Privacy Policy
This document explains how GALI collects, uses, and protects your personal data when you use our personal finance mobile application.
Introduction
We recommend reading this policy carefully. GALI collects only the data necessary to provide its personal finance management service and applies principles of data minimization, transparency, and privacy by design.
1. Controller
Data controller
The controller of the personal data collected through the GALI application is:
| Field | Details |
|---|---|
| Application | GALI – Smart personal finance |
| Privacy contact | galifinancialapp@gmail.com |
| Privacy address | Madrid, Spain |
| Applicable legislation | Regulation (EU) 2016/679 (GDPR) and LOPDGDD |
2. Definitions
Key concepts
Personal data
Any information that identifies or can identify a natural person.
Processing
Any operation performed on personal data, such as collection, storage, use, disclosure, or deletion.
Data controller
The person or entity that determines the purposes and means of processing.
Data processor
A third party that processes data on behalf of the controller.
Consent
A freely given, specific, informed, and unambiguous indication by which the data subject agrees to the processing of their data.
GDPR
General Data Protection Regulation (EU) 2016/679.
LOPDGDD
Spanish Organic Law 3/2018 on Personal Data Protection and guarantee of digital rights.
3. Data
Data we collect
3.1 Registration and account data
- Email address.
- User name or alias, if the user chooses to provide it.
- Authentication data managed through Firebase Authentication (Google/Apple Sign-In or email).
3.2 Financial data entered by the user
GALI does not connect to any bank account and does not automatically obtain financial data from financial institutions. The financial data processed by GALI is exclusively the data that the user voluntarily enters or imports:
Manual entries
income, expenses, and transfers that the user records directly in the app.
Bank statements
files (PDF, CSV, or other formats) that the user voluntarily uploads to import transactions. These files are processed to extract entries and are not stored in their original format beyond what is necessary to complete the import.
iOS automation (Apple Pay / NFC)
iPhone users can configure an iOS Shortcuts automation to automatically record payments made with Apple Pay or NFC. This automation is optional, runs on the user's device, and only sends GALI the transaction data (amount, merchant, date). GALI does not access bank account or card details.
3.3 Usage and analytics data
In order to understand how the app is used and improve the user experience, GALI collects usage data through PostHog analytics, including:
- Screens and features visited.
- Actions taken within the app, excluding the financial content of those actions.
- Technical device information: model, operating system, app version, and language.
- Anonymous session identifier.
3.4 Push notification data
If the user grants permission to receive push notifications, GALI stores the device notification token in order to send reminders and personalized budget or activity alerts.
4. Purposes
Purposes and legal basis of processing
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Create and manage the user account | Email, authentication data | Performance of a contract (Art. 6.1.b) |
| Provide the personal finance management service | Entries, statements, iOS automation | Performance of a contract (Art. 6.1.b) |
| Generate AI-assisted analysis, summaries, and contextual insights | User financial data | Performance of a contract (Art. 6.1.b) |
| Usage analytics and product improvement | Anonymized usage data | Legitimate interest (Art. 6.1.f) |
| Send push notifications | Device token | Consent (Art. 6.1.a) |
| Comply with legal obligations | The data required in each case | Legal obligation (Art. 6.1.c) |
5. AI
How Artificial Intelligence works
GALI includes an Artificial Intelligence (AI) agent that analyzes the user's financial data in order to provide contextual analysis, summaries, forecasts, and informational suggestions intended to help the user understand financial habits and app data.
Individual-only use
The user's financial data is used only to generate responses, summaries, and contextual outputs for that same user. GALI does not use users' financial data to train, fine-tune, or improve the underlying AI models.
No automated profiling with legal effects
AI outputs are informational only and do not constitute automated decisions with legal or similarly significant effects on the user within the meaning of Article 22 GDPR.
Privacy by design
The AI system is designed to work with the minimum amount of data needed to provide a useful service.
Transparency
The user may request information at any time about how the AI has processed their data by emailing galifinancialapp@gmail.com.
6. Transfers
International data transfers
To provide the service, GALI uses technology providers that may process data in countries outside the European Economic Area (EEA). The main ones are listed below:
| Provider | Function | Country | Safeguard |
|---|---|---|---|
| Firebase (Google LLC) | Authentication and storage | U.S. | Standard Contractual Clauses (SCCs) adopted by the European Commission |
| MongoDB Atlas | Primary database | U.S. / EU | Standard Contractual Clauses (SCCs) |
| PostHog | Usage analytics | U.S. / EU | Standard Contractual Clauses (SCCs) / self-hosted EU instance |
| AI model provider | AI response generation | U.S. | Standard Contractual Clauses (SCCs) |
You can obtain more information about the safeguards in place by contacting us at galifinancialapp@gmail.com.
