1. Introduction
Bibiis ("we", "us", or "our") is a personal finance management platform operated by NVP Tech Srls, a company registered in Italy. Bibiis provides account aggregation, budgeting, financial analytics, and AI-powered financial coaching services through our mobile application and web platform at bibiis.ch.
This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use our services. We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR), the revised Payment Services Directive (PSD2), and all applicable data protection laws.
By using Bibiis, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our services.
2. Data Controller
The data controller responsible for your personal data is:
NVP Tech Srls
Email: privacy@bibiis.ch
Website: bibiis.ch
If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at the email address above.
3. Data We Collect
We collect and process the following categories of personal data:
3.1 Account Information
When you register for Bibiis, we collect:
- Name: your full name as provided during registration
- Email address: used for account authentication and communications
- Password: stored in hashed form; we never store plain-text passwords
- Preferred currency and language: to personalize your experience
3.2 Financial Data
When you connect your bank accounts through our open banking integration, we access:
- Account details: account names, types, balances, and IBAN/identifiers
- Transaction history: transaction amounts, dates, descriptions, merchant information, and categories
- Account holder information: as provided by your bank through the open banking API
Financial data is accessed through licensed Account Information Service Providers (AISPs) in compliance with PSD2 regulations. We only access your data with your explicit consent, and you can revoke access at any time.
3.3 Usage Data
We automatically collect certain technical and usage information:
- Device information: device type, operating system, and app version
- Log data: access times, features used, and interaction patterns
- Analytics data: aggregated usage statistics to improve our services
3.4 AI Interaction Data
When you use our AI-powered financial coaching features, we process:
- Chat messages: your questions and conversations with our AI assistant
- Financial context: relevant financial data used to generate personalized insights
4. How We Use Your Data
We process your personal data for the following purposes:
- Service delivery: to provide account aggregation, budgeting, net worth tracking, and financial analytics
- AI-powered insights: to generate personalized financial coaching, spending predictions, and recommendations
- Transaction processing: to categorize, normalize, and analyze your transactions for budgeting and reporting
- Security: to detect fraud, prevent unauthorized access, and ensure the integrity of your account
- Communications: to send you service-related notifications, updates, and support responses
- Service improvement: to analyze usage patterns and improve our platform features and performance
- Legal compliance: to meet our regulatory obligations under GDPR, PSD2, and applicable financial regulations
5. Legal Basis for Processing
We process your personal data based on the following legal grounds under Article 6 of the GDPR:
- Consent (Art. 6(1)(a)): for connecting bank accounts via open banking and for AI-powered financial coaching features. You may withdraw consent at any time
- Contract performance (Art. 6(1)(b)): to provide the services you have requested, including account management, budgeting, and financial analytics
- Legitimate interest (Art. 6(1)(f)): for service improvement, security measures, and fraud prevention, except where your interests or fundamental rights and freedoms override those interests
- Legal obligation (Art. 6(1)(c)): to comply with applicable laws and regulations, including financial services regulations
6. Third-Party Service Providers
We work with carefully selected third-party providers to deliver our services. These providers process data on our behalf under strict contractual obligations:
6.1 Open Banking Providers
We use licensed Account Information Service Providers (AISPs) such as Tink and/or Salt Edge to securely connect to your bank accounts. These providers are regulated under PSD2 and access your financial data only with your explicit consent. They act as data processors and are contractually bound to process your data solely for the purpose of providing account information services to Bibiis.
6.2 Cloud Infrastructure
We use Supabase for our backend infrastructure, including database hosting and authentication services. Data is stored in secure, GDPR-compliant data centers within the European Economic Area (EEA).
6.3 AI Services
We use OpenAI to power our AI financial coaching features. When you interact with our AI assistant, relevant financial context may be sent to OpenAI's API to generate responses. We minimize the data shared and do not send account credentials, bank login details, or other authentication data. OpenAI processes this data as a data processor under our instructions and does not use it to train its models. Any transfer of this data outside the EEA is covered by the safeguards described under Data Sharing and Transfers below.
