Privacy Policy
Last updated: June 10, 2026
1. Introduction
At Patrimo.AI S.A.S (the “Company”), based in Colombia, we are the data controller responsible for the personal data we collect through Patrimo (the “Service”), a personal finance assistant that runs as an MCP (Model Context Protocol) server connected to Claude, Anthropic's artificial intelligence model.
This Privacy Policy explains what data we collect, how we process it, for what purpose, and what your rights are under applicable Colombian law, including Law 1581 of 2012 (the Personal Data Protection Law) and Decree 1377 of 2013.
2. Data controller
- Legal name: Patrimo.AI S.A.S
- Country: Colombia
- Website: patrimo.ai
- Contact email: legal@patrimo.ai
3. Data we collect
We collect only the data needed to provide you with the Service:
3.1 Identity data
- Full name (provided by Google OAuth)
- Email address (provided by Google OAuth)
- Google profile picture (optional, used only to display in your dashboard)
Our Google authentication flow requests only the openid email profile scopes. We do not request access to Google Drive, Gmail, Google Calendar, or any other Google service.
3.2 Financial data
- Income and expense records you enter conversationally
- Assets and liabilities you declare
- Custom categories you create
- Financial context (notes, goals, and reminders you share with the assistant)
All financial data is entered voluntarily by you through your conversation with Claude. Patrimo does not access your bank accounts, credit cards, or any external financial service.
3.3 Technical data
- Authentication session identifier
- Timestamps of requests to the MCP server
- Anonymized user identifier in operational logs
4. How we store your data
Your data is stored in a PostgreSQL database managed by Supabase, with the following security measures:
- Row Level Security (RLS): each user can access only their own records. Security policies are enforced at the database level.
- Encryption in transit: all communications between the MCP server and the database use TLS.
- Token encryption: Google OAuth authentication tokens are stored encrypted with AES-256-GCM, using a per-user derived key.
- Encryption at rest: Supabase encrypts stored data at the disk level.
- Logs without financial data: our operational logs never contain amounts, transaction descriptions, account names, or financial content. We log only technical metadata (tool invoked, duration, response status).
5. Purpose of processing
We use your personal data for the following purposes:
- Create and manage your Patrimo account
- Provide the personal finance assistant service via MCP
- Process your subscription and manage payments through Polar
- Send you transactional communications (registration confirmations, payment receipts, account notifications)
- Generate the personalized financial reports you request
- Improve the performance and quality of the Service
6. Sharing data with third parties
We do not sell, rent, or share your personal or financial data with third parties, except in the following cases that are strictly necessary to operate the Service:
- Supabase (infrastructure): stores your data on secure servers. Supabase acts as a data processor under our instructions.
- Polar (payments): acts as the Merchant of Record for your subscription. Polar is responsible for processing the charge, handling billing, and collecting any applicable taxes. It receives only the data needed to complete the transaction and maintains its own privacy policy.
- Resend (transactional email): sends confirmation emails and account notifications. It receives only your email address and the message content.
- Fly.io (hosting): hosts the MCP server. Data in transit is encrypted and the logs contain no financial information.
Under no circumstances do we share your financial records (income, expenses, assets, liabilities) with any third party.
7. Interaction with Claude (Anthropic)
Patrimo runs as an MCP server that Claude calls during your conversation. It's important that you understand the following:
- When you chat with Claude and it uses Patrimo's tools, your financial data passes between Claude and our MCP server to carry out the operations you request.
- How Anthropic handles your conversations with Claude is governed by Anthropic's privacy policy, not by this one.
- Patrimo stores your structured financial data in our database. Your conversation history resides with Anthropic under its own policies.
8. Data retention and deletion
We keep your data for as long as your account remains active. When you cancel your subscription:
- We retain your data for 90 days from cancellation. During that period you can reactivate your account and recover all of your information exactly as you left it.
- After 90 days, all of your data (financial and identity) is permanently deleted from our database.
- At any time — including before canceling — you can export a complete copy of all your data using the
export_datatool inside Claude.
You can also request deletion of your data at any time by writing to legal@patrimo.ai.
9. Your rights (Law 1581 of 2012)
Under Colombian personal data protection law, you have the right to:
- Know: request information about the personal data we hold about you.
- Update: correct data that is inaccurate, incomplete, or out of date.
- Rectify: amend data that is incorrect.
- Delete: request the deletion of your personal data when there is no legal or contractual duty to keep it.
- Withdraw consent: revoke your authorization for the processing of your data at any time.
- Access: obtain a copy of your personal data stored in our systems. You can do this at any time with Patrimo's
export_datatool. - File complaints: with the Superintendence of Industry and Commerce (SIC) if you believe we have violated your rights.
To exercise any of these rights, write to us at legal@patrimo.ai. We will respond to your request within ten (10) business days of receiving it, as required by law.
10. Information security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- AES-256-GCM encryption for sensitive tokens
- Row Level Security in the database
- TLS-encrypted communications
- Per-user rate limiting to prevent abuse
- No financial data in logs or monitoring systems
11. International data transfers
Your data may be stored on servers located outside Colombia (Supabase and Fly.io operate global infrastructure). In these cases, we ensure that providers offer adequate levels of data protection in line with Colombian regulations and international security best practices.
12. Minors
Patrimo is not directed at anyone under 18. We do not knowingly collect data from minors. If we discover that we have collected data from a minor, we will delete it immediately.
13. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the “Last updated” date at the top of this page. We encourage you to review it periodically.
14. Contact
If you have questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, you can reach us at:
- Email: legal@patrimo.ai
- Company: Patrimo.AI S.A.S
- Country: Colombia