Last updated · 2026-05-23 · Effective 2026-05-23
Privacy policy
This Privacy Policy describes how Pitanga Pixels LTD (“nomfi”, “we”, “us”) collects, uses, stores, shares, and protects personal data when you use the nomfi website, mobile application, and related services (collectively, the “Service”).
We are committed to processing your data lawfully, fairly, and transparently in line with the EU General Data Protection Regulation (Regulation (EU) 2016/679, the “GDPR”), the Cyprus Law on the Protection of Natural Persons with regard to the Processing of Personal Data (Law 125(I)/2018), and other applicable data protection laws.
1. Who we are
nomfi is operated by Pitanga Pixels LTD, a private limited company incorporated under the laws of the Republic of Cyprus.
- Registered office: 12–14 Gladstonos, Paphos 8046, Cyprus
- Company registration number: HE429960
- VAT number: CY10429960E
- Contact: hello@nomfi.app
For the purposes of the GDPR, Pitanga Pixels LTD acts as the data controller for personal data processed through the Service.
2. Scope of this policy
This policy applies to all personal data we collect through the Service, including the nomfi.app website, the nomfi mobile app, and related communications. It does not apply to third-party services we link to (Wise, Google, Stripe, etc.), each of which has its own privacy policy that you should review.
3. Personal data we collect
We collect the minimum data necessary to provide a useful, secure, and personalised financial advisor. The categories below summarise what we collect and why.
3.1 Account & identity data
- Email address, name, and profile picture (if you sign in with Google).
- Authentication identifiers and session tokens issued by our auth provider.
- Optional profile fields you provide during onboarding (e.g. base currency, voice preference).
3.2 Financial data (via Wise)
When you connect a Wise account, we receive: transaction history, account balances, currency holdings, and account metadata via Wise’s authorised API. We do not store your Wise login credentials; access is managed exclusively through Wise’s OAuth flow and revocable from your Wise account at any time.
3.3 Calendar data (Google Calendar — read-only)
With your explicit consent we access event titles, times, locations, and attendees from your primary Google Calendar to help anticipate upcoming spend (rent, flights, meetings, etc.). We never write, modify, share, or delete calendar data.
3.4 Email data (Gmail — read-only, narrow scope)
With your explicit consent we use the gmail.readonly scope solely to detect and classify financial messages (receipts, statements, bank notifications, invoices). Only the financial metadata necessary for advisory features is processed; we do not read, store, or analyse the content of personal correspondence. We never send, draft, modify, or delete email on your behalf.
Our use of Gmail data adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not transfer Gmail data to third parties except as necessary to provide the Service, do not use it for advertising, do not allow humans to read it (except where required for security, legal, abuse investigations, or with your explicit consent), and do not use it to train generalised AI models.
3.5 Payment data
If you subscribe, billing is processed by Stripe Payments Europe Ltd. We receive subscription status, the last four digits of your card, and the billing country — we never receive or store your full card number, expiry, or CVC.
3.6 Technical & usage data
- Device type, operating system, app version, locale, time zone, IP address (truncated for analytics).
- Aggregated and pseudonymised analytics about feature usage and screen views (no content of your messages or financial data).
- Crash reports and diagnostic logs (sensitive data redacted before transmission).
3.7 Communications
Records of support enquiries, feedback, and the messages you exchange with the nomfi in-app AI advisor. AI conversation history is stored to provide continuity across sessions and is encrypted at rest.
4. How we use your data & legal bases
We process personal data on the following GDPR lawful bases (Art. 6 GDPR):
- Performance of a contract (Art. 6(1)(b)): creating and operating your account, providing the advisor, processing your subscription, and delivering customer support.
- Consent (Art. 6(1)(a)): connecting optional integrations (Google Calendar, Gmail, Wise) and sending you the launch announcement if you joined the waitlist. You can withdraw consent at any time without affecting the lawfulness of prior processing.
- Legitimate interests (Art. 6(1)(f)): securing the Service against fraud and abuse, improving product quality through aggregated analytics, and corporate administration. We balance these interests against your rights and freedoms.
- Legal obligation (Art. 6(1)(c)): retaining billing records, responding to lawful requests from authorities, and complying with applicable tax and accounting law.
5. Automated processing & AI
nomfi uses large language models (Anthropic’s Claude API) to generate personalised insights based on the data you share with us. These insights are informational and do not constitute regulated financial advice. We do not make legally significant or solely automated decisions about you under Art. 22 GDPR (e.g. we do not deny you a service or set a price based purely on automated logic).
Prompts sent to Anthropic are processed under Anthropic’s Commercial Terms; Anthropic does not retain prompt content for model training and provides EU Standard Contractual Clauses for international data transfers (see Section 7).
