1. Introduction
Welcome to Ciento. Ciento Labs Inc. (“Company,” “we,” “us,” “our”) respects your privacy and is committed to protecting it through our compliance with this policy.
This policy describes the types of information we may collect from you or that you may provide when you use the Ciento mobile application (available on iOS and Android), our website, and our conversational interfaces via WhatsApp or Telegram (collectively, our "Service").
By accessing or using the Service, you agree to this privacy policy.
2. Information We Collect About You
We collect several types of information from and about users of our Service.
A. Information You Provide to Us
- Account Information: Name, email address, phone number (specifically your WhatsApp or Telegram handle), and password.
- Voluntary Financial Data: We do not directly access, scrape, or connect to your financial institution accounts. We only process financial data (such as expense entries, budget limits, or balances) that you manually input into the Service or send to us via chat.
- Conversational & AI Data: When you interact with Ciento via WhatsApp or Telegram, we collect the content of your messages, prompts, and audio files to generate AI responses.
B. Information Collected Automatically (App & Device)
- Usage Details: Traffic data, logs, and communication data (e.g., time spent in-app).
- Device Information: We may collect information about your mobile device and internet connection, including the device's unique device identifier (UUID), IP address, operating system, and browser type.
- Push Notifications: If you grant permission, we may send push notifications to your mobile device regarding budget alerts or account updates. You can manage these permissions in your device settings.
- Firebase App Instance ID: A pseudonymous identifier generated by the Firebase SDK to associate analytics events with a single app installation. Reset when you uninstall the app or revoke analytics consent.
- Crashlytics Installation UUID: A pseudonymous identifier used to associate crash reports with a single app installation. Does not contain your name or email.
- Analytics Events (opt-in): When you grant analytics consent, we record interactions such as screen views, feature usage (e.g., when you create a transaction, complete onboarding, view a paywall), session duration, and app version. Events do not contain your transaction descriptions, amounts, or any free-text input.
- Crash Reports (opt-in): When you grant crash-report consent, we record device model, operating system version, app version, stack traces, and the last ~64KB of internal app logs at the moment of a crash. Crash logs do not contain your financial data.
- Subscription State: Via RevenueCat, we receive your subscription tier, trial/active/cancelled status, renewal date, and the App Store / Google Play product ID purchased. We do NOT receive your credit card number or full payment details — those stay with Apple and Google.
- Receipt Photos & Imported Statements: When you upload a receipt photo or import a bank statement file, the image/file is stored on Supabase and (where applicable) processed by Google Gemini to extract transaction data.
- Voice Recordings: When you send a voice message via the in-app chat, the audio file is stored on Supabase and processed by Google Gemini for transcription.
We do NOT collect Apple's IDFA (Identifier for Advertisers) or the Android Advertising ID (AD_ID). The app is built without these identifiers at the SDK level, which means we cannot and do not perform cross-app advertising tracking. This is why we do not show Apple's "App Tracking Transparency" prompt.
C. Website Analytics (Microsoft Clarity)
We partner with Microsoft Clarity to capture how you use and interact with our website through behavioral metrics, heatmaps, and session replay to improve our products and services. Website usage data is captured using first-party and third-party cookies and other tracking technologies to determine the popularity of our content and online activity. Additionally, we use this information for site optimization and fraud/security purposes. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement.
D. Information from Third Parties
- Meta (WhatsApp) & Telegram: We receive your phone number and profile name associated with your WhatsApp or Telegram account when you initiate a chat with our Service.
3. Your Privacy Choices & Consent
We follow a privacy-by-default approach. The first time you launch the Ciento mobile app, we show a consent dialog asking whether you'd like to enable:
- Usage Analytics (Firebase Analytics) — anonymous usage events to help us understand how the app is used.
- Crash Reports (Firebase Crashlytics) — anonymous crash reports to help us fix bugs faster.
Both categories are off by default until you actively choose. You can change your choice at any time in Settings → Privacy within the app. When you turn either category off, we stop collecting new data of that category and instruct Firebase to delete pseudonymous identifiers associated with your installation.
Essential data — the information needed to authenticate you, sync your data, and process your subscription — is always collected because the Service cannot function without it.
For users in the European Economic Area, the United Kingdom, Switzerland, and Quebec, the consent dialog is non-dismissable until you make an active choice, and the analytics/crash-reports categories require your affirmative opt-in (we do not pre-tick these consents).
4. How We Use Your Information
We use information that we collect about you or that you provide to us:
- To Provide the Service: To process your natural language queries via chat and retrieve relevant insights based on the data you have manually provided (e.g., "How much did I spend on groceries this month?").
- To Improve Our AI Models: We may use anonymized and aggregated interaction data to refine our prompt engineering and improve the accuracy of our AI responses. We will not use your personally identifiable financial information for third-party AI model training without your explicit consent.
- To Secure Your Account: To verify your identity via your linked mobile number and prevent fraud.
- To Send Notifications: To send you push notifications or chat alerts regarding your budget limits, subscription updates, or security alerts.
