Effective date: 28 May 2026
Version: 1.0
This Privacy Policy explains how Wizz! comms., a company incorporated in Ireland with registered office in Castlerea, Co. Roscommon (the "Controller", "we"), processes personal data when you use the MeJu service ("Service"). It also serves as the Data Processing Addendum (DPA) for users who require one.
This policy meets the disclosure obligations of Articles 13 and 14 GDPR and Articles 9 and 18 LGPD.
1. Controller and DPO
- Controller: Wizz! comms., Castlerea, Co. Roscommon, Ireland.
- Data Protection Officer: dpo@wizzcomms.com.
- General contact: support@wizzcomms.com.
2. Legal bases
We process personal data under the following legal bases, mapped by purpose.
| Purpose | GDPR (Art. 6) | LGPD (Art. 7) |
|---|---|---|
| Account creation, workspace operation, support | Contract performance (b) | Execution of contract (V) |
| Payment processing, invoices, subscription billing | Contract performance (b); Legal obligation (c) | Execution of contract (V); Compliance with legal obligation (II) |
| Tax, accounting, audit records | Legal obligation (c) | Compliance with legal obligation (II) |
| Security, fraud prevention, abuse investigation | Legitimate interest (f) | Legitimate interest (IX) |
| Product improvement, aggregated analytics | Legitimate interest (f); Consent (a) where consent applies | Legitimate interest (IX); Consent (I) where consent applies |
| Non-essential cookies, marketing communications | Consent (a) | Consent (I) |
| AI-generated suggestions (daily tip, monthly summary, panorama, category suggestion) | Legitimate interest (f), with explicit in-app opt-out | Legitimate interest (IX), with explicit in-app opt-out |
You may withdraw any consent at any time without affecting the lawfulness of prior processing.
3. Categories of data we process
- Identification: name (if provided), email address.
- Authentication: hashed password, magic-link tokens, session cookies.
- Financial (structured records): transaction records, categories, recurring invoices, investment positions, budgets and goals that you create or import into your workspace.
- Billing: plan, currency, billing period, last four digits of card and brand (Stripe tokenises full card data; we never receive or store it).
- Technical: IP address, user agent, device type, language, page views, basic event metadata.
- Support: content of any message you send us.
4. Data we do NOT collect
This is part of how MeJu protects your privacy by design:
- Original PDF or CSV statements you upload are not stored. They are parsed in memory, the structured records are saved, and the original file is discarded.
- We do not collect biometric data.
- We do not collect special category data (Art. 9 GDPR).
- We do not collect children's data (the Service is not directed at people under 18).
5. How we use your data
- to operate and secure the Service;
- to authenticate you and protect your account;
- to process payments and invoices;
- to send transactional emails (verification, payment receipts, trial reminders, security notices);
- to investigate incidents and prevent abuse;
- to comply with legal obligations;
- (with your consent) to send product news.
We never sell your personal data. We never use your financial records to train AI models.
6. Artificial Intelligence
We use the OpenAI API to generate aggregated financial suggestions inside the Service: the daily tip, the monthly summary, the panorama report, the observation of out-of-pattern spends and category suggestions.
Model. The current model is gpt-4o-mini, operated by OpenAI, L.L.C. in the United States. We may change the model to a comparable OpenAI model with the same retention and privacy posture; the current model is always disclosed in the in-app Settings > Plan > Artificial Intelligence screen.
What is sent. Before the call, we aggregate your data into an anonymised snapshot containing only:
- percentage variations between months and categories;
- balance status (positive, neutral, negative);
- day of the week and current day of the month;
- account language (pt or en) and currency (BRL or EUR);
- category labels you defined (e.g. "groceries", "transport");
- for the category-suggestion feature, the transaction description, truncated to 80 characters, only after a local heuristic match fails.
What is NEVER sent.
- no full name, no email address, no User identifier, no Account identifier;
- no transaction description for the daily tip, summary, panorama or anomaly features;
- no absolute monetary amount (only percentages and signs);
- no bank account number, no card data, no IBAN;
- no original PDF or CSV statement.
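The snapshot rules above, written out as an added Python illustration (this is not code from Wizz! comms. or the MeJu service): the aggregation keeps only percentage variations, a balance sign, calendar position, language, currency and category labels; the transaction description leaves the device only for category suggestion, truncated to 80 characters, and only after the local heuristic fails; a final guard refuses any payload that carries an identifier-like key or a raw monetary value. The sample transactions, the keyword rules and the field names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

MAX_DESCRIPTION_CHARS = 80  # truncation limit stated in section 6


@dataclass(frozen=True)
class Transaction:
    day: date
    category: str
    amount: Decimal   # negative = spend, positive = income; stays local, never sent
    description: str  # free text from the statement; stays local except in category suggestion


# Constructed sample workspace: two months of records (not real data).
SAMPLE_TRANSACTIONS = [
    Transaction(date(2026, 4, 3), "salary", Decimal("1000"), "ACME PAYROLL"),
    Transaction(date(2026, 4, 10), "groceries", Decimal("-200"), "LIDL DUBLIN"),
    Transaction(date(2026, 4, 12), "transport", Decimal("-50"), "UBER TRIP"),
    Transaction(date(2026, 5, 3), "salary", Decimal("1000"), "ACME PAYROLL"),
    Transaction(date(2026, 5, 9), "groceries", Decimal("-250"), "LIDL DUBLIN"),
    Transaction(date(2026, 5, 20), "transport", Decimal("-40"), "UBER TRIP"),
]
SAMPLE_TODAY = date(2026, 5, 28)

# Constructed stand-in for the local heuristic matcher (assumed keyword rules).
LOCAL_RULES = {"lidl": "groceries", "uber": "transport", "payroll": "salary"}


def local_category(description: str):
    """Return a category from the local keyword rules, or None when nothing matches."""
    lowered = description.lower()
    for keyword, category in LOCAL_RULES.items():
        if keyword in lowered:
            return category
    return None


def pct_change(previous: Decimal, current: Decimal):
    """Percentage variation between two totals; None when there is no baseline."""
    if previous == 0:
        return None
    return round(float((current - previous) / abs(previous) * 100), 1)


def spend_by_category(txs, year: int, month: int):
    """Absolute spend per category for one month (kept local, used only to derive percentages)."""
    totals = {}
    for t in txs:
        if t.day.year == year and t.day.month == month and t.amount < 0:
            totals[t.category] = totals.get(t.category, Decimal(0)) - t.amount
    return totals


def build_snapshot(txs, today: date, language: str, currency: str):
    """Aggregate local records into the minimised snapshot: percentages, a sign and labels only."""
    prev_year, prev_month = (today.year - 1, 12) if today.month == 1 else (today.year, today.month - 1)
    current = spend_by_category(txs, today.year, today.month)
    previous = spend_by_category(txs, prev_year, prev_month)
    balance = sum((t.amount for t in txs
                   if (t.day.year, t.day.month) == (today.year, today.month)), Decimal(0))
    status = "positive" if balance > 0 else "negative" if balance < 0 else "neutral"
    return {
        "variation_pct_by_category": {
            c: pct_change(previous.get(c, Decimal(0)), current.get(c, Decimal(0)))
            for c in sorted(set(current) | set(previous))
        },
        "total_spend_variation_pct": pct_change(sum(previous.values(), Decimal(0)),
                                                sum(current.values(), Decimal(0))),
        "balance_status": status,
        "weekday": today.strftime("%A"),
        "day_of_month": today.day,
        "language": language,
        "currency": currency,
        "categories": sorted({t.category for t in txs}),
    }


def category_suggestion_payload(description: str):
    """The truncated description is sent only when the local heuristic finds no category."""
    if local_category(description) is not None:
        return None
    return {"description": description[:MAX_DESCRIPTION_CHARS]}


# Key fragments that would indicate an identifier or raw record slipped into the payload.
FORBIDDEN_KEY_FRAGMENTS = ("name", "email", "user", "account", "iban", "card", "amount", "description")


def is_minimised(snapshot: dict) -> bool:
    """Guard run before any API call: reject identifier-like keys and raw Decimal money values."""
    for key, value in snapshot.items():
        if any(frag in key.lower() for frag in FORBIDDEN_KEY_FRAGMENTS):
            return False
        if isinstance(value, Decimal):
            return False
        if isinstance(value, dict) and not is_minimised(value):
            return False
    return True


def build_sample_snapshot():
    return build_snapshot(SAMPLE_TRANSACTIONS, SAMPLE_TODAY, "pt", "BRL")


if __name__ == "__main__":
    snap = build_sample_snapshot()
    assert is_minimised(snap)
    print(snap)
```

The guard is deliberately separate from the builder so that a future field added to the snapshot has to pass the same check; note that `is_minimised` is only a key-and-type check on the outgoing payload, not a substitute for keeping the raw records out of the snapshot in the first place.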
Country of processing. United States.
Safeguards. Transfer is governed by the European Commission's Standard Contractual Clauses (SCCs) 2021/914 and OpenAI's Data Processing Addendum. Zero data retention is contractually enabled at our OpenAI organisation level: prompts and completions are not persisted, are not used for training, are not reviewed by humans, and are not used to improve any model.
Output is informational. AI output may be inaccurate, incomplete or outdated. It is informational only and is not financial, tax, accounting, investment or legal advice. You remain solely responsible for any decision you make based on AI output.
Opt-out. You can switch AI off at any time under Settings > Plan > Artificial Intelligence. When off, no snapshot is built and no call to OpenAI is made for your account. Existing AI suggestions stored in your account stay until you delete them or close the account.
7. Subprocessors
We rely on the following subprocessors to operate the Service. Each is bound by a data processing agreement and appropriate safeguards.
| Subprocessor | Purpose | Location | Safeguards |
|---|---|---|---|
| Supabase | Database, authentication, object storage | EU region | Intra-EEA |
| Stripe Payments Europe Ltd | Payments, subscriptions, customer portal | Ireland (EU) | Intra-EEA |
| Resend | Transactional email | United States | Standard Contractual Clauses |
| Vercel | Hosting, CDN, build | EU region (fra1, Frankfurt) | Intra-EEA, EU data residency |
| Google Analytics | Anonymous traffic analytics | United States | Standard Contractual Clauses, IP anonymisation, consent gated |
| OpenAI Inc. | Generation of aggregated financial suggestions (daily tip, monthly summary, observation of out-of-pattern spends, category suggestion) | United States | Standard Contractual Clauses 2021/914, aggregated non-personal snapshots, zero retention contracted, no training |
We update this list at https://meju.wizzcomms.com/legal/privacy whenever it changes.
8. International transfers
- EU/EEA → United States (Resend, Google Analytics, OpenAI): transferred under the European Commission's Standard Contractual Clauses (SCCs) 2021/914, with additional technical measures (TLS 1.3 in transit, contractual zero retention at OpenAI, IP anonymisation at Google Analytics). You may request a copy of these clauses by writing to dpo@wizzcomms.com.
- Brazil → European Union (Supabase, Stripe Europe, Vercel EU): transferred under LGPD Art. 33, II (cross-border transfer to a country that offers an adequate level of personal data protection, as recognised by the European Commission's adequacy framework and pending an ANPD adequacy decision) or, in the alternative, Art. 33, IX (specific consent of the data subject when applicable to a given operation).
- Brazil → United States (Resend, Google Analytics, OpenAI): transferred under LGPD Art. 33, II in combination with Standard Contractual Clauses signed with each subprocessor, with the additional safeguards described in section 6 for OpenAI.
9. Retention
Retention is set by category, not by account.
| Category | Retention period | Trigger of deletion |
|---|---|---|
| Account profile (name, email, password hash) | Active account | 30 days after account closure |
| Financial records (transactions, categories, budgets, goals, recurring) | Active account | 30 days after account closure |
| AI snapshots and AI outputs (daily tip, summary, panorama) | Active account | 30 days after account closure or immediately on AI opt-out |
| Backups | 30 days | Rolling deletion in normal rotation |
| Technical and security logs | 90 days | Rolling deletion |
| Email verification and magic-link tokens | 15 minutes | Automatic expiry |
| Rate-limit counters | 24 hours | Automatic expiry |
| Billing data, invoices, tax records | 5 years (Irish accounting and tax obligation) | 5-year statutory retention from issuance |
| Consent records (cookies, AI, marketing) | 5 years or until withdrawal + 1 year | Statutory limitation period |
After deletion, residual references may remain in offline backups until the backup rotation completes; restoring a backup never reinstates a deleted account, only operational data of active accounts.
10. Your rights
You have the right to:
- access your personal data;
- correct inaccurate or incomplete data;
- delete your data (right to erasure / right to be forgotten);
- restrict or object to processing;
- portability (receive your data in a structured, machine-readable format);
- withdraw consent at any time, without affecting prior lawful processing;
- not be subject to decisions based solely on automated processing that produces legal or similarly significant effects on you (we do not make such decisions; AI suggestions are informational and you remain the decision-maker);
- lodge a complaint with a supervisory authority.
How to exercise your rights.
| Right | In-app path | Or by email |
|---|---|---|
| Access and portability | Settings > Plan > Export data (CSV/JSON of your workspace) | dpo@wizzcomms.com |
| Correction | Edit any record directly inside the workspace | dpo@wizzcomms.com |
| Erasure | Settings > Plan > Close account | dpo@wizzcomms.com |
| Restrict or object | dpo@wizzcomms.com | — |
| Withdraw AI consent | Settings > Plan > Artificial Intelligence (toggle off) | dpo@wizzcomms.com |
| Withdraw cookie consent | "Cookie settings" link in the footer | — |
| Withdraw marketing consent | unsubscribe link in any email | support@wizzcomms.com |
We respond to any rights request within 30 days. If we need an extension (complex requests, GDPR Art. 12(3)), we tell you within the first 30 days. There is no charge unless the request is manifestly unfounded or excessive.
11. Supervisory authorities
- European Union: Data Protection Commission (DPC) Ireland, www.dataprotection.ie.
- Brazil: Autoridade Nacional de Proteção de Dados (ANPD), www.gov.br/anpd.
You may complain to either authority depending on where you live.
12. Security
We apply organisational and technical measures including:
- row-level security per workspace in the database;
- encryption at rest (Supabase managed) and TLS 1.3 in transit;
- secrets stored only as environment variables;
- access to production limited to authorised personnel under least privilege;
- regular dependency and configuration audits.
If a personal data breach poses a risk to your rights, we notify the supervisory authority within 72 hours under GDPR Art. 33 and you under Art. 34 where required.
13. Cookies
See our Cookies Policy at /legal/cookies for full details, categories and the cookie banner controls.
14. Children
The Service is not directed at and may not be used by people under 18.
15. Changes to this policy
We may update this policy. Material changes are notified by email at least 30 days before they take effect and appear with a new version number and effective date.
16. Contact
- General: support@wizzcomms.com
- Data protection: dpo@wizzcomms.com
Wizz! comms., Castlerea, Co. Roscommon, Ireland.