
Privacy Policy

Effective date: April 14, 2026

Lara ("we," "us," or "our") operates a WhatsApp-based expense tracking service, website, and related features (collectively, the "Service"). This Privacy Policy explains how we collect, use, store, and protect your information when you use the Service.

Data Controller: Lara is operated by Johnny Nassar (sole proprietor). For data protection inquiries, contact us at privacy@larabot.co.

By using Lara, you agree to the practices described in this policy. If you do not agree, please discontinue use of the Service.

1. What Data We Collect

1.1 Data You Provide

When you interact with Lara via WhatsApp, Telegram, or our website, we may collect:

  • Expense data — amounts, currencies, merchant names, categories, descriptions, and dates that you log via messages, voice notes, or receipt photos
  • Budget and goal data — spending limits by category and savings goals you set
  • Language preference — English or Arabic
  • Currency preference — your chosen base currency (e.g., AED, USD, LBP)
  • Phone number — used solely for identification and delivering messages (see Section 3 on how we protect it)
  • Voice notes — temporarily processed to extract expense data, then discarded
  • Receipt images — temporarily processed to extract expense items, then discarded
  • Email address — only if you voluntarily join our waitlist or contact us
  • Support chat messages — messages you send via the website support widget

1.2 Data We Derive

  • Income bracket — inferred from spending patterns (low / mid / high), never asked directly
  • Financial Health Score — a numerical score (0-100) calculated from your spending, savings, and budget adherence
  • Spending summaries — weekly and monthly aggregations of your expense data
  • Timezone — inferred from your phone number country code

1.3 Data We Automatically Collect

  • Message metadata — timestamps of your interactions with the Service
  • Subscription status — your current plan tier (Free, Plus, or Pro)

2. What We Do NOT Collect

Lara is an expense tracking tool. We never collect:

  • Bank account numbers, credit card numbers, or any financial account credentials
  • Your real name (unless you voluntarily include it in a message)
  • Government-issued identification documents
  • Social Security numbers, national ID numbers, or tax IDs
  • Biometric data
  • Location data (beyond timezone inferred from phone country code)
  • Contacts, photos, or files from your device (beyond receipt photos you explicitly send us)

We do not connect to your bank, payment apps, or any financial institution. All expense data is manually entered by you.

3. How We Protect Your Data

3.1 Phone Number Protection

Your phone number receives special treatment:

  • Hashing: Your phone number is immediately converted to a one-way SHA-256 hash (combined with a secret salt) for identification purposes. The raw phone number is never stored in our user database.
  • Encryption: A separate, AES-256 encrypted copy of your phone number is stored solely to send you outbound messages (reports, confirmations). This encrypted value cannot be read without our encryption key.
  • AI isolation: Your phone number is never sent to any AI model. Claude (our AI) only sees your expense content, categories, and aggregated totals — never your phone number or real name.

3.2 Infrastructure Security

  • All data is stored in a PostgreSQL database hosted by Supabase Inc., which provides encryption at rest and in transit
  • The application is hosted on Railway.app with HTTPS enforced on all connections
  • Payment processing is handled entirely by Stripe — we never see or store your credit card details
  • All API communications use TLS encryption

3.3 Log Redaction

Raw phone numbers are automatically redacted from all application logs. Internal logs reference only hashed user identifiers.

4. Third-Party Services

We use the following third-party services to operate Lara. Each has its own privacy policy:

| Service | Purpose | Data Shared |
|---|---|---|
| Anthropic (Claude AI) | Expense parsing, categorization, report generation, support chat | Expense text, categories, amounts, aggregated totals. Never phone numbers or names. |
| Twilio | WhatsApp message delivery | Phone number (required for message delivery), message content |
| Supabase | Database hosting (PostgreSQL) | All stored data (hashed/encrypted as described above) |
| Stripe | Payment processing for paid tiers | Email address, payment method details (handled entirely by Stripe) |
| OpenAI (Whisper) | Voice note transcription | Audio data from voice notes (processed and discarded, not stored) |
| Railway.app | Application hosting | Application data in transit and server logs |
| Open Exchange Rates | Currency conversion rates | No user data shared — only currency pair lookups |

We do not sell, rent, or trade your data to any third party. Data is shared with the services above only as necessary to operate the Service.

5. How We Use Your Data

We use the data we collect to:

  • Track and categorize your expenses as you log them
  • Generate weekly summaries and monthly financial health reports
  • Provide budget alerts when you approach or exceed limits
  • Process recurring expense entries
  • Deliver AI-generated educational insights about your spending patterns
  • Process subscription payments
  • Respond to support inquiries
  • Improve and debug the Service

We do not use your data to provide personalized financial advice, investment recommendations, or any form of regulated financial service.

5b. Legal Basis for Processing (GDPR / UK GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction where the GDPR or similar data protection laws apply, we process your personal data on the following legal bases:

| Processing Activity | Legal Basis |
|---|---|
| Providing the Service (expense tracking, reports, budgets) | Performance of contract (Article 6(1)(b) GDPR) — necessary to deliver the service you requested |
| Processing subscription payments | Performance of contract (Article 6(1)(b) GDPR) |
| Sending weekly/monthly reports and budget alerts | Performance of contract (Article 6(1)(b) GDPR) — core service feature |
| AI-powered expense categorization and insights | Performance of contract (Article 6(1)(b) GDPR) — core service feature |
| Debugging, error logging, and service improvement | Legitimate interest (Article 6(1)(f) GDPR) — maintaining service quality and security |
| Anonymized, aggregated analytics | Legitimate interest (Article 6(1)(f) GDPR) — improving the service |
| Responding to support requests | Legitimate interest (Article 6(1)(f) GDPR) |

You may withdraw consent at any time where consent is the legal basis. Withdrawing consent does not affect the lawfulness of processing performed before withdrawal.