6.4 Analytics
We may use analytics services to understand how users interact with our platform. Any analytics data is aggregated and anonymized where possible.
7. Data Sharing and Transfers
We do not sell, rent, or trade your personal data to third parties for marketing purposes.
We may share your data in the following limited circumstances:
- Service providers: with the third-party providers described in Section 6, acting as data processors under our instructions
- Legal requirements: when required by law, regulation, or valid legal process
- Safety and security: to protect the rights, safety, and property of Bibiis, our users, or the public
- Business transfers: in connection with a merger, acquisition, or sale of assets, with prior notice to affected users
Where data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or adequacy decisions.
8. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes described in this policy:
- Account data: retained for the duration of your account and deleted within 30 days of account closure
- Financial data: transaction data is retained while your account is active and for up to 12 months after disconnecting a bank account, unless longer retention is required by law
- AI interaction data: chat history is retained while your account is active and deleted upon account closure
- Usage and analytics data: retained in anonymized form for up to 24 months for service improvement purposes
You may request earlier deletion of your data at any time by contacting us at privacy@bibiis.ch.
9. Data Security
We implement technical and organizational measures to protect your personal data, including:
- Encryption of data in transit (TLS) and at rest
- Secure authentication with hashed passwords and support for multi-factor authentication
- Regular security assessments and monitoring
- Access controls ensuring that only authorized personnel can access personal data
- Secure API communications with our banking and AI service providers
While we take every reasonable precaution, no system is completely secure. We encourage you to use a strong, unique password, to enable multi-factor authentication, and to contact us immediately at privacy@bibiis.ch if you suspect unauthorized access to your account.
10. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights:
- Right of access (Art. 15): request a copy of the personal data we hold about you
- Right to rectification (Art. 16): request correction of inaccurate or incomplete data
- Right to erasure (Art. 17): request deletion of your personal data ("right to be forgotten")
- Right to restrict processing (Art. 18): request limitation of how we process your data
- Right to data portability (Art. 20): receive your data in a structured, machine-readable format
- Right to object (Art. 21): object to processing based on legitimate interests
- Right to withdraw consent: withdraw consent at any time for processing based on consent, without affecting the lawfulness of prior processing
To exercise any of these rights, please contact us at privacy@bibiis.ch. We will respond to your request within one month, as required by Article 12 of the GDPR.
You also have the right to lodge a complaint with your local data protection authority. In Italy, this is the Garante per la protezione dei dati personali.
11. Open Banking and PSD2 Compliance
Bibiis accesses your bank account data through licensed AISPs regulated under the revised Payment Services Directive (PSD2). Key principles of our open banking practices:
- Explicit consent: We only access your financial data after you provide explicit, informed consent through a secure authentication process with your bank
- Limited access: We access only account information (balances and transactions). We cannot initiate payments or modify your accounts
- Revocable access: You can disconnect any linked bank account at any time through the Bibiis app; this immediately revokes our access to new data from that account. Data already collected is handled as described under Data Retention above
- Regulated providers: Our AISP partners are licensed and supervised by the relevant financial authorities and comply with PSD2 requirements, including the strong customer authentication (SCA) your bank applies when you grant access
12. Cookies and Tracking Technologies
Our website (bibiis.ch) may use essential cookies to ensure proper functionality. We do not use advertising or tracking cookies. If we introduce non-essential cookies in the future, we will update this policy and obtain your consent before placing them.
13. Children's Privacy
Bibiis is designed for users aged 18 and older. We do not knowingly collect personal data from children under 18. If we become aware that we have collected data from a minor, we will take steps to delete it promptly.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable laws. We will notify you of material changes through the app or by email. The "Last updated" date at the top of this policy indicates when it was last revised.
We encourage you to review this Privacy Policy periodically.
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
NVP Tech Srls
Email: privacy@bibiis.ch
Website: bibiis.ch