Legal documents
Privacy Policy
We care about your privacy. Learn what data we process, for what purpose, and how we protect it.
1. Data Controller
The controller of your personal data is Martia Labs spółka z ograniczoną odpowiedzialnością (limited liability company) with its registered office in Sopot at ul. Aleja Niepodległości 942, 81-861 Sopot, Poland, entered in the Register of Entrepreneurs of the National Court Register kept by the District Court Gdańsk-Północ in Gdańsk, 8th Commercial Division of the National Court Register, under KRS number 0001244962, NIP (tax ID): 5851511387, REGON: 544885885, share capital: PLN 10,000.00.
We have not appointed a data protection officer (DPO). For all matters concerning your data and this policy, please contact us at support@martia.ai.
2. What Martia is
Martia is an AI-powered assistant you talk to about your money. It is available as a mobile app (iOS and Android), a web app (app.martia.ai, martia.ai), and an API, in 6 languages. You chat with Martia in your own language, and answers are based on your real bank transactions.
You are talking to an AI system
You are talking to an artificial-intelligence system, not a human. Martia's answers may contain mistakes and do not constitute professional financial, legal, or tax advice. Before you add a voice recording or an image, we show a short in-app notice explaining how that material is processed.
3. What data we process, for what purpose, and on what basis
Below we describe the categories of data we process — together with the purpose, legal basis (Art. 6 GDPR), retention period, and recipients. You will find the list of providers in Section 5 and the retention details in Section 8.
Account and identity data
- Scope: email address, optionally your first name, and your Auth0 user identifier (the “sub”).
- Purpose: creating and running your account, sign-in, and account-related communication.
- Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
- Retention: for the life of the account.
- Recipients: Auth0 (Okta).
Bank data
- Scope: list of accounts, balances, and transaction history.
- Purpose: showing your balance, spending history, and categories, and answering your questions about your finances.
- Legal basis: Art. 6(1)(b) GDPR (performance of a contract). You authorise the bank connection separately by granting bank consent within your account-information service provider's flow.
- Retention: for the life of the account.
- Recipients: Enable Banking (a licensed AIS provider), GoCardless (historical data for some accounts), Google Cloud, Neon.
Content you provide
- Scope: chat messages (including images and voice recordings, if you add them), CSV/PDF imports, and notes.
- Purpose: holding the conversation, analysing and categorising your finances, and personalising answers.
- Legal basis: Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (our legitimate interest in personalising and improving answers — see Section 4).
- Retention: for the life of the account; you can delete individual conversations yourself.
- Recipients: AI model providers routed via OpenRouter (incl. Anthropic, Google, xAI) — for chat, context, and categorisation; OpenAI — for transcribing voice recordings; Google Cloud, Neon.
Onboarding answers and preferences
- Scope: answers from the onboarding survey and your settings and preferences.
- Purpose: fitting the product to your needs and configuring the app.
- Legal basis: Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (product fit).
- Retention: for the life of the account.
- Recipients: Google Cloud, Neon.
Payments and subscription
- Scope: email address, billing address, and tax identification number (if you provide it).
- Purpose: handling payments, issuing invoices, and accounting.
- Legal basis: Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(c) GDPR (legal obligation — accounting rules).
- Retention: accounting documents for the period required by law (in Poland, 5 years counting from the end of the tax year).
- Recipients: Stripe.
Technical and security logs
- Scope: technical logs, which may include an account identifier and information about the operations performed.
- Purpose: security, abuse detection, and diagnostics.
- Legal basis: Art. 6(1)(f) GDPR (legitimate interest — security and reliability of the service).
- Retention: up to 12 months.
- Recipients: Google Cloud.
Optional product analytics
- Scope: a pseudonymous account identifier and allowlisted usage events. It does not include chat content, transactions, or onboarding answers.
- Purpose: understanding how you use the app so we can improve it.
- Legal basis: Art. 6(1)(a) GDPR (consent), which we ask for during onboarding. You can withdraw consent at any time in Settings — withdrawal stops collection immediately and does not affect the lawfulness of processing before withdrawal.
- Retention: up to 12 months.
- Recipients: PostHog (EU Cloud).
Notification and support emails
- Scope: service notifications sent to internal company mailboxes (e.g. signup, onboarding completed, purchase, account-deletion request) and support correspondence.
- Purpose: operating and running the service correctly and contacting you.
- Legal basis: Art. 6(1)(f) GDPR (legitimate interest — operating the service).
- Retention: cleaned up on a 12-month cycle.
- Recipients: Resend (email delivery), internal team mailboxes.
