Effective date: 16 January 2026
Last updated: 1 July 2026
The data controller responsible for processing your personal data is:
NOVA V
Onze Lieve Vrouwestraat 63
8770 Ingelmunster
Belgium
Company number (KBO): 1026.507.349
VAT: BE 1026.507.349
Email: hello@briliza.com
We have assessed our processing against Article 37 GDPR and concluded that we are not required to appoint a Data Protection Officer: our core activities do not consist of large-scale processing of special categories of data, nor of large-scale, regular and systematic monitoring of individuals. We keep this assessment under review as the Service grows. For any privacy-related inquiry, please contact us at the email address above.
This Privacy Policy applies to the BRILIZA personal finance platform (the "Service") and describes how we collect, use, disclose, and protect your personal data in accordance with:
This Service is intended exclusively for users located in the European Union and European Economic Area (EU/EEA). By using the Service, you confirm that you are located within the EU/EEA.
We collect and process the following categories of personal data:
Data we do NOT collect: We do not track you across other websites, build advertising or marketing profiles, or use persistent cross-site identifiers. We do not collect precise (GPS) location, and we do not collect biometric data. Our analytics providers process your IP address only momentarily (to derive your approximate country and to count visits), but we do not store your IP address or use it to identify you.
We process your personal data for the following purposes, each with a specific legal basis under Article 6(1) GDPR:
| Purpose | Legal Basis | Data Categories |
|---|---|---|
| Account creation and authentication | Contract performance (Art. 6(1)(b)) | Account data |
| Providing the personal finance tracking service | Contract performance (Art. 6(1)(b)) | Financial data, Account data |
| Bank account synchronization via Open Banking | Contract performance (Art. 6(1)(b)) | Financial data |
| AI-powered categorization and insights (a feature you choose to use) | Legitimate interest (Art. 6(1)(f)) | Aggregated, anonymized financial summaries |
| Service performance monitoring | Legitimate interest (Art. 6(1)(f)) | Anonymized technical data |
| Cookieless usage analytics (page views, country, masked session recordings) | Legitimate interest (Art. 6(1)(f)) | Pseudonymized usage data |
| Enhanced analytics with cookies (linking page views within a visit, funnels) | Consent (Art. 6(1)(a)) | Analytics cookie identifiers |
| Responding to support inquiries | Contract performance (Art. 6(1)(b)) | Account data, inquiry content |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) | As required by law |
Legitimate interest assessment: For performance monitoring, cookieless usage analytics (including masked session recordings), and AI-assisted categorization and insights, our legitimate interest is understanding how the Service is used and helping you make sense of your finances, so we can find and fix problems and improve the Service. We have weighed this against your privacy and minimize the impact: no cookies are set for analytics in this mode, all text inputs and sensitive content are masked, recordings are pseudonymized and not linked across visits, only aggregated and anonymized summaries (never individual transactions) are sent to our AI provider, and none of this is used to identify you or to make decisions that affect you. You can object at any time. Choosing "Reject all" in the cookie settings stops session-recording analytics for you, you can decline analytics cookies there, and you can choose not to use the AI features or contact us to object.
Mandatory data: Providing your email address and password is necessary to create an account and use the Service. Without this data, we cannot provide the Service to you.
Optional data: Connecting bank accounts and entering financial data is voluntary. However, without this data, certain features of the Service (such as automatic transaction import and insights) will not be available.
We share your personal data with the following categories of recipients, acting as data processors under written agreements that comply with Article 28 GDPR:
Purpose: Database hosting, user authentication, and data storage
Data processed: All account and financial data
Location: European Union (Paris, France, eu-west-3)
Safeguards: Data encrypted at rest (AES-256) and in transit (TLS 1.3)
Purpose: Open Banking connectivity (Account Information Service Provider under PSD2)
Data processed: Bank account identifiers, transaction history (accessed via your bank's API with your authorization)
Location: United Kingdom (GoCardless Ltd, authorized by the UK Financial Conduct Authority). The UK benefits from a European Commission adequacy decision.
Note: We never receive or store your bank login credentials. Authentication occurs directly with your bank.
Purpose: AI-powered financial insights and transaction categorization
Data processed: Aggregated, anonymized financial summaries (not individual transactions with identifying details)
Location: United States and other countries
Safeguards: Standard Contractual Clauses (SCCs) approved by the European Commission
Purpose: Application hosting, web analytics, and performance monitoring
Data processed: Pageview data (pages visited, referrer, approximate country); Web Vitals performance metrics (page load times). Your IP address is processed momentarily to derive country and to count unique visits, but is not stored or shared, and no cross-site identifiers are used.
Location: Global with EU edge nodes
Safeguards: Standard Contractual Clauses (SCCs)
Purpose: Website behavior analytics (heatmaps, session recordings, scroll depth analysis) to improve user experience
Data processed: Pseudonymized interaction data (clicks, scrolls, mouse movements, page navigation) and masked session recordings. All text input fields, numbers and other sensitive content are automatically masked, so recordings capture interaction patterns rather than your financial data. Approximate country is derived from your IP address; the IP address is not retained.
Location: Global (Microsoft Azure infrastructure)
Safeguards: Standard Contractual Clauses (SCCs); automatic masking of all text inputs and sensitive content; cookieless by default (cookies only after consent)
Purpose: Transactional email delivery for contact form notifications
Data processed: Name, email address, and message content from contact form submissions
Location: United States
Safeguards: Standard Contractual Clauses (SCCs)
We do not sell, rent, or trade your personal data to third parties. We do not share your data with advertisers or data brokers.
