Privacy Policy
Last updated: May 6, 2026
1. Data Controller
The controller of personal data is belfai (hereinafter "we", "our" or "belfai"). For any privacy-related questions, you can contact us at [email protected].
2. Data Collected
We collect the following categories of data:
- -Registration data: name, email, phone, company name, VAT number, tax code, address
- -The tradesperson's client data: name, contacts, address (entered by the user)
- -Financial data: quotes, invoices, amounts, configured payment methods
- -Voice recordings: temporary audio for transcription, deleted after processing
- -Photographs: images of jobs or invoices uploaded by the user
- -Usage data: anonymous logs, crash reports, performance metrics
3. Purposes of Processing
Your data is used to:
- -Provide the service: generating quotes, invoices, reminders, dashboard
- -AI processing: voice transcription, data extraction, suggestions (all data remains isolated per user)
- -Service communications: push notifications, transactional emails
- -Service improvement: aggregated and anonymous analytics
- -Tax and legal obligations
4. Legal Basis for Processing
We process your personal data in compliance with Article 6 of Regulation (EU) 2016/679 (GDPR), on the basis of the following legal grounds:
- -Performance of the contract (art. 6.1.b GDPR): account registration, provision of the service (quotes, invoices, client management), service communications, subscription management.
- -Legal obligation (art. 6.1.c GDPR): retention of tax data for 10 years as required by Article 2220 of the Italian Civil Code, electronic invoicing compliant with the SdI (Italian Exchange System), tax obligations.
- -Legitimate interest (art. 6.1.f GDPR): service security, fraud prevention, product improvement through aggregated and anonymous analytics.
- -Consent (art. 6.1.a GDPR): crash reporting and analytics via Sentry, promotional communications, any advanced AI learning features. Consent can be withdrawn at any time from the app settings.
5. AI Processing and Voice Data
Voice recordings are sent to transcription services (Groq/Deepgram/OpenAI) solely to convert them into text. The audio is deleted immediately after transcription. The transcribed texts and the data extracted by the AI are stored in your account and are never shared with other users. The AI is not trained on your data.
6. Data Security
Data is protected through encryption in transit (TLS) and at rest. Each user has access exclusively to their own data thanks to Row Level Security (RLS) at the database level. The API keys of external services are never exposed in the mobile client. Data is hosted on Supabase infrastructure in European data centers.
7. Data Sharing and International Transfers
We never sell your data. We share it exclusively with the following sub-processors (data processors) for the provision of the service:
- -Supabase (EU/Frankfurt): database hosting, authentication, storage
- -Anthropic PBC (USA): AI processing for suggestions and analysis (Claude)
- -Groq Inc / OpenAI Inc (USA): voice transcription (Whisper STT)
- -Stripe Inc (USA/EU): payment processing, subscription management
- -Resend Inc (USA): sending transactional emails
- -Sentry (EU/Germany): error monitoring and crash reports (post-consent, anonymous)
- -Expo (EAS) (USA): mobile infrastructure and push notifications
Transfers outside the EU. Some of the sub-processors above are based in the United States. Transfers of personal data outside the European Economic Area take place in compliance with Article 46 GDPR on the basis of:
- -Standard Contractual Clauses (SCC) approved by the European Commission (Decision (EU) 2021/914)
- -Data Processing Agreements (DPA) signed with each provider
- -Supplementary technical and organizational measures (encryption in transit and at rest, data minimization, audit logs)
You can request a copy of the applicable SCCs by writing to [email protected].
8. Data Retention
Your data is retained for the entire duration of the account. Deleted data is moved to the trash for 30 days, then permanently removed. Upon account deletion, all data is deleted within 30 days.
9. Your Rights (GDPR)
Pursuant to Articles 15-22 and 77 of the GDPR, you have the right to:
- -Access (art. 15): obtain confirmation of processing and a copy of your personal data
- -Rectification (art. 16): correct inaccurate or incomplete data
- -Erasure (art. 17, "right to be forgotten"): request the deletion of your data
- -Restriction (art. 18): restrict processing in certain circumstances
- -Portability (art. 20): receive your data in a structured format (JSON/CSV)
- -Objection (art. 21): object to processing based on legitimate interest or marketing
- -Withdrawal of consent (art. 7.3): withdraw at any time the consents you have given
To exercise these rights, write to [email protected]. We will respond within 30 days.
Right to lodge a complaint with the Supervisory Authority (art. 77 GDPR). If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali):
- -Website: www.garanteprivacy.it
- -Address: Piazza Venezia 11, 00187 Rome, Italy
- -Email: [email protected] — PEC: [email protected]
10. California Rights (CCPA/CPRA)
If you are a California resident, under the California Consumer Privacy Act (CCPA) as amended by the CPRA, you have the following additional rights:
- -Right to Know: know the categories of personal information collected in the last 12 months, the sources, the purposes and the recipients
- -Right to Delete: request the deletion of the personal information collected
- -Right to Correct: correct inaccurate personal information
- -Right to Opt-Out of Sale/Sharing: object to the sale or sharing of data
- -Right to Limit Use of Sensitive Personal Information: limit the use of sensitive data
- -Right to Non-Discrimination: not be discriminated against for exercising CCPA rights
We do not sell or share your personal information as defined by the CCPA/CPRA. We do not share data with third parties for cross-context behavioral advertising and we do not sell data to data brokers.
To exercise your CCPA rights, contact us at [email protected] indicating "CCPA Request" in the subject line. We verify your identity before fulfilling the request. Response within 45 days.
12. Changes
We reserve the right to update this policy. In the event of substantial changes, we will notify you via an in-app notification or by email.