Privacy Policy - Clarity
Last reviewed: January 2026
Introduction
At Clarity, we're building a personal financial management application that makes it easy to manage your money. Clarity, like all financial applications, relies on data to be effective: data is at the heart of what we do, allowing us to make your money work better for you.
Please read this policy carefully to understand our practices regarding information we hold relating to you (known as "personal data"). Under Costa Rica's Personal Data Protection Law (Law 8968) and the European Union's General Data Protection Regulation (GDPR) (if applicable), we have legal obligations regarding how we collect, use, and protect your personal data.
Clarity ("we" or "us" throughout this document) is the data controller of the information that you provide to us or that we collect. "Data controller" refers to a company that collects or stores personal information and decides how and why it is processed.
Important: Our service processes bank statements automatically. Your documents are not manually reviewed by humans; processing is performed through automated systems with secure authentication.
Name and Address of Data Controller
- Clarity
- Contact email: contact@clarity.cr
- Website: https://clarity.cr
If you have any questions about this policy, please contact our customer service team at contact@clarity.cr. If you request that your account be deleted, Clarity will delete all retained information about you within 30 days, except that which is required for fraud detection or any other legitimate business or legal purpose.
Clarity will not directly or indirectly transfer any data for any monetization-related service.
How and Why We Collect Data
In the course of using Clarity, interacting with our websites, or corresponding with the Clarity team, you provide us with or we collect various pieces of personal data.
We collect and use the data outlined below to provide a contracted service to you or to operate and develop our business.
Your personal data will NOT be sold, distributed, or leased to third parties. We only share your personal data in cases where it is necessary for us to provide our service.
We do not collect information about your race, ethnicity, religious or philosophical beliefs, political beliefs, sexual orientation, genetic information, or information about your health.
We will not discriminate against you should you exercise any of the rights described in our privacy policy.
Other Relevant Policies and Terms
This Privacy Policy should be read alongside:
- Clarity Terms and Conditions of Use
- Any other specific policies that may apply to particular services
The Data We Collect
We may collect or you may provide various types of personal information in the course of using Clarity, visiting our website, or interacting with the team.
i) Contact Details
Such as, but not limited to:
- Your name
- Email address
- State of residence (Costa Rica)
- Phone number (optional)
ii) Identity Data
To enable use of the service, we collect:
- Authentication information: OAuth provider used (Google, Microsoft, Apple) or Magic Link method
- Provider ID: For OAuth accounts
- Avatar/Profile image: Optional, from OAuth providers
- Email verification status
Important: We do not store passwords. We use authentication via "Magic Link" (secure one-time use links sent by email) or OAuth. This means there are no passwords that can be compromised.
iii) Financial Data
To provide the Service, we process:
- Bank transactions: Dates, amounts, concepts, reference numbers, transaction types
- Account information: Bank names, account numbers, IBANs, account types (bank account or credit card)
- Bank statements: PDF, XLS, XLSX documents that you send or upload
- Categories and tags: That you assign to transactions
- Financial goals: Objectives and projections that you establish
- Notes and comments: Additional information that you add to transactions
- Currency conversions: Exchange rates used to convert between colones (CRC) and dollars (USD)
iv) Document Processing Data
When you send bank statements:
- Original documents: Bank statements in PDF, XLS, XLSX format
- Extracted data: Transactions and structured data extracted from documents
- Metadata: Information about processing (date, time, status)
v) Usage Information
To improve the service, we may collect:
- Usage patterns: Which features you use most
- Errors and technical issues: For diagnosis and correction
- Configuration preferences: Language, currency, etc.
Information We Collect About You, Directly or Indirectly
We collect the following personal information from you automatically when you visit our website or use our online service:
- The Internet Protocol (IP) address used to connect your computer or access device to the internet
- Your login information (session tokens, not passwords)
- Your geographic location (general, not specific)
- Your browser information
- Your operating system and device identifier
- Access logs (dates and times of Service use)
You can read more about how we collect cookie data in our Cookies section (below).
Information We Collect or Receive From Other Sources
We may receive the following personal information about you from third-party service providers, in accordance with your legitimate interest:
Automated Analysis Service
- Purpose: Processing of bank statements
- Data shared: Bank statement documents (PDF, XLS, XLSX)
- Data received: Extracted transactions and structured data
- Security: Authentication via secure tokens, isolated processing
OAuth Providers
- Google, Microsoft, Apple: Basic profile information (name, email, avatar) for authentication
- Control: You control what information you share through OAuth
Central Bank of Costa Rica (BCCR)
- Purpose: Obtain official exchange rates
- Data shared: None of your personal or financial data
- Use: Only to query public exchange rates
Email Services (SMTP)
- Purpose: Sending verification emails, notifications, and Magic Links
- Data shared: Email address, name (only for system emails)
- Security: Encrypted connections, secure credentials
Information We Share With Other Sources
Below is a list of the people with whom we share your personal data, the data types, and why we share it.
