Mbongo
FeaturesAboutContact
Sign inStart free
Privacy Policy

Your privacy. On the right side of the law.

Mbongo Tech's Privacy Policy, in compliance with the Constitution of the Republic of Angola, Law no. 22/11 (Personal Data Protection) and Law no. 14/24 (Electronic Communications and Information Society Services).

Version 1.0In force since 22 May 2026Last updated 22 May 2026

Contents

  1. 1. Who we are
  2. 2. Data we collect
  3. 3. For what purposes
  4. 4. Legal grounds
  5. 5. Who we share with
  6. 6. International transfers
  7. 7. Retention periods
  8. 8. Your rights
  9. 9. How to exercise your rights
  10. 10. Security
  11. 11. Minors
  12. 12. Cookies
  13. 13. Changes
  14. 14. Contacts

1. Who we are (Data Controller)

The entity responsible for processing your personal data is:

Mbongo Tech, Lda.
Tax ID 5417XXXXXX
Head office: Edifício XYZ, Rua Marechal Brós Tito, no. 35, Maianga, Luanda, Angola
Data Protection Officer (DPO) email: dpo@mbongo.app
General email: privacidade@mbongo.app

The right to the inviolability of private and family life is guaranteed by article 32 of the Constitution of the Republic of Angola. This policy gives effect to that right in the context of our activity.

2. Data we collect

2.1 Data you provide to us

  • Account: first name, last name, email, mobile number, time zone, country.
  • Financial profile (during onboarding): type of activity (employee, freelancer, business owner, student), typical monthly income, main currency, financial goals, usual expense categories.
  • Financial data you record manually: transactions, bank accounts, savings vaults, goals, investment positions, debts, automatic rules.
  • Attachments you upload: invoices, receipts, contracts, bank statements (CSV or OFX) for import.

2.2 Data generated by use

  • Usage data: pages visited, features used, frequency of access, session duration.
  • Technical data: IP address, device model, operating system, browser, connection type (Wi-Fi/mobile data), language.
  • Cookies and identifiers as detailed in our Cookie Policy.

2.3 Data we receive from third parties

  • Authentication: name, profile picture and email from the authentication provider you choose (Google, Apple, etc.), through our identity management partner Clerk.
  • Payments: transaction confirmations and status from Multicaixa Express, Visa, Mastercard, processed by the respective operators.

We do not collect data about sexual orientation, political opinions, religious beliefs, health status or ethnic origin.

3. The purposes for which we process your data

PurposeLegal basis (Law 22/11)
Provide you with the Mbongo service (create account, record transactions, show analytics)Performance of a contract — art. 6 (b)
Invoice and charge the subscription (Pro/Family plan)Performance of a contract and legal obligation — art. 6 (b) and (c)
Detect fraud, ensure security and prevent abuseLegitimate interest — art. 6 (f)
Improve the app based on aggregated usage analysisLegitimate interest (aggregated/anonymised data) — art. 6 (f)
Send marketing communications and the Mbongo newsletterConsent — art. 6 (a)
Training AI models for personalised suggestionsOptional consent (Settings → Privacy) — art. 6 (a)
Comply with tax, regulatory and judicial obligationsLegal obligation — art. 6 (c)

4. Legal bases and principles

The processing of your data follows the principles enshrined in art. 5 of Law 22/11:

  • Lawfulness and good faith — we only process data with a legal basis.
  • Purpose — we collect for specific, explicit and legitimate purposes.
  • Proportionality — only what is necessary for each purpose.
  • Accuracy — we keep data up to date and correct inaccuracies.
  • Limited retention — we keep it only for as long as necessary.
  • Security — we protect against unauthorised access, alteration or destruction.
  • Transparency — that is what this policy is for.

5. Who we share your data with

We do not sell your personal data to third parties, under any circumstances. We share only with:

  • Technical subprocessors that need the data in order to provide us with their service:
    • Clerk Inc. (user authentication) — United States
    • Supabase Inc. (database hosting) — EU (Ireland)
    • Vercel Inc. (web application hosting) — United States
    • OpenAI / Anthropic (AI models, only if authorised) — United States
    • Wesender / Resend (sending transactional emails) — EU
  • Regulators and authorities when legally required (BNA, AGT, Courts).
  • External auditors under a confidentiality agreement.

All subprocessors have signed a Data Processing Agreement (DPA) with Mbongo that requires them to process your data only according to our instructions and to apply appropriate technical and organisational measures.

6. International transfers

Some of our subprocessors are based outside Angola. International transfers comply with art. 33 of Law 22/11, relying on:

  • Equivalent approved standard contractual clauses (Standard Contractual Clauses), when the destination country does not offer an adequate level of protection.
  • Express and informed consent for specific purposes, where applicable.

7. How long we keep your data

CategoryTerm
Account data (while the account is active)Until you request deletion
Recorded financial transactionsWhile account active + 5 years (tax purposes)
Subscription invoices10 years (tax obligation — General Tax Law)
Security and audit logs2 years
Analytics cookies13 months maximum
Security backups90 days after main deletion

8. Your rights

Under articles 11 to 17 of Law 22/11, you have the right to:

  • Access — know what data we hold about you and obtain a copy in a readable format.
  • Rectification — correct incorrect or incomplete data.
  • Erasure ("to be forgotten") — delete your account and all associated data.
  • Restriction of processing — ask us to stop certain processing.
  • Portability — receive your data in a structured format (CSV, JSON) to transfer to another service.
  • Objection — object to processing based on legitimate interest (including marketing profiles).
  • Withdraw consent at any time, for processing that depends on it.
  • Not be subject to automated decisions with significant legal effects.
  • File a complaint with the Data Protection Agency (APD), when operational, or with the competent court.

9. How to exercise your rights

You have three ways, all free of charge:

  1. Directly in the app: Settings → Account (rectify, delete) · Settings → Data (export CSV/JSON) · Settings → Privacy (revoke consents).
  2. By email: privacidade@mbongo.app or dpo@mbongo.app.
  3. By letter: head office address, c/o the Data Protection Officer.

We undertake to respond to your request within a maximum of 30 days from receipt, extendable by a further 60 days in complex cases, with substantiated information.

10. Security measures

In compliance with art. 24 of Law 22/11, we apply technical and organisational measures appropriate to the risk:

  • Encryption in transit (TLS 1.3) and at rest (AES-256) for all personal and financial data.
  • Multi-factor authentication mandatory for our team; recommended (and free) for users.
  • Principle of least privilege and segregation of duties in data access by employees.
  • Security audits conducted annually by an independent external entity.
  • Continuity and recovery plan with encrypted backups in multiple locations.
  • Incident notification to the user and the competent authority within a reasonable time, where applicable.

11. Minors

Mbongo is intended for people aged 18 or over. We do not knowingly collect data from minors. If we discover that we have collected data from a minor without the proper consent of their legal guardians, we delete that data immediately.

12. Cookies

The use of cookies and similar technologies is detailed in our Cookie Policy, in compliance with Law no. 14/24 (Electronic Communications).

13. Changes to this policy

We may update this policy. Material changes — those that affect your rights or the purposes of processing — are communicated to you by email and within the app, at least 30 days in advance. The version in force is always on this page, with the date and version shown at the top.

14. Contacts

Data Protection Officer (DPO): dpo@mbongo.app

General privacy requests: privacidade@mbongo.app

Complaints to the supervisory authority: Data Protection Agency (APD), when operational, or to the Common Courts of the District of Luanda.

Mbongo© 2026 Mbongo Capital. All rights reserved.
AboutManifestoPrivacyTermsCookiesContact