7. Retention
Data retention
| Data category | Retention period |
|---|---|
| Account data (email, authentication) | While the account remains active + 30 days after deletion |
| Financial data (entries, statements) | While the account remains active; deleted when the account is deleted |
| Usage data (analytics) | 12 months in individualized form; anonymized afterwards |
| Push notification token | While permission remains active; deleted when revoked or when the account is deleted |
8. Rights
Your rights
Under the GDPR and the LOPDGDD, you have the following rights regarding your personal data:
Access
Know what data we process about you, for what purpose, and for how long.
Rectification
Correct inaccurate or incomplete data.
Erasure ("right to be forgotten")
Request deletion of your data when, among other cases, it is no longer necessary for the purposes for which it was collected.
Restriction of processing
Request that we suspend the processing of your data in certain circumstances.
Portability
Receive your data in a structured, commonly used, machine-readable format and transfer it to another controller.
Objection
Object to processing based on legitimate interest, including profiling based on that ground.
Withdrawal of consent
Withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
Not to be subject to automated decisions
Not be subject to decisions based solely on automated processing that produce significant legal effects.
To exercise any of these rights, send an email to galifinancialapp@gmail.com stating the right you wish to exercise and attaching a copy of your identity document, or any other means that allows us to verify your identity. We will respond within a maximum period of 30 days.
If you believe that the processing of your data violates applicable law, you may also lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es.
9. Communications
Communications and notifications
GALI communicates with the user exclusively through push notifications within the app. These notifications include:
- Reminders to log financial entries.
- Alerts about budget status, such as nearing the limit of a category.
- Personalized suggestions and nudges from the AI agent.
- Service notices, including important updates and app changes.
Push notifications require the user's explicit consent, which is requested at installation or first use. The user may revoke this permission at any time from their device settings. GALI does not send marketing communications by email or SMS.
10. Security
Data security
GALI applies appropriate technical and organizational measures to protect personal data against unauthorized access, loss, destruction, or alteration. These measures include:
- Encryption in transit using HTTPS/TLS for all communication between the app and servers.
- Secure authentication managed by Firebase Authentication, including Google and Apple sign-in support.
- Data storage in MongoDB Atlas with role-based access controls and encryption at rest.
- Restricted access to production data under the principle of least privilege.
- Periodic security reviews of dependencies and code.
In the event of a security breach that may pose a risk to the rights and freedoms of users, GALI will notify the competent supervisory authority within a maximum of 72 hours and, where appropriate, the affected users without undue delay.
11. Minors
Minors
GALI is intended for people over 16 years of age. We do not knowingly collect data from children under 16. In Spain, Article 7 of the LOPDGDD sets 14 as the minimum age for consent to data processing; GALI has adopted a more conservative threshold of 16 in line with recommendations from the European Data Protection Board.
If you become aware that a child under 16 has provided us with personal data, please notify us at galifinancialapp@gmail.com so that we can proceed with its immediate deletion.
13. Changes
Changes to this policy
GALI may update this Privacy Policy at any time to reflect changes in the service, applicable law, or our data processing practices. When we make material changes, we will notify you through a push notification in the app or through a prominent notice when opening the application before the changes take effect. The date of the latest update will always be shown at the beginning of this document.
Continued use of the app after publication of the changes implies acceptance of the new version of the policy.
14. Contact
Contact
If you have any question, concern, or request related to this Privacy Policy or the processing of your personal data, you can contact us through:
| Field | Details |
|---|---|
| Email | galifinancialapp@gmail.com |
| Suggested subject | "Privacy – [your request]" |
| Response time | Maximum 30 calendar days from receipt of your request |
GALI · Privacy Policy v1.0 · Madrid, Spain · April 2026 · galifinancialapp@gmail.com
15. Gali for Advisors
Additional privacy terms for Gali for Advisors
Gali for Advisors is a service designed to help advisors manage client relationships, view authorised financial information, store documents, create reports, and use planning tools such as calendar features.
Google API compliance
Google Workspace API Limited Use statement
The use and transfer of raw or derived user data received from Google Workspace APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
For Google Calendar connections in Gali for Advisors, we use Google user data only to provide and support the calendar sync features requested by the advisor inside the product.