6. Data Retention

  • Expense data: Retained for as long as your account is active, or until you request deletion.
  • Voice notes and receipt images: Processed in real time and discarded immediately after extracting expense data. We do not store audio files or images.
  • Monthly summaries: Retained for as long as your account is active.
  • Support chat messages: Retained for up to 12 months for quality and debugging purposes.
  • After account deletion: All your data — expenses, budgets, goals, summaries, and encrypted phone number — is permanently deleted within 30 days of your deletion request. Hashed identifiers in aggregated, anonymized analytics may persist, but cannot be linked back to you.

7. Your Rights

Depending on your location, you may have the following rights under applicable data protection laws (including the GDPR, UK GDPR, and similar legislation):

7.1 Right of Access

You have the right to request a copy of the personal data we hold about you. You can export your expense data at any time by requesting a PDF or Excel report through the bot (available periods: all time, or last 1, 3, 6, or 12 months). For a full data access request, email privacy@larabot.co.

7.2 Right to Rectification

You can correct inaccurate data at any time by editing or deleting individual expenses through the bot (e.g., "undo" or "delete last"). For other corrections, contact us.

7.3 Right to Erasure ("Right to be Forgotten")

You can delete all your data at any time by sending "delete my data" to Lara via WhatsApp or Telegram. This permanently erases your user record, all expenses, budgets, goals, summaries, and encrypted phone number. This action is irreversible. You may also email us to request deletion.

7.4 Right to Restriction of Processing

You may request that we restrict the processing of your personal data in certain circumstances (e.g., while we verify the accuracy of your data). Contact us at privacy@larabot.co.

7.5 Right to Data Portability

You can export your data at any time in structured, machine-readable formats (PDF and Excel) through the bot. This ensures you can take your data to another service.

7.6 Right to Object

You may object to processing based on legitimate interests. If you object, we will stop processing your data unless we have compelling legitimate grounds. To object, email privacy@larabot.co.

7.7 Right to Withdraw Consent

Where processing is based on consent, you can withdraw consent at any time. Withdrawal does not affect the lawfulness of processing performed before withdrawal.

7.8 Right to Lodge a Complaint

If you believe we have violated your data protection rights, you have the right to lodge a complaint with a supervisory authority. For UK residents, this is the Information Commissioner's Office (ICO) at ico.org.uk. For EU residents, contact your local data protection authority.

7.9 Change Your Preferences

You can update your language and currency preferences at any time by sending commands like "set currency USD" or "set language ar" to the bot.

7.10 Opt Out

You can stop using the Service at any time by simply not sending messages. If you want your data erased, use the "delete my data" command or email us.

We will respond to all data rights requests within 30 days (or within the timeframe required by applicable law). Requests are free of charge unless manifestly unfounded or excessive.

7b. Automated Decision-Making

Lara uses AI (Anthropic Claude) to automatically categorize your expenses and generate spending insights. This processing:

  • Does not produce legal effects or similarly significantly affect you
  • Is limited to expense categorization and educational insights
  • Can be corrected by you at any time (edit categories, delete entries)
  • Does not make financial decisions on your behalf

Your income bracket (low/mid/high) is inferred from spending patterns to adjust the tone of responses. This is used solely for personalizing educational content and does not affect your access to features or pricing.

8. Cookies and Local Storage

The Lara website uses minimal browser storage:

  • localStorage: Used only to store session tokens for returning users. No tracking cookies, no analytics cookies, no advertising cookies.
  • We do not use third-party tracking scripts, pixels, or fingerprinting technologies on our website.

9. Children's Privacy

Lara is not designed for, marketed to, or intended for use by anyone under the age of 16. We do not knowingly collect data from children under 16. If you believe a child under 16 has used the Service, please contact us and we will promptly delete their data.

10. International Data Transfers

Lara is operated from Lebanon. Our infrastructure providers (Supabase, Railway, Anthropic, OpenAI, Stripe, Paddle) may process data in the United States, the United Kingdom, and other jurisdictions.

Where your personal data is transferred outside the EEA or UK, we ensure appropriate safeguards are in place:

  • Our third-party providers maintain Standard Contractual Clauses (SCCs) approved by the European Commission and/or the UK International Data Transfer Agreement (IDTA) for transfers to countries without an adequacy decision
  • We only use providers who maintain appropriate security certifications and data processing agreements
  • Your data is encrypted in transit and at rest regardless of where it is processed

You may request a copy of the safeguards we rely on for international transfers by contacting privacy@larabot.co.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify active users via a WhatsApp message at least 14 days before the changes take effect. The "Effective date" at the top of this page indicates when the policy was last revised.

Continued use of the Service after changes take effect constitutes your acceptance of the revised policy.

12. Contact Us

If you have questions about this Privacy Policy or your data, contact us at:

Email: privacy@larabot.co

You may also use the support chat widget on our website.