4. Financial profile, memory, and no automated decisions
To answer more accurately, Martia builds a profile of your financial situation from your data, along with a “memory” — it remembers context from earlier conversations to personalise answers. We do this to perform our contract (Art. 6(1)(b) GDPR) and in our legitimate interest in providing a useful, personalised assistant (Art. 6(1)(f) GDPR). You can delete individual conversations in the app at any time.
We do not make automated decisions about you that produce legal effects or similarly significantly affect you within the meaning of Art. 22 GDPR. Martia does not perform credit scoring, does not make credit decisions, and does not provide regulated investment advice.
5. Who we share data with
We do not sell your personal or financial data, and we do not share it with advertisers. We use the following providers — as processors and, where applicable, independent controllers — to run the service:
- Auth0 (Okta) — identity and sign-in.
- Enable Banking — a licensed account information service (AIS) provider; an independent, regulated entity.
- GoCardless — bank data for some accounts (a legacy setup).
- Google Cloud — hosting, storage, and logging; EU region.
- Neon — PostgreSQL database.
- OpenRouter and AI model providers (incl. Anthropic, Google, xAI) — processing chat, context, and categorisation.
- OpenAI — voice-recording transcription.
- PostHog — product analytics (EU Cloud, opt-in only).
- Stripe — payments.
- Resend — email delivery.
- Serper — merchant-information enrichment: only the public merchant name from a transaction is sent to the search service, never your identifier or amounts.
- Internal team mailboxes — service notifications.
We conclude the required data-processing agreements with our providers.
6. Transfers outside the EEA
Some providers — especially AI model providers and US-based entities — may process data outside the European Economic Area. Where this happens, we rely on the transfer mechanisms provided for by law: standard contractual clauses or an adequacy decision (including the EU–US Data Privacy Framework, where applicable).
7. Whether your conversations train AI models
We do not use your data to train our own models. We engage AI model providers under API terms that — per their current policies — do not grant them the right to train on customer content. We do not sell data, do not work with advertisers, and do not use advertising cookies.
8. How long we retain data
We keep data only for as long as it is needed:
- Account data, transactions, and content (chat, imports) — for the life of the account; deleted when the account is deleted.
- Technical logs — up to 12 months.
- Analytics data — up to 12 months.
- Raw bank-sync archives — up to 90 days.
- Backups — age out on a cycle of up to 30 days; we do not restore them into production systems without checking for prior deletion requests.
- Accounting documents — for the period required by law (in Poland, 5 years from the end of the tax year).
- Notification emails — cleaned up on a 12-month cycle.
9. Your rights (GDPR)
In connection with the processing of your data, you have the following rights:
- Right of access — you may request a copy of the data we process about you.
- Right to rectification — you may request correction of inaccurate data.
- Right to erasure — you may request deletion of your data (right to be forgotten).
- Right to data portability — you may receive your data in a machine-readable format.
- Right to restriction of processing — in certain circumstances.
- Right to object — you may object to processing based on legitimate interest.
- Right to withdraw consent — at any time, where we process data based on consent (e.g. analytics); withdrawal does not affect the lawfulness of earlier processing.
To exercise these rights, write to support@martia.ai or use the in-app option. We confirm receipt within 24 hours and fulfil requests without undue delay, at the latest within one month.
You also have the right to lodge a complaint with a supervisory authority. For Martia, the lead supervisory authority is the President of the Polish Personal Data Protection Office (UODO); you may also contact the authority in your country of residence.
10. Deleting your account and data
You can delete your account and data yourself in the app (Settings → Delete account and data) or at https://martia.ai/delete-account.
Once we receive your request, we block the account, cancel any active subscription, and permanently delete data from our active systems and from our providers: from Auth0, from PostHog, from Google Cloud storage, and we revoke the session with the bank provider. We retain Stripe invoices for the period required by tax law. Backups age out on a cycle of up to 30 days.
11. Security
We implement appropriate technical and organizational measures to protect your data against unauthorized access, loss, or destruction. All data is transmitted exclusively over encrypted HTTPS connections.
The bank connection operates in read-only mode — we never know your banking password and cannot perform transactions on your account.
12. Cookies and analytics
We use technical cookies and browser storage required for session management and sign-in. In addition, only after you give consent, we use product analytics (PostHog, EU Cloud), which you can turn on or off in the app. We do not use advertising or tracking cookies and do not sell data.
13. Changes to this policy
We will notify you of material changes in advance — in the app or by email — explaining what the change involves. This policy is informational and is not a contract; continued use of the app does not constitute “acceptance” of its contents.
Version 2026-07-11 replaces the document dated 2025-01-01.
Last updated: July 11, 2026