We require third-party service providers to respect your privacy and the security of your personal data.
Cloud Storage Providers
- Purpose: Secure storage of documents and email processing
- Data shared: Bank statements, processed documents
- Security: Encryption at rest and in transit, compliance with international security standards
Automated Analysis Service
- Purpose: Processing of bank statements
- Data shared: Bank statement documents (PDF, XLS, XLSX)
- Security: Authentication via secure tokens, isolated processing, no human access to documents
OAuth Providers
- Purpose: Authentication (Google, Microsoft, Apple)
- Data shared: Only information necessary for authentication
- Control: You control what information you share through OAuth
Email Services (SMTP)
- Purpose: Sending verification emails and notifications
- Data shared: Email address, name (only for system emails)
- Security: Encrypted connections, secure credentials
Cache and Processing Systems
- Purpose: Caching and background task processing
- Data shared: Structured transaction data (without original documents)
- Security: Authentication and encryption
Legal Requirements
We will only share information if:
- It is required by law or legal process
- It is necessary to protect our legal rights
- It is necessary to prevent fraud or abuse
- You give us explicit consent
IMPORTANT: We NEVER sell, rent, or share your financial data with third parties for marketing or advertising.
How Long Do We Keep Information About You?
When you choose to delete Clarity, we delete all information about you from our database and our backup databases within 30 days, except that which is required for fraud detection or any other legitimate business or legal purpose.
Active Data Retention
We will maintain your data while:
- Your account is active
- We need the data to provide the Service
- We have a legal obligation to retain it
Account Deletion
When you delete your account:
- User data: Deleted immediately or within 30 days
- Transactions: Permanently deleted
- Documents: Deleted from storage
- Logs: Deleted according to log retention policy
Legal Retention
Some data may be retained longer if:
- It is required by law
- It is necessary to resolve disputes
- It is necessary to prevent fraud
Backups
Backups may contain copies of your data for additional periods. Backups are deleted according to their scheduled lifecycle.
The Security of Your Personal Information
We encrypt personal data appropriately and use proper technical and organizational measures across the business.
Technical Security
Authentication and Authorization
- Magic Link Authentication: Secure one-time use links sent by email (no passwords)
- Secure Access Tokens: Session tokens with automatic expiration and periodic renewal
- Service Tokens: API tokens hashed using secure cryptographic algorithms
- Secure OAuth: Integration with verified OAuth providers (Google, Microsoft, Apple)
- No Password Storage: We do not store passwords, completely eliminating the risk of password breaches
Encryption
- Encryption in Transit: All communications use HTTPS/TLS (Transport Layer Security)
- Encryption at Rest: Data stored in databases and cloud storage is encrypted
- Secrets Management: Keys and credentials are managed securely
Infrastructure
- Databases: Encrypted databases with restricted access and security controls
- Cloud Storage: Cloud storage services with automatic encryption at rest
- Cache and Processing Systems: Cache and processing queues with authentication and encryption
- Data Isolation: Each user can only access their own data through strict access controls
All cloud service providers comply with recognized international security standards and are certified in data protection.
Organizational Measures
- Access Control: Only authorized personnel have access to user data
- Audits: We log access and modifications to sensitive data
- Training: The team is trained in data security
- Retention Policies: Data is deleted according to established policies
We have written contracts with each of those third-party processors that contain safeguards for your information.
Your Rights
You have the right to:
1. Request Access to Your Personal Information
(Commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to verify that we are processing it lawfully.
2. Request Correction of Your Personal Information
This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new information you provide to us.
3. Request Erasure of Your Personal Information
This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information when you have exercised your right to object to processing (see below).
4. Object to Processing of Your Personal Information
Where we are relying on a legitimate interest (of our own or of a third party) and there is something about your particular situation which makes you want to object to processing for this reason, as you feel it impacts your fundamental rights and freedoms.
5. Request Restriction of Processing of Your Personal Information
This enables you to ask us to suspend the processing of your personal information in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to delete it; (c) where you need us to hold the data even if we no longer require it, as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have legitimate grounds to use it.
6. Request the Transfer of Your Personal Information
We will provide to you, or a third party you have chosen, your personal information in a structured, commonly used, machine-readable format. Note that this right only applies to automated information that you initially provided consent for us to use or where we used the information to perform a contract with you.
7. Withdraw Consent at Any Time
Where we are relying on consent to process your personal information. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent.
If you wish to exercise any of the rights set out above, please contact us using the contact details above. We aim to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made several requests. In this case, we will notify you and keep you updated.
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Your Right to Lodge a Complaint
If you feel that we have not handled information relating to you properly, or if you have contacted us about how we use that information and are unhappy with our response, you have the right to lodge a complaint with Costa Rica's data protection authority.
For more information on how to lodge a complaint, visit the Costa Rica data protection authority's website or contact us at contact@clarity.cr for more information.
Updates to the Privacy Policy
As things are always changing, we reserve the right to revise or add to this Privacy Policy occasionally. We encourage you to bookmark and review this page periodically to ensure you are familiar with the most recent version.