5. Artificial Intelligence & Chatbot Disclosures (Meta & Google)
Our Service utilizes artificial intelligence (AI) to process your messages. By using the Service, you acknowledge the following:
- AI Processing: Your messages are processed by Google Gemini (via Google LLC). While Google does not use your data to train their public models by default, data may be retained temporarily for abuse monitoring.
- Accuracy Disclaimer: AI-generated responses regarding your finances are estimates based on the data you provided. They may occasionally be inaccurate or "hallucinate." You should always verify important financial figures against your actual bank statements.
- Human Interaction: You understand that you are communicating with an automated AI agent, not a human.
6. Prohibited Data (Safety & Compliance)
To ensure the security of your data and compliance with Meta's Business Policies:
- No Sensitive Financial Credentials: You agree NOT to input or send full credit card numbers, bank account passwords, PINs, or CVV codes via WhatsApp, Telegram, or the App.
- No Sensitive Personal Data: Do not send health data, government ID numbers (SIN/SSN), or other sensitive categories of data through the chat interface.
7. Data Retention
We retain your data until you decide to delete it.
- User-Controlled Retention (Account & Financial Data): We retain your Personal Information, Financial Data, and Chat History for as long as your account is active, so you can track your financial progress over time.
- Analytics Data: Pseudonymous Firebase Analytics events are retained for 2 months, then automatically deleted by Firebase. You can shorten this further by revoking analytics consent in the app, which triggers immediate deletion of your installation's analytics data.
- Crash Reports: Crash logs are retained for 90 days by Firebase Crashlytics, then automatically deleted.
- Subscription Records: RevenueCat retains subscription transaction records for as long as your account is active, plus the period required by Apple / Google billing reconciliation.
- Account Deletion: If you delete your account or request data deletion, we will delete your data from our active production servers (database, cache, Firebase, RevenueCat) within 30 days. To delete your account from the Ciento mobile app, go to Settings → Profile and follow the account deletion flow. If you cannot use the app, email privacy@cientolabs.com to request deletion.
- Legal Exception: Notwithstanding the above, we may retain specific transaction records for up to seven (7) years solely to comply with legal and tax obligations. This retained data is archived and isolated from active use.
8. Disclosure of Your Information
We do not sell your personal information to third parties. We disclose personal information only to the trusted service providers necessary to run our infrastructure.
Service Providers & International Data Transfers
We are based in British Columbia, Canada and use service providers located in other jurisdictions. By using the Service, you acknowledge that your data may be transferred to and processed in these countries.
| Service Provider | Role | Headquarters & Jurisdiction | Contact |
|---|---|---|---|
| Microsoft Clarity | Website Analytics, Heatmaps & Session Replay | One Microsoft Way, Redmond, WA, USA | Privacy Statement |
| Supabase, Inc. | Database & Authentication | 65 Chulia Street #38-02/03, Singapore 049513 | privacy@supabase.com |
| Microsoft Azure | Cloud Infrastructure | One Microsoft Way, Redmond, WA, USA | privacy@microsoft.com |
| Hostinger International | Cloud Hosting (n8n) | 61 Lordou Vironos Street, 6023 Larnaca, Cyprus | gdpr@hostinger.com |
| n8n GmbH | Workflow Automation | Novalisstr. 10, 10115 Berlin, Germany | privacy@n8n.io |
| Redis Ltd. | Caching & Performance | 303 2nd St, San Francisco, CA, USA | privacy@redis.com |
| Expo (650 Industries) | Mobile App Framework | 624 University Ave, Palo Alto, CA, USA | legal@expo.dev |
| Google LLC (Gemini) | AI & LLM Processing | 1600 Amphitheatre Pkwy, Mountain View, CA, USA | Google Privacy |
| WhatsApp LLC | Messaging Platform | 1601 Willow Road, Menlo Park, CA, USA | Privacy Policy |
| Telegram FZ-LLC | Messaging Platform | Business Central Towers, Dubai, UAE | Privacy Policy |
| Google LLC (Firebase Analytics) | Mobile App Usage Analytics | 1600 Amphitheatre Pkwy, Mountain View, CA, USA | Firebase Privacy |
| Google LLC (Firebase Crashlytics) | Mobile App Crash Reporting | 1600 Amphitheatre Pkwy, Mountain View, CA, USA | Firebase Privacy |
| RevenueCat, Inc. | Subscription Management | 631 Howard St #100, San Francisco, CA, USA | privacy@revenuecat.com |
| Apple Inc. | iOS In-App Purchase Processing | One Apple Park Way, Cupertino, CA, USA | Privacy Policy |
| Google LLC (Google Play Billing) | Android In-App Purchase Processing | 1600 Amphitheatre Pkwy, Mountain View, CA, USA | Privacy Policy |
Note: Data sent to the United States may be subject to access by US law enforcement under the US CLOUD Act.
