Your privacy. On the right side of the law.
Mbongo Tech's Privacy Policy, in compliance with the Constitution of the Republic of Angola, Law no. 22/11 (Personal Data Protection) and Law no. 14/24 (Electronic Communications and Information Society Services).
1. Who we are (Data Controller)
The entity responsible for processing your personal data is:
Mbongo Tech, Lda.
Tax ID 5417XXXXXX
Head office: Edifício XYZ, Rua Marechal Brós Tito, no. 35, Maianga, Luanda, Angola
Data Protection Officer (DPO) email: dpo@mbongo.app
General email: privacidade@mbongo.app
2. Data we collect
2.1 Data you provide to us
- Account: first name, last name, email, mobile number, time zone, country.
- Financial profile (during onboarding): type of activity (employee, freelancer, business owner, student), typical monthly income, main currency, financial goals, usual expense categories.
- Financial data you record manually: transactions, bank accounts, savings vaults, goals, investment positions, debts, automatic rules.
- Attachments you upload: invoices, receipts, contracts, bank statements (CSV or OFX) for import.
2.2 Data generated by use
- Usage data: pages visited, features used, frequency of access, session duration.
- Technical data: IP address, device model, operating system, browser, connection type (Wi-Fi/mobile data), language.
- Cookies and identifiers as detailed in our Cookie Policy.
2.3 Data we receive from third parties
- Authentication: name, profile picture and email from the authentication provider you choose (Google, Apple, etc.), through our identity management partner Clerk.
- Payments: transaction confirmations and status from Multicaixa Express, Visa, Mastercard, processed by the respective operators.
We do not collect data about sexual orientation, political opinions, religious beliefs, health status or ethnic origin.
3. The purposes for which we process your data
| Purpose | Legal basis (Law 22/11) |
|---|---|
| Provide you with the Mbongo service (create account, record transactions, show analytics) | Performance of a contract — art. 6 (b) |
| Invoice and charge the subscription (Pro/Family plan) | Performance of a contract and legal obligation — art. 6 (b) and (c) |
| Detect fraud, ensure security and prevent abuse | Legitimate interest — art. 6 (f) |
| Improve the app based on aggregated usage analysis | Legitimate interest (aggregated/anonymised data) — art. 6 (f) |
| Send marketing communications and the Mbongo newsletter | Consent — art. 6 (a) |
| Training AI models for personalised suggestions | Optional consent (Settings → Privacy) — art. 6 (a) |
| Comply with tax, regulatory and judicial obligations | Legal obligation — art. 6 (c) |
4. Legal bases and principles
The processing of your data follows the principles enshrined in art. 5 of Law 22/11:
- Lawfulness and good faith — we only process data with a legal basis.
- Purpose — we collect for specific, explicit and legitimate purposes.
- Proportionality — only what is necessary for each purpose.
- Accuracy — we keep data up to date and correct inaccuracies.
- Limited retention — we keep it only for as long as necessary.
- Security — we protect against unauthorised access, alteration or destruction.
- Transparency — that is what this policy is for.
5. Who we share your data with
We do not sell your personal data to third parties, under any circumstances. We share only with:
- Technical subprocessors that need the data in order to provide us with their service:
- Clerk Inc. (user authentication) — United States
- Supabase Inc. (database hosting) — EU (Ireland)
- Vercel Inc. (web application hosting) — United States
- OpenAI / Anthropic (AI models, only if authorised) — United States
- Wesender / Resend (sending transactional emails) — EU
- Regulators and authorities when legally required (BNA, AGT, Courts).
- External auditors under a confidentiality agreement.
All subprocessors have signed a Data Processing Agreement (DPA) with Mbongo that requires them to process your data only according to our instructions and to apply appropriate technical and organisational measures.
6. International transfers
Some of our subprocessors are based outside Angola. International transfers comply with art. 33 of Law 22/11, relying on:
- Equivalent approved standard contractual clauses (Standard Contractual Clauses), when the destination country does not offer an adequate level of protection.
- Express and informed consent for specific purposes, where applicable.
7. How long we keep your data
| Category | Term |
|---|---|
| Account data (while the account is active) | Until you request deletion |
| Recorded financial transactions | While account active + 5 years (tax purposes) |
| Subscription invoices | 10 years (tax obligation — General Tax Law) |
| Security and audit logs | 2 years |
| Analytics cookies | 13 months maximum |
| Security backups | 90 days after main deletion |
8. Your rights
Under articles 11 to 17 of Law 22/11, you have the right to:
- Access — know what data we hold about you and obtain a copy in a readable format.
- Rectification — correct incorrect or incomplete data.
- Erasure ("to be forgotten") — delete your account and all associated data.
- Restriction of processing — ask us to stop certain processing.
- Portability — receive your data in a structured format (CSV, JSON) to transfer to another service.
- Objection — object to processing based on legitimate interest (including marketing profiles).
- Withdraw consent at any time, for processing that depends on it.
- Not be subject to automated decisions with significant legal effects.
- File a complaint with the Data Protection Agency (APD), when operational, or with the competent court.
9. How to exercise your rights
You have three ways, all free of charge:
- Directly in the app: Settings → Account (rectify, delete) · Settings → Data (export CSV/JSON) · Settings → Privacy (revoke consents).
- By email: privacidade@mbongo.app or dpo@mbongo.app.
- By letter: head office address, c/o the Data Protection Officer.
We undertake to respond to your request within a maximum of 30 days from receipt, extendable by a further 60 days in complex cases, with substantiated information.
10. Security measures
In compliance with art. 24 of Law 22/11, we apply technical and organisational measures appropriate to the risk:
- Encryption in transit (TLS 1.3) and at rest (AES-256) for all personal and financial data.
- Multi-factor authentication mandatory for our team; recommended (and free) for users.
- Principle of least privilege and segregation of duties in data access by employees.
- Security audits conducted annually by an independent external entity.
- Continuity and recovery plan with encrypted backups in multiple locations.
- Incident notification to the user and the competent authority within a reasonable time, where applicable.
11. Minors
Mbongo is intended for people aged 18 or over. We do not knowingly collect data from minors. If we discover that we have collected data from a minor without the proper consent of their legal guardians, we delete that data immediately.
13. Changes to this policy
We may update this policy. Material changes — those that affect your rights or the purposes of processing — are communicated to you by email and within the app, at least 30 days in advance. The version in force is always on this page, with the date and version shown at the top.
14. Contacts
Data Protection Officer (DPO): dpo@mbongo.app
General privacy requests: privacidade@mbongo.app
Complaints to the supervisory authority: Data Protection Agency (APD), when operational, or to the Common Courts of the District of Luanda.