Legal

Privacy Policy

This Privacy Policy explains how Assero collects, uses, and shares personal data when you use our website and app.

Last updated: 30 January 2026

Who we are

Assero is the controller of your personal data for the purposes of UK GDPR and EU GDPR. Our details are:

Assero

Email: support@assero.app

If we appoint a Data Protection Officer, we will publish their contact details here.

What we collect

  • Account data (name, email address, authentication details, and subscription status).
  • Financial and planning data you add, such as budgets, goals, and account balances.
  • Bank account and transaction data if you connect a bank via our open banking provider (for example, account identifiers, balances, and transaction history).
  • Usage data, device information, log data, and IP address for security, analytics, and service improvement.
  • Communications with us (support requests, feedback, or survey responses).
  • Billing metadata (for example, subscription status and invoices). Payment card details are handled by our payment processor and are not stored by Assero.

How we use your data

We only use personal data when we have a lawful basis under UK GDPR and EU GDPR. Our main purposes and lawful bases are:

  • Provide and operate the service (contract performance).
  • Authenticate users and keep accounts secure (contract performance and legitimate interests).
  • Process subscriptions and billing (contract performance and legal obligations).
  • Improve the service, diagnose issues, and prevent fraud (legitimate interests).
  • Communicate with you about service updates and support (contract performance and legitimate interests).
  • Comply with legal obligations and respond to lawful requests (legal obligation).

Authentication and login

We use Supabase to provide secure authentication and session management. If you sign in with Google, Google acts as your identity provider and we receive your basic profile information (such as name and email address). Supabase manages session cookies that keep you signed in across requests.

Who we share data with

We share data with trusted service providers who help us operate Assero, under contracts that require appropriate security and confidentiality. These include:

  • Supabase (authentication, database, and storage infrastructure).
  • Stripe (subscription billing and payment processing).
  • Open banking providers such as TrueLayer (bank connections and data retrieval when you choose to connect a bank).
  • Hosting, monitoring, and customer support providers used to keep the service running.

We may also share information where required by law, to protect our rights, or as part of a business transfer.

International transfers

We may transfer personal data outside the UK and European Economic Area. Where we do, we use appropriate safeguards such as UK International Data Transfer Agreements, EU Standard Contractual Clauses, or an adequacy decision.

Retention

We keep personal data only for as long as needed for the purposes described in this policy, including to comply with legal, accounting, or reporting obligations. You can request deletion of your account and we will delete or anonymise your data within a reasonable period, unless we must retain it by law.

Your rights

You have rights under UK GDPR and EU GDPR, including the right to:

  • Access your personal data.
  • Rectify inaccurate or incomplete data.
  • Request erasure of your data.
  • Restrict or object to certain processing.
  • Receive a portable copy of your data.
  • Withdraw consent where we rely on consent.

You can exercise these rights by contacting us. If you are in the UK, you may also complain to the Information Commissioner’s Office (ICO). If you are in the EEA, you can contact your local supervisory authority.

Security

We implement organisational and technical measures to protect your data, including access controls, encryption in transit, and least-privilege access. No method of transmission is completely secure, but we work to protect your data.

Children

Assero is not intended for children under 18. If you believe a child has provided personal data, contact us and we will delete it.

Changes to this policy

We may update this policy from time to time. We will post the updated version on this page and update the “Last updated” date.

Data processors

For a summary of our data processing agreements, visit the DPA summary page.