Back to home

Privacy Policy

Last updated: April 6, 2026

1. Data Controller

Lucr.io is the data controller responsible for processing your personal data. For any data protection inquiries, contact us at privacy@lucr.io.

2. Data We Collect

Lucrio collects the following data to provide our personal finance management service:

  • Account information: Name, email address (via Google OAuth or email/password registration)
  • Financial data: Salary, utilities, loans, properties, savings goals, stock portfolios, saving accounts, additional income, and budget information you enter
  • Payment information: Subscription status and billing history. Payment card details are processed directly by Stripe and are never stored on our servers
  • Usage data: Interaction logs for audit and security purposes

3. Legal Basis for Processing

We process your personal data on the following legal bases under GDPR:

  • Contract performance: Processing your account information and financial data is necessary to provide the Lucrio service you signed up for
  • Consent: AI data sharing is based on your explicit consent, which you can grant or revoke at any time via granular toggles in the AI settings
  • Legitimate interest: Usage data and audit logs are processed for security, fraud prevention, and service improvement
  • Legal obligation: Certain data may be retained to comply with legal and regulatory obligations

4. AI Features & Google Gemini

Our AI assistant is powered by Google Gemini. When you use the AI assistant:

  • Your financial data is sent to Google's servers for processing per-request
  • You control exactly which data categories are shared via interactive toggles in the AI settings
  • You can revoke data sharing consent at any time — the AI will still work but without personalized financial context
  • AI conversation history is automatically deleted after 90 days
  • Google processes this data as a sub-processor under our data processing agreement; refer to Google's privacy policy for their data handling practices

5. Third-Party Services

We use the following third-party services to operate Lucrio:

  • Stripe: Payment processing for subscriptions. Stripe processes your payment card details directly — we never store card numbers. See Stripe's Privacy Policy
  • Google Gemini: AI assistant processing. Financial data you choose to share is sent per-request. See Google's Privacy Policy
  • Convex: Backend infrastructure and database hosting. All user data is stored on Convex's servers
  • Yahoo Finance: Stock market data. Portfolio ticker symbols are sent to retrieve pricing data; no personal financial data is shared

6. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States, where our service providers (Convex, Google, Stripe) operate. These transfers are protected by appropriate safeguards including Standard Contractual Clauses (SCCs) and the service providers' compliance with applicable data protection frameworks.

7. Data Retention

  • Financial data: Retained as long as your account is active
  • AI conversations: Automatically deleted after 90 days
  • Audit logs: Retained for security and compliance purposes; deleted when your account is deleted
  • Payment records: Retained as required by tax and financial regulations, even after account deletion

8. Your Rights

Under GDPR and applicable data protection laws, you have the right to:

  • Access: Request and export all your data at any time from Settings
  • Rectification: Edit your financial data through the app
  • Erasure: Delete your account and all associated data from Settings
  • Restriction: Request restriction of processing of your personal data in certain circumstances
  • Data portability: Receive your data in a structured, commonly used, machine-readable format
  • Object: Object to processing based on legitimate interests
  • Withdraw consent: Revoke AI data sharing consent at any time without affecting your ability to use the AI
  • Lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority if you believe your data is being processed unlawfully

To exercise any of these rights, contact us at privacy@lucr.io or use the self-service options in your account Settings.

9. Cookies & Tracking

Lucrio uses only essential cookies required for authentication and session management. We do not use advertising cookies, analytics trackers, or third-party tracking pixels. No cookie consent banner is required as we only use strictly necessary cookies.

10. Data Security

All data is stored securely using Convex's infrastructure with encryption at rest. Authentication is handled via Google OAuth or email/password with secure hashing. All connections use HTTPS/TLS encryption in transit. We maintain audit logs of sensitive actions (account deletion, data export, consent changes) for security purposes.

11. Children's Data

Lucrio is not intended for users under 18 years of age. We do not knowingly collect personal data from children. If we become aware that a child under 18 has provided us with personal data, we will take steps to delete that data promptly.

12. Account Deletion

When you delete your account, all data is permanently removed including: profile information, all financial records, AI conversations and messages, and audit logs. Payment records may be retained as required by law (see Data Retention).

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the service and updating the "Last updated" date. For significant changes that affect how we process your data, we will provide prominent notice before the changes take effect.

14. Contact

For privacy-related inquiries, please contact us at privacy@lucr.io.