Privacy Policy
Last updated: 12 July 2026
1. Who we are
Taupi ("Taupi", "we", "us") is a personal finance management service for residents of Latvia. For the purposes of the EU General Data Protection Regulation (GDPR), the data controller is:
| Legal entity | [Legal entity name — to be registered] |
|---|---|
| Registration No. | [Registration number — pending] |
| Registered address | [Registered address — pending], Latvia |
| Privacy contact | privacy@taupi.app |
2. What data we collect
2.1 Account data
- Email address and password (stored as a bcrypt hash, never in plain text)
- Display preferences: language (Latvian/Russian/English), currency
- Email verification and password-reset tokens (short-lived)
2.2 Financial data you provide
- Bank statement files you upload (FiDAViSta XML or CSV) and the transactions parsed from them
- Account details you enter: account name, type, currency, and IBAN (masked in the app, e.g.
LV80****5001) - Categories, tags, and notes you add to transactions
2.3 Data we generate
- Category suggestions and confidence scores produced by our AI categorization
- A one-way fingerprint of each transaction, used only to detect duplicate imports
- Security audit events (login attempts, password changes, data exports, account deletion) — kept for fraud prevention and retained in anonymized form after account deletion
We do not knowingly collect data from children, and Taupi is not directed at individuals under 16.
3. How we use your data
- To provide the service: parsing statements, tracking balances, categorizing transactions, generating exports
- To secure your account: authentication, fraud and abuse prevention
- To communicate with you: email verification, password resets, service notices
- To improve categorization accuracy based on the corrections you make
We do not use your financial data for advertising, and we do not sell your data to third parties.
4. Legal basis for processing
- Performance of a contract — processing needed to provide the account, import, categorization, and export features you request
- Legitimate interest — security monitoring, fraud prevention, and service reliability
- Consent — where required, such as optional product communications (you can withdraw consent at any time)
5. AI categorization and data minimization
Before any transaction data is sent to our AI categorization provider (DeepSeek), it passes through a sanitization pipeline that strips IBANs, card numbers, email addresses, phone numbers, and personal ID numbers, and removes legal-entity prefixes from merchant names (e.g. "SIA", "AS"). Only cleaned merchant names and non-identifying transaction metadata are sent for categorization — never your raw bank statement data.
6. Who we share data with
We use the following categories of sub-processors to operate Taupi:
| AI provider (DeepSeek) | AI-powered transaction categorization, using sanitized data only (see Section 5; international transfer safeguards in Section 7 apply) |
|---|---|
| Email delivery provider (Brevo) | Sending verification, password-reset, and account emails (EU-based, France) |
| Hosting provider | Application hosting and database storage (EU data center) |
| File storage | Temporary storage of generated export files (PDF/CSV/Excel), automatically deleted after 24 hours |
We do not share your data with data brokers, advertisers, or any party for marketing purposes.
7. International data transfers
Our AI categorization provider (DeepSeek) is based outside the European Economic Area, in China. Where data leaves the EEA, we rely on the European Commission's Standard Contractual Clauses (or an equivalent transfer mechanism) to protect it, and only sanitized, non-identifying data is transferred as described in Section 5 — never raw bank statements, names, account numbers, or any other personal identifiers.
8. Data retention
- Account and financial data is kept for as long as your account is active
- Generated export files are automatically deleted 24 hours after creation
- When you delete your account, your transactions, accounts, imports, and exports are permanently removed; security audit logs are anonymized rather than deleted, for fraud-prevention record-keeping
9. Your rights
Under the GDPR, you have the right to:
- Access your data — request a full export of your account, transactions, accounts, and categories from Settings → Security → Export My Data in the app
- Rectify inaccurate data — edit your profile, transactions, and categories directly in the app
- Erase your data — permanently delete your account from Settings → Security → Delete Account
- Restrict or object to processing, and withdraw consent where processing is based on it
- Data portability — your data export is provided in a structured, machine-readable format
- Lodge a complaint with the Data State Inspectorate of Latvia (www.dvi.gov.lv) or your local supervisory authority
To exercise any right not available directly in the app, contact us at privacy@taupi.app.
10. Security measures
- Passwords hashed with bcrypt; sessions authenticated with short-lived JWT access tokens
- All traffic encrypted in transit (TLS)
- IBANs and card numbers masked in every API response and screen
- Rate limiting and structured audit logging on all authenticated endpoints
- PII sanitization pipeline applied before any data reaches a third-party AI provider
11. Cookies and local storage
The Taupi web app stores your authentication tokens in your browser's local storage so you stay signed in. We do not use third-party advertising or analytics trackers.
12. Changes to this policy
We may update this policy as the service evolves. Material changes will be announced in the app or by email before they take effect.
13. Contact
Questions about this policy or your data:
privacy@taupi.app