We do not use Google Calendar data obtained through these APIs to develop, improve, or train generalised artificial intelligence or machine learning models.
Information we collect
Depending on how the service is used, we may collect and process the following categories of personal information:
Account information
When an advisor creates or uses an account, we may process information such as name, email address, login details, language settings, time preferences, and other account-related settings.
Client relationship information
When an advisor is connected to a client through the Gali ecosystem, we may process information needed to show that relationship inside the advisor portal, including permission level, connection status, and related financial information the client has authorised for advisor access.
Documents and files
If an advisor uploads documents or files for a client, we process the file itself together with related information such as file name, type, size, upload date, and download information.
Calendar and planning information
If an advisor creates reminders, meetings, follow-ups, notes, or other calendar entries, we process the information included in those entries. If the advisor chooses to connect an external calendar, we may also display calendar information from that connected service.
Reports and usage information
We may process report names, export settings, and product usage information that helps us provide the service, maintain security, and understand how the advisor portal is used.
Security and verification information
We process information needed to verify accounts, manage password resets, prevent abuse, and protect the service, such as verification codes, login session information, and other technical security records.
How we use information
To provide the service
We use information to create accounts, sign users in, show dashboards, manage advisor-client relationships, generate reports, store files, and support the normal operation of Gali for Advisors.
To protect accounts and the platform
We use information to verify identity, prevent unauthorised access, manage password recovery, detect misuse, and keep the platform secure.
To support optional features
If an advisor chooses to use optional features, such as a calendar connection or analytics preferences, we use information to enable and manage those features.
To improve and maintain the product
Where permitted, we use limited product usage information to understand how the service is performing, fix issues, and improve the user experience.
Legal bases for processing
If the General Data Protection Regulation applies, we process personal information on one or more of the following legal bases:
Performance of a contract
Most processing is necessary to provide Gali for Advisors and the features an advisor asks us to provide.
Legitimate interests
We may process information where necessary for security, fraud prevention, service reliability, internal administration, and similar legitimate business needs, provided those interests are not overridden by individual rights.
Consent
Where required, we rely on consent, for example for optional analytics or optional third-party integrations. Consent can be withdrawn at any time for future processing.
Legal obligations
We may process information where necessary to comply with applicable law, lawful requests, or regulatory obligations.
How we share information
We do not sell personal information. We may share information only where it is necessary to operate the service or comply with law.
Service providers
We may share information with trusted providers that help us run the service, such as providers for authentication, hosting, storage, email delivery, customer communications, analytics, and technical infrastructure.
Connected services chosen by the user
If an advisor chooses to connect a third-party service, we may share and receive information as needed to provide that connection.
Legal and compliance reasons
We may disclose information where necessary to comply with law, enforce our terms, protect rights, or respond to lawful requests from public authorities.
Analytics and device storage
We may use cookies, local storage, session storage, and similar technologies to keep users signed in, remember preferences, support core product features, and improve the service.
Where analytics is optional, we ask for the user's choice before using it. Users can change that choice later inside the service where the option is available.
Data retention
We keep personal information for as long as reasonably necessary for the purposes described in this policy, unless a longer retention period is required or permitted by law.
Account data
We keep account and profile information for as long as needed to provide the service and manage the account, and for a limited period after that where necessary for security, legal, or record-keeping reasons.
Verification and password reset data
Verification and password reset codes are kept only for a short period and are designed to expire automatically.
Client files after a disconnection
If an advisor-client connection ends, certain stored files may remain recoverable for a short grace period of up to 14 days before they are scheduled for deletion.
Reports, calendar entries, and related records
We keep reports, calendar information, and similar records for as long as needed to provide the relevant feature, unless they are deleted earlier or a longer retention period is required by law.
International transfers
We and our service providers may process personal information in countries other than the country where the user is located.
Where required, we take appropriate steps to protect personal information when it is transferred internationally.
Security
We use technical and organisational measures designed to protect personal information against unauthorised access, loss, misuse, or alteration.
However, no system can be guaranteed to be completely secure.
Your rights
Depending on the laws that apply to you, you may have the right to request access to your personal information, request correction or deletion, object to certain processing, request restriction of processing, withdraw consent, or request portability of certain information.
To exercise these rights, contact us at [insert privacy email]. You may also have the right to lodge a complaint with your local data protection authority.
Changes and contact
We may update this Privacy Policy from time to time. When we do, we will update the date at the top of the page.
If you have questions about this Privacy Policy or our privacy practices, contact us at [insert privacy email].