6. Sharing & sub-processors
We do not sell, rent, or share your personal data with advertisers. We rely on a small set of vetted sub-processors who act only on our documented instructions and are bound by confidentiality and data-protection obligations:
- Supabase Inc. — database, authentication, file storage. Data hosted in the EU region (AWS Frankfurt).
- Wise Payments Limited / Wise Europe SA — bank account connection and transaction data (only after your authorisation).
- Google LLC / Google Ireland Limited — OAuth sign-in, Calendar (read-only), Gmail (read-only).
- Anthropic, PBC — large-language-model API for the advisor.
- Stripe Payments Europe Ltd. — subscription billing and payment processing.
- Resend Inc. — transactional and waitlist email delivery.
- Cloudflare, Inc. — bot mitigation (Turnstile) and edge infrastructure.
- Upstash Inc. — rate-limit storage (no personal data; IP hashes only).
- Vercel Inc. — website hosting and edge delivery.
We may also disclose personal data where we are legally required to do so (e.g. in response to a binding court order or law-enforcement request), and to professional advisers (legal, accounting) bound by confidentiality.
7. International data transfers
Some of our sub-processors (notably Anthropic, Stripe US affiliates, Vercel, Cloudflare, Resend, and Upstash) are established outside the European Economic Area, principally in the United States. Where personal data is transferred outside the EEA, we rely on appropriate safeguards under Chapter V of the GDPR, namely:
- The European Commission’s EU–US Data Privacy Framework adequacy decision, where the recipient is certified; and/or
- The European Commission’s Standard Contractual Clauses (Decision 2021/914), supplemented where necessary by technical and organisational measures (encryption in transit and at rest, access controls, audit logging).
You may request a copy of the relevant transfer mechanism by emailing hello@nomfi.app.
8. How long we keep your data
- Account data: for as long as your account is active, plus 30 days after deletion for backup rotation.
- Financial data (Wise, Gmail, Calendar): retained while the relevant integration is connected. When you disconnect, the data is deleted from our active systems within 30 days and removed from encrypted backups within a further 60 days.
- Billing records: retained for the period required by Cyprus tax and accounting law (currently 6 years).
- Waitlist email addresses: until launch is announced, plus 12 months, or until you unsubscribe.
- Support and abuse logs: 12 months.
9. Your rights
Under the GDPR you have the following rights, which you can exercise free of charge:
- Access — obtain a copy of the personal data we hold about you (Art. 15).
- Rectification — correct inaccurate or incomplete data (Art. 16).
- Erasure — request deletion of your data (Art. 17).
- Restriction — ask us to limit how we use your data (Art. 18).
- Portability — receive your data in a machine-readable format (Art. 20).
- Objection — object to processing based on legitimate interests or direct marketing (Art. 21).
- Withdraw consent — for any processing based on consent, without affecting the lawfulness of prior processing (Art. 7(3)).
To exercise any of these rights, email hello@nomfi.app. We will respond within one month (extendable by two further months for complex requests, per Art. 12(3) GDPR). We may need to verify your identity before disclosing personal data.
You also have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Office of the Commissioner for Personal Data Protection of the Republic of Cyprus (dataprotection.gov.cy). If you are located in another EU/EEA member state, you may also contact your local data protection authority.
10. Security
We apply industry-standard technical and organisational measures to protect your data, including:
- TLS 1.3 encryption for all data in transit.
- AES-256 encryption at rest for personal and financial data.
- Row-level security policies and least-privilege access controls on our databases.
- Multi-factor authentication for internal admin access.
- Centralised audit logging and intrusion-detection monitoring.
- Regular dependency scanning, code review, and pre-launch security testing.
Despite our efforts, no system is completely secure. If we become aware of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and inform affected users without undue delay, as required by Arts. 33–34 GDPR.
11. Cookies & similar technologies
The nomfi website uses strictly necessary cookies and local storage to maintain your session, remember your preferences (e.g. voice mode), and protect against bot abuse via Cloudflare Turnstile. We do not use third-party advertising cookies, cross-site trackers, or behavioural-profiling scripts. Where additional analytics cookies are introduced, we will request your explicit consent through a banner.
12. Children
The Service is intended for users aged 18 or older. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided personal data to us, please contact us and we will delete it promptly.
13. Marketing communications
If you joined the waitlist or opted in to product updates, we will send you transactional and announcement emails via Resend. Every marketing email contains an unsubscribe link; you can also email hello@nomfi.app at any time. We do not send marketing emails to users who only signed up for the paid service unless they opted in separately.
14. Changes to this policy
We may update this policy from time to time to reflect changes in our practices or in applicable law. Material changes will be communicated by email (where we have your address) and by an in-app or on-site notice at least 14 days before they take effect. The “Last updated” date at the top of this page always reflects the current version.
15. Contact us
For any privacy question, data-subject request, or complaint, please email hello@nomfi.app or write to us at:
Pitanga Pixels LTD
12–14 Gladstonos
Paphos 8046
Cyprus