9. Your Data Rights (GDPR, UK GDPR, Quebec Law 25, PIPEDA & CCPA/CPRA)
We align our user rights with the highest global standards, including the General Data Protection Regulation (GDPR), the UK GDPR, Quebec's Law 25, Canada's PIPEDA, and the California Consumer Privacy Act (CCPA/CPRA).
Regardless of where you live, you have the right to:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate data.
- Erasure (Right to be Forgotten): Request that we delete your data.
- Portability: Request a copy of your data in a structured, machine-readable format (JSON/CSV).
Notice to California Residents (CCPA)
- Do Not Sell My Personal Information: Ciento Labs Inc. does not sell your personal information for monetary value.
- Right to Opt-Out of Sharing: We may use third-party analytics tools. You have the right to opt out of sharing your data for cross-context behavioral advertising. You may exercise this right by contacting us.
Notice to Quebec Residents (Law 25)
If you reside in Quebec, you have additional rights under the Act respecting the protection of personal information in the private sector ("Law 25"):
- Right to be informed of automated decision-making: We use Google Gemini to generate AI responses and insights. These do not produce legally significant decisions about you (we don't use AI to deny services or set pricing). You can request not to receive AI-generated insights by contacting us.
- Right to data portability: You may receive your personal information in a structured, commonly used technological format.
- Right to information about cross-border transfers: As detailed in Section 8, your data is processed in the United States, Singapore, Cyprus, and Germany. We have assessed each transfer and rely on the recipient's contractual privacy commitments.
Person in Charge of the Protection of Personal Information:
Ignacio Zorrilla Barbera (CEO), Guillermo Zorrilla Barbera (COO), and Juan Mateo-Sagasta Escondrillas (CTO)
Co-founders, Ciento Labs Inc.
Email: privacy@cientolabs.com
Notice to EEA / UK Residents (GDPR / UK GDPR)
If you reside in the EEA, the UK, or Switzerland, you have rights under GDPR / UK GDPR including the right to:
- Withdraw consent at any time (in-app: Settings → Privacy; or by emailing us).
- Lodge a complaint with your national supervisory authority.
- Object to processing based on legitimate interests.
Our legal bases for processing are:
- Contract (Art. 6(1)(b)) — for account, financial data, and subscription processing.
- Consent (Art. 6(1)(a)) — for Firebase Analytics and Crashlytics.
- Legitimate Interests (Art. 6(1)(f)) — for fraud prevention and service security.
To exercise any of these rights, please contact privacy@cientolabs.com.
10. Data Security
The security of your data is our top priority. We use End-to-End Encryption where possible and Encryption-at-Rest for all database records.
- Platform Security: Interactions via WhatsApp and Telegram are subject to the encryption standards of those respective platforms.
- Input Security: As you enter data manually, please avoid inputting sensitive credentials (such as passwords or full credit card numbers) into the chat interface.
11. Children's Privacy
Our Service is intended for adult users. The minimum age varies by jurisdiction:
- Canada (British Columbia): 19 years of age.
- United States: 13 years of age. We do not knowingly collect personal information from children under 13 (COPPA).
- European Economic Area & United Kingdom: 16 years of age (or the lower age set by your member state, never below 13). We rely on parental consent for any user below the applicable digital-consent age.
- Other jurisdictions: the age of majority in your jurisdiction of residence.
If we learn we have collected personal information from a minor without verification of parental consent, we will delete that information promptly. To report such a case, contact privacy@cientolabs.com.
12. Governing Law and Jurisdiction
This policy and your use of the Service shall be governed by and construed in accordance with the laws of the Province of British Columbia and the federal laws of Canada applicable therein. Any dispute arising out of or in connection with this policy shall be subject to the exclusive jurisdiction of the courts located in Vancouver, British Columbia.
13. Changes to Our Privacy Policy
We will review this privacy policy annually to ensure it complies with evolving laws and technologies.
- Standard Changes: We will notify you at least 15 days in advance of any material changes to this policy via email or a chat notification.
- Urgent Updates: For changes required to address security vulnerabilities, abuse, or immediate legal requirements, we may provide 1 day's notice or make the change effective immediately.
- Continued Use: Your continued use of the Service after such changes constitutes acceptance of the new policy.
14. Designated Privacy Contacts
- Person in Charge of the Protection of Personal Information (Quebec Law 25): Ignacio Zorrilla Barbera (CEO), Guillermo Zorrilla Barbera (COO), and Juan Mateo-Sagasta Escondrillas (CTO), privacy@cientolabs.com
- General privacy inquiries: privacy@cientolabs.com (or product@cientolabs.com)
- Account deletion: Use Settings → Profile in the Ciento mobile app. If you cannot use the app, email privacy@cientolabs.com.
- EU / UK Representative under GDPR Art. 27: Not currently designated. We will appoint a representative if our processing of EEA/UK residents' data exceeds the thresholds in Art. 27(2). Until then, EEA/UK users may contact us directly at privacy@cientolabs.com.
15. Contact Information
To ask questions or comment about this privacy policy and our privacy practices, contact us at: