Privacy Policy
Last updated: 2026-06-23
1. Introduction
Bibiis ("we", "us", or "our") is a personal finance management platform operated by NVP Tech Srls, a company registered in Italy. Bibiis provides account aggregation, budgeting, financial analytics, and AI-powered financial coaching services through our mobile application and web platform at bibiis.it.
This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use our services. We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR), the revised Payment Services Directive (PSD2), and all applicable data protection laws.
By using Bibiis, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our services.
2. Data Controller
The data controller responsible for your personal data is:
NVP Tech Srls
Registered office: Piazza Aldo Moro 33, 70122 Bari, Italy
VAT no. / Tax code (P. IVA / C.F. / Registro Imprese Bari): 09139340724
REA: BA-674327
Certified email (PEC): nvptech@pec.it
Email: privacy@bibiis.it
Website: bibiis.it
If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at the email address above.
3. Data We Collect
We collect and process the following categories of personal data:
3.1 Account Information
When you register for Bibiis, we collect:
- Name: your full name as provided during registration
- Email address: used for account authentication and communications
- Password: stored in hashed form; we never store plain-text passwords
- Preferred currency and language: to personalize your experience
3.2 Financial Data
When you connect your bank accounts through our open banking integration, we access:
- Account details: account names, types, balances, and IBANs or other account identifiers
- Transaction history: transaction amounts, dates, descriptions, merchant information, and categories
- Account holder information: as provided by your bank through the open banking API
Financial data is accessed through licensed Account Information Service Providers (AISPs) in compliance with PSD2 regulations. We only access your data with your explicit consent, and you can revoke access at any time. You may also add financial data manually or by uploading documents, in which case we process the information you provide.
3.3 Usage Data
We automatically collect certain technical and usage information:
- Device information: device type, operating system, and app version
- Log data: access times, features used, and interaction patterns
- Analytics data: aggregated usage statistics to improve our services
3.4 AI Interaction Data
When you use our AI-powered financial coaching features, we process:
- Chat messages: your questions and conversations with our AI assistant
- Financial context: relevant financial data used to generate personalized insights
4. How We Use Your Data
We process your personal data for the following purposes:
- Service delivery: to provide account aggregation, budgeting, net worth tracking, and financial analytics
- AI-powered insights: to generate personalized financial coaching, spending predictions, and recommendations
- Transaction processing: to categorize, normalize, and analyze your transactions for budgeting and reporting
- Security: to detect fraud, prevent unauthorized access, and ensure the integrity of your account
- Communications: to send you service-related notifications, updates, and support responses
- Service improvement: to analyze usage patterns and improve our platform features and performance
- Legal compliance: to meet our regulatory obligations under GDPR, PSD2, and applicable financial regulations
5. Legal Basis for Processing
We process your personal data based on the following legal grounds under Article 6 of the GDPR:
- Consent (Art. 6(1)(a)): for connecting bank accounts via open banking and for AI-powered financial coaching features. You may withdraw consent at any time
- Contract performance (Art. 6(1)(b)): to provide the services you have requested, including account management, budgeting, and financial analytics
- Legitimate interest (Art. 6(1)(f)): for service improvement, security measures, and fraud prevention, where our interests do not override your rights
- Legal obligation (Art. 6(1)(c)): to comply with applicable laws and regulations, including financial services regulations
6. Third-Party Service Providers
We work with carefully selected third-party providers who process data on our behalf as data processors under Article 28 of the GDPR, bound by contract to process your data only on our instructions and to protect it with appropriate security measures. We describe them below by category.
6.1 Open Banking Providers
We use licensed Account Information Service Providers (AISPs) regulated under PSD2 to securely connect to your bank accounts. These providers access your financial data only with your explicit consent and are contractually bound to process it solely to provide account information services to Bibiis.
6.2 Cloud Infrastructure
We use third-party cloud infrastructure providers for database hosting, authentication, and application hosting. Your account and financial data are stored in data centres located within the European Economic Area (EEA).
6.3 Artificial Intelligence Providers
To categorize your transactions and to power our AI financial assistant, certain data (primarily transaction descriptions, amounts, and categories, and your chat messages) is processed by third-party providers of artificial intelligence services. We minimize the data shared and never send your bank login credentials or authentication data. These providers act as data processors under our instructions and do not use your data to train their models. Part of this processing may take place outside the European Economic Area (in the United States); where this occurs, the transfer is governed by Standard Contractual Clauses (SCCs) approved by the European Commission to ensure an adequate level of protection.
