Privacy Policy

1. Information We Collect

Personal Information

When you create an account, we collect your name, email address, and preferred currency. If you choose to upload a profile photo, we store that as well. We do not require your real name -- you may use any display name you prefer.

Financial Data

To provide our core service, we collect transaction data you enter manually (amounts, descriptions, categories, dates) as well as account balances, budget configurations, income sources, goals, and net worth information. If you connect a bank account via Plaid, we receive transaction history and account balance information from your financial institution.

Usage Data

We automatically collect information about how you interact with the Service, including pages viewed, features used, time spent in the app, and interaction patterns. This data is used to improve the Service and is not sold to third parties.

Device Information

We collect device type, operating system, app version, unique device identifiers, IP address, and browser type. On mobile devices, we may also collect push notification tokens for delivering alerts and reminders you have opted into.

2. How We Use Your Information

Providing the Service

We use your financial data to deliver the core features of Finaps: expense tracking, budgets, reports, goals, and net worth calculations. Your data is the foundation of every feature you use.

AI-Powered Features

If you are a Pro subscriber, we process your transaction data through AI models (OpenAI, Anthropic) to provide automatic categorization, spending insights, anomaly detection, and natural language chat. Your data is sent to these providers solely for processing your request and is not used to train their models. We enforce strict data minimization -- only the minimum context needed is sent.

Improving the Service

Aggregated, anonymized usage data helps us understand how people use Finaps so we can improve performance, fix bugs, and prioritize new features. We never use individual financial data for this purpose.

Communications

We send transactional emails (OTP codes, password resets, billing receipts) via Brevo. You may also opt in to product updates and financial tips. You can unsubscribe from marketing emails at any time through your notification preferences or the unsubscribe link in every email.

3. Data Storage & Security

Your data is stored on MongoDB Atlas with encryption at rest (AES-256) and encrypted in transit (TLS 1.3). Sensitive financial fields -- such as account numbers and bank connection tokens -- are additionally protected with MongoDB Client-Side Field Level Encryption (CSFLE), meaning they are encrypted before they ever leave your device or our application server.

Our infrastructure runs on AWS with data centers in the US and EU. We use Redis with TLS for caching and session management. All file uploads (receipts, avatars) are stored in AWS S3 / Cloudflare R2 with server-