
Right to data portability (Art. 20) Settings → Data Export (complete GDPR export in JSON format)
Right to restriction of processing (Art. 18) Contact info@assetli.app
Right to object (Art. 21) Settings → Privacy, or info@assetli.app
Right to withdraw consent Settings → Notifications, cookie banner

Response deadline: 30 days. For complex requests, this may be extended by a further 60 days with notice.

Supervisory authority: Czech Data Protection Authority (ÚOOÚ), Pplk. Sochora 27, 170 00 Praha 7, posta@uoou.cz, www.uoou.cz


10. Protection of Children

The Service is not intended for children under 15 years of age (in accordance with Section 7 of Act No. 110/2019 Coll.). We do not knowingly collect personal data of children under 15 years of age. If we find that we have collected data from a person under 15 years of age without the consent of a legal guardian, we will delete such data without delay.


11. Security

11.1 Technical Measures

  • Encrypted connections (HTTPS/TLS)
  • Password hashing (bcrypt, SALT_ROUNDS=12)
  • Two-factor authentication (TOTP)
  • Protection against brute-force attacks with automatic account lockout
  • Form protection with reCAPTCHA v3
  • Encryption of sensitive data: Family Legacy notes (AES-256-GCM), API keys (SHA-256 hash)
  • Database hosted in the EU (MongoDB Atlas, Frankfurt, AWS eu-central-1)

11.2 Data Breach Notification

In accordance with Art. 33 and 34 GDPR, we will report a security breach to the supervisory authority (ÚOOÚ) within 72 hours of detection. We will inform affected users without undue delay if the breach poses a high risk.

11.3 Disclaimer

Although we implement reasonable measures, no method of data transmission or storage is 100% secure. If you detect unauthorized access to your account, contact us immediately at info@assetli.app.

11.4 Vulnerability Reporting

If you discover a security vulnerability, contact info@assetli.app. We appreciate responsible disclosure of vulnerabilities and will not take legal action against persons who report vulnerabilities in good faith.


12. Rights of Users Outside the EU

12.1 United Kingdom (UK GDPR)

The processing of data of users in the United Kingdom is governed by the UK GDPR and the Data Protection Act 2018. Your rights are similar to those under the EU GDPR. Supervisory authority: Information Commissioner's Office (ICO), www.ico.org.uk.

12.2 California (CCPA/CPRA)

If you are a California resident, you have rights under the CCPA/CPRA:

  • Right to know about the data collected
  • Right to delete personal data
  • Right to correct inaccurate data
  • Right to opt out of the sale/sharing of data — we do not sell or share your data for advertising
  • Right to non-discrimination

Contact info@assetli.app. We will respond within 45 days.

12.3 Other US States

Residents of Colorado, Connecticut, Virginia, and other states with privacy laws may have similar rights. Contact info@assetli.app.


13. Aggregation and Anonymization

We reserve the right to create aggregated and anonymized data for the purpose of improving the Service and training AI models. Aggregated data must not allow the identification of an individual User and is not subject to the GDPR.


14. Changes to This Policy

  • Minor changes: announced on the website
  • Material changes: announced by email at least 30 days in advance
  • For changes requiring consent, we will request new active consent
  • Older versions are archived and available upon request

15. Contact

Ondřej Smutný
Email: info@assetli.app
Web: https://assetli.app
Address: Družstevní 511, 294 41 Dobrovice, Czech Republic


Effective date: June 20, 2026
© 2026 Assetli. All rights reserved.