6.4 Email and Communications
We use a third-party email delivery provider, based in the European Union, to send service-related and transactional emails (such as purchase confirmations and account notifications). This provider processes your email address and the content of those messages solely to deliver them on our behalf.
6.5 Analytics
We may use analytics services to understand how users interact with our platform. Any analytics data is aggregated and anonymized where possible.
7. Automated Decision-Making
Bibiis does not take decisions that produce legal effects concerning you, or that similarly significantly affect you, based solely on automated processing. AI-generated categorizations, insights, and answers are tools to help you understand your finances; every financial decision remains yours.
8. Data Sharing and Transfers
We do not sell, rent, or trade your personal data to third parties for marketing purposes.
We may share your data in the following limited circumstances:
- Service providers: with the third-party providers described in Section 6, acting as data processors under our instructions
- Legal requirements: when required by law, regulation, or valid legal process
- Safety and security: to protect the rights, safety, and property of Bibiis, our users, or the public
- Business transfers: in connection with a merger, acquisition, or sale of assets, with prior notice to affected users
Your account and financial data are stored within the European Economic Area (EEA). Where specific processing operations (such as the AI processing described in Section 6.3) involve a transfer of data outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or an adequacy decision.
9. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes described in this policy:
- Account data: retained for the duration of your account and deleted within 30 days of account closure
- Financial data: transaction data is retained while your account is active and for up to 12 months after disconnecting a bank account, unless longer retention is required by law
- AI interaction data: chat history is retained while your account is active and deleted upon account closure
- Usage and analytics data: retained in anonymized form for up to 24 months for service improvement purposes
You may request earlier deletion of your data at any time by contacting us at privacy@bibiis.it.
10. Data Security
We implement robust technical and organizational measures to protect your personal data, including:
- Encryption of data in transit (TLS) and at rest
- Secure authentication with hashed passwords and support for multi-factor authentication
- Regular security assessments and monitoring
- Access controls ensuring only authorized personnel can access personal data
- Secure API communications with our banking and AI service providers
While we take every reasonable precaution, no system is completely secure. We encourage you to use a strong, unique password, to enable multi-factor authentication where available, and to contact us immediately if you suspect unauthorized access to your account.
11. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights:
- Right of access (Art. 15): request a copy of the personal data we hold about you
- Right to rectification (Art. 16): request correction of inaccurate or incomplete data
- Right to erasure (Art. 17): request deletion of your personal data ("right to be forgotten")
- Right to restrict processing (Art. 18): request limitation of how we process your data
- Right to data portability (Art. 20): receive your data in a structured, machine-readable format
- Right to object (Art. 21): object to processing based on legitimate interests
- Right to withdraw consent: withdraw consent at any time for processing based on consent, without affecting the lawfulness of prior processing
To exercise any of these rights, please contact us at privacy@bibiis.it. We will respond to your request within 30 days.
You also have the right to lodge a complaint with your local data protection authority. In Italy, this is the <a href="https://www.garanteprivacy.it" target="_blank" rel="noopener">Garante per la protezione dei dati personali</a>.
12. Open Banking and PSD2 Compliance
Bibiis accesses your bank account data through licensed AISPs regulated under the revised Payment Services Directive (PSD2). Key principles of our open banking practices:
- Explicit consent: We only access your financial data after you provide explicit, informed consent through a secure authentication process with your bank
- Limited access: We access only account information (balances and transactions). We cannot initiate payments or modify your accounts
- Revocable access: You can disconnect any linked bank account at any time through the Bibiis app, immediately revoking our access to new data from that account
- Regulated providers: Our AISP partners are licensed and supervised by relevant financial authorities and comply with all PSD2 requirements, including strong customer authentication (SCA)
13. Cookies and Tracking Technologies
Our website (bibiis.it) may use essential cookies to ensure proper functionality. We do not use advertising or tracking cookies. If we introduce non-essential cookies in the future, we will update this policy and obtain your consent before placing them.
14. Children's Privacy
Bibiis is designed for users aged 18 and older. We do not knowingly collect personal data from children under 18. If we become aware that we have collected data from a minor, we will take steps to delete it promptly.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable laws. We will notify you of material changes through the app or by email. The "Last updated" date at the top of this policy indicates when it was last revised.
We encourage you to review this Privacy Policy periodically.
16. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
NVP Tech Srls
Email: privacy@bibiis.it
Website: bibiis.it