You can determine when this Privacy Policy was last reviewed by checking the "Last reviewed" date at the top of this Privacy Policy. You will be alerted by email about any major amendments to this Policy.
If we change the Policy and collect more information from you, we will notify you at the time we collect that information about what our policy is at that time.
If you have any questions or comments about the content of this Privacy Policy Notice, please contact us at contact@clarity.cr.
Your trust is a top priority to us and as such we take privacy extremely seriously. This policy applies to the entire Clarity ecosystem. If you do not accept this policy, you may not use the service.
Personal Information
We collect personal information from you (such as name, address, telephone number, email address, etc.) when you complete registration forms, submit comments to the Site, or send us emails. Please do not send personal information via email unless specifically requested.
Use of Your Information
By using this Site, you agree that we may collect, hold, process and use your information (including personal information) for the purpose of providing you with the Site services, developing our business and improving our services, including:
- Personalizing your visits to the Site to improve the services provided to you
- Informing you about the latest changes to the Site, products, services or promotional offers that may interest you
- Notifying you about changes to the Service
- Communicating (and personalizing such communication) with you and personalizing your experience within the application
- For identity verification and fraud mitigation
- Enabling you to share our content with others (for example, using an "Email a friend" or "Share this" functionality)
- Conducting market research
- Carrying out technical and statistical analysis to measure the performance of our services and the Site
- Improving automatic categorization functionality and pattern detection
If you cancel your user account for the Service, we will promptly and securely delete all of the Personal Information we hold about you. However, we reserve the right to retain any Anonymous Data collected.
Sharing Your Information
We may share information about you with suppliers that we engage to help us provide certain services and/or functionality, for example, online payment processing. We will use reasonable endeavors to ensure that such suppliers do not use your personal information except to provide services to us or to you.
Furthermore, by using the Site, you consent to the transfer of your personal information outside of Costa Rica to cloud service providers located globally (which may not provide the same protection for such information as Costa Rica's laws). All providers comply with international data protection standards and maintain recognized security certifications.
Keeping Your Personal Information Secure
We take the security of your personal information very seriously and have appropriate physical, technical and administrative procedures in place to help protect your personal information from unauthorized access, use, alteration and disclosure. We only allow access to your personal information to those employees and contractors who have a legitimate business need to access such information.
Cookies and Similar Technologies
Session Cookies
We use cookies and similar technologies for:
- Authentication: Keeping your session active
- Security: Preventing unauthorized access
- Preferences: Remembering your settings
Cookie Control
You can control cookies through your browser settings. However, disabling cookies may affect the functionality of the Service.
International Transfers
Your data may be processed and stored outside of Costa Rica, including:
- Cloud service providers: Global servers with encryption and compliance with international standards
- OAuth providers: Google, Microsoft, Apple servers located globally
All providers comply with international data protection standards and maintain recognized security certifications.
Legal Compliance
Applicable Laws
This Policy complies with:
- Costa Rica's Personal Data Protection Law (Law 8968)
- General Data Protection Regulation (GDPR) (for EU users, if applicable)
- International standards: Best practices for data security
Legal Basis
We process your data based on:
- Consent: When registering and using the Service
- Contract performance: To provide the Service
- Legitimate interest: To improve the Service and prevent fraud
- Legal obligation: To comply with legal requirements
Security of Minors
Clarity is not directed at minors under 18 years of age. We do not intentionally collect information from minors. If we discover that we have collected information from a minor, we will delete it immediately.
Contact and Exercising Rights
Privacy Questions
For questions about this Policy or the handling of your data:
- Email: contact@clarity.cr
- Website: https://clarity.cr
Exercising Your Rights
To exercise any of your rights (access, correction, deletion, portability):
- Through the application: Use the configuration features
- By email: Send a request to contact@clarity.cr
- Include: Your name, registered email, and the right you wish to exercise
We will respond to your request within 30 days.
Complaints
If you have a complaint about the handling of your data, you can:
- Contact us first to resolve the problem
- File a complaint with Costa Rica's data protection authority (if applicable)
Security Best Practices
Recommendations for Users
To keep your data secure:
- Protect your email: Since access links are sent to your email, ensure your email account is protected with a strong password and two-factor authentication
- Do not share access links: Magic links are single-use and personal - never share them
- Log out: On shared or public devices
- Review activity: Regularly review transactions in your account
- Keep software updated: Use updated browsers and operating systems
- Be cautious with emails: Verify that access links come from @clarity.cr
- Use OAuth when possible: OAuth authentication (Google, Microsoft, Apple) is even more secure
Our Commitments
We commit to:
- Notify breaches: Inform you immediately if there is a security breach that affects your data
- Continuous improvement: Constantly update our security measures
- Transparency: Be transparent about how we handle your data
- Compliance: Comply with all applicable data protection laws
By using Clarity, you confirm that you have read and understood this Privacy Policy.