clesaro

Privacy Policy

Last updated: May 2026

This policy applies to all users of Clesaro and is compliant with the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) and the EU General Data Protection Regulation (GDPR) 2016/679.

1. Data Controller

Clesaro is the data controller responsible for your personal data. For all privacy matters, contact us at privacy@clesaro.com. We will acknowledge your request within 5 business days and respond fully within 30 days as required by UAE PDPL Article 14 and GDPR Article 12.

2. Legal Basis for Processing

We process your personal data on the following legal bases:

  • Contractual necessity — processing required to deliver the Clesaro service you have signed up for (GDPR Art. 6(1)(b), UAE PDPL Art. 4)
  • Consent — processing based on your explicit consent given at registration, which you may withdraw at any time (GDPR Art. 6(1)(a), UAE PDPL Art. 4)
  • Legitimate interests — processing necessary for security, fraud prevention, and service improvement, where your interests do not override ours (GDPR Art. 6(1)(f))

3. Personal Data We Collect

We collect and process the following categories of personal data:

  • Identity data — first name, email address
  • Financial data — monthly income (optional), debt status, financial goals, manually entered transactions
  • Derived data — financial health scores calculated from your inputs
  • Technical data — session tokens, IP address, browser type (for security purposes only)
  • Usage data — features used, pages visited within the app

We do not collect sensitive personal data as defined under UAE PDPL Article 1 or GDPR Article 9 (health, biometric, racial, religious data). Financial data you voluntarily enter is treated with equivalent care.

4. Purpose Limitation

Your data is collected for specific, explicit, and legitimate purposes and will not be processed in a manner incompatible with those purposes (UAE PDPL Art. 3, GDPR Art. 5(1)(b)):

  • Calculating and displaying your financial health score
  • Generating personalised financial insights and recommendations
  • Sending in-app notifications about your financial progress
  • Budget tracking and spending analysis
  • Account security and fraud prevention

We do not sell your data. We do not use your data for advertising. We do not share your data with third parties for marketing purposes.

5. Data Minimisation

We only collect data that is necessary for the purposes stated above (UAE PDPL Art. 3, GDPR Art. 5(1)(c)). Income and other financial data are optional — you may choose not to share them, though this will limit the accuracy of your financial health score.

6. Data Storage and Location

Your data is stored on Microsoft Azure servers located in UAE North (Dubai). This ensures compliance with UAE PDPL data residency requirements. We do not transfer your personal data outside the UAE without implementing appropriate safeguards as required by UAE PDPL Article 22 and GDPR Chapter V.

7. Security Measures

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction (UAE PDPL Art. 16, GDPR Art. 32):

  • Passwords hashed using bcrypt with cost factor 12 — never stored in plain text
  • All data transmitted over HTTPS using TLS 1.2 or higher
  • Database access restricted by IP-based firewall rules
  • Sessions managed using signed, httpOnly, secure cookies
  • Email verification required before account activation
  • Database encrypted at rest using AES-256

8. Data Retention

We retain your personal data only for as long as your account is active or as needed to provide you with our services (UAE PDPL Art. 13, GDPR Art. 5(1)(e)). Upon account deletion, all personal data is permanently and irreversibly deleted within 30 days. Anonymised, non-identifiable aggregate data may be retained indefinitely for statistical analysis.

9. Your Rights

You have the following rights under UAE PDPL and GDPR. To exercise any right, contact privacy@clesaro.com:

  • Right of access (Art. 9 PDPL / Art. 15 GDPR) — request a copy of all personal data we hold about you
  • Right to rectification (Art. 10 PDPL / Art. 16 GDPR) — request correction of inaccurate or incomplete data
  • Right to erasure (Art. 11 PDPL / Art. 17 GDPR) — request permanent deletion of your data and account
  • Right to data portability (Art. 12 PDPL / Art. 20 GDPR) — request your data in a structured, machine-readable format
  • Right to withdraw consent (Art. 4 PDPL / Art. 7 GDPR) — withdraw consent at any time without affecting prior processing
  • Right to object (Art. 17 GDPR) — object to processing based on legitimate interests
  • Right to restriction (Art. 18 GDPR) — request restriction of processing in certain circumstances

We will respond to all requests within 30 days. If you are an EU resident and believe your rights have not been respected, you have the right to lodge a complaint with your local supervisory authority.

10. Cookies

Clesaro uses a single essential session cookie to maintain your authenticated session. This cookie is httpOnly, secure, and strictly necessary for the service to function. We do not use tracking cookies, analytics cookies, or third-party advertising cookies. No cookie consent banner is required as we only use strictly necessary cookies.

11. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Art. 33) and will notify affected users without undue delay where the breach is likely to result in a high risk (GDPR Art. 34, UAE PDPL Art. 16).

12. Children

Clesaro is not directed at children under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us immediately at privacy@clesaro.com and we will delete it promptly.

13. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes via email and an in-app notification at least 30 days before they take effect. Continued use of Clesaro after the effective date constitutes acceptance of the updated policy.

14. Contact and Complaints

For any privacy-related questions, requests, or complaints: privacy@clesaro.com. We take all privacy concerns seriously and will respond within 5 business days.