Your account and financial data are stored within the European Economic Area (Supabase, EU region). Some processors, however, process data outside the EEA: Google, Vercel, Microsoft and Resend (United States), and GoCardless (United Kingdom).
For these transfers we rely on:
You may request a copy of the relevant safeguards by contacting us.
We use the following cookies and storage mechanisms:
These cookies are essential for the Service to function and cannot be disabled.
| Cookie | Purpose | Duration |
|---|---|---|
| Supabase auth token | Keeps you signed in | Session (managed by Supabase) |
| locale | Remembers your chosen language | 1 year |
Legal basis: These cookies are exempt from consent requirements under Article 5(3) of the ePrivacy Directive as they are strictly necessary to provide the service you requested.
We use the following analytics tools to understand how visitors use our website and to improve the user experience:
Legal basis (cookieless analytics): Legitimate interest (Art. 6(1)(f) GDPR). Vercel Web Analytics, Vercel Speed Insights, and Clarity's cookieless mode set no cookies and process only pseudonymized, masked data that is not linked across visits, so they run under our legitimate interest in improving the Service. To object: choosing "Reject all" in the cookie settings stops Microsoft Clarity (including session recordings) from loading for you. Vercel's analytics are cookieless and aggregate and do not identify you individually; you can avoid them with a tracker-blocking browser or extension, and you may raise any objection under Article 21 with us at the email above.
Legal basis (cookie-based analytics): Consent (Art. 6(1)(a) GDPR and Art. 5(3) ePrivacy Directive). Clarity's first-party analytics cookies are set only after you give consent via "Accept all". You can withdraw your consent at any time; it is as easy to withdraw as it was to give.
None of these tools track you across other websites, collect your personal financial data, or share data with advertisers.
We use your browser's local storage to remember your preferences and choices. This information stays on your device, is never sent to advertisers, and is not used to track you. We store the following, grouped by purpose:
| What we store | Purpose | Cleared on logout? |
|---|---|---|
| Current selection | Which accounts, owners and bank you are currently viewing | Yes |
| Display preferences | How the app looks for you: avatar style, privacy-blur (demo) mode, mobile navigation | No |
| Feature toggles | Optional features you have switched on or off | No |
| Tool and view settings | Your settings inside the planning and reporting tools: chart options, selected periods, planner inputs | No |
| Cookie choice | Your analytics-cookie decision, so we do not ask you again | No |
| Cached data and flags | Setup flags and cached reference data so the app loads faster | No |
Items not cleared on logout remain on your device until you clear your browser data. None of this is shared with us as personal data beyond what is described elsewhere in this policy.
We retain your personal data according to the following criteria:
| Data Category | Retention Period |
|---|---|
| Account and financial data | Duration of your account, plus 30 days after deletion request |
| Authentication logs | Retained only as long as necessary for security and fraud prevention |
| Backup copies | Purged within 90 days of account deletion |
| Support correspondence | 2 years after resolution (for legal compliance) |
When you request deletion of your account (by emailing us), we revoke all bank connections and begin permanent deletion of your personal data. Complete erasure occurs within 30 days, with backups purged within 90 days.
You have the following rights regarding your personal data:
How to exercise your rights: Contact us at hello@briliza.com. We will respond within 30 days. If your request is complex, we may extend this period by up to 60 additional days, in which case we will inform you of the extension and the reasons.
Identity verification: To protect your privacy, we may request information to verify your identity before processing your request.
We use AI (Google Generative AI) to assist with transaction categorization and generate financial insights. This processing:
We do not engage in automated decision-making that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR.
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, including:
Despite these measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we commit to promptly addressing any security incident.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit) within 72 hours of becoming aware of the breach, as required by Article 33 GDPR. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, as required by Article 34 GDPR.
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately so we can delete it.
We may update this Privacy Policy to reflect changes in our practices or legal requirements, or for other operational reasons. When we make material changes:
We encourage you to review this policy periodically. Your continued use of the Service after changes become effective constitutes acceptance of the revised policy, except where consent is required.
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority.
For Belgium, the competent authority is:
Gegevensbeschermingsautoriteit (GBA)
Drukpersstraat 35
1000 Brussels
Belgium
Website: www.gegevensbeschermingsautoriteit.be
Email: contact@apd-gba.be
You may also lodge a complaint with the supervisory authority in the EU Member State of your habitual residence or place of work.
This Privacy Policy and any disputes arising from it shall be governed by the laws of Belgium, without regard to conflict of law principles. This choice of law does not deprive you of the protection afforded by provisions that cannot be derogated from by agreement under the law of your country of habitual residence.
If any provision of this Privacy Policy is found to be invalid or unenforceable by a court of competent jurisdiction, that provision shall be limited or eliminated to the minimum extent necessary, and the remaining provisions shall continue in full force and effect.
Our failure to enforce any right or provision of this Privacy Policy shall not constitute a waiver of that right or provision.
This Privacy Policy is available in English, Dutch, and Spanish. In the event of any conflict between the English version and a translation, the English version prevails, without prejudice to any mandatory right you have to rely on the version in your own language under the data-protection and consumer-protection laws of your country of residence.
For any questions about this Privacy Policy or our data practices, please contact:
NOVA V
Onze Lieve Vrouwestraat 63
8770 Ingelmunster
Belgium
Company number (KBO): 1026.507.349
VAT: BE 1026.507.349
Email: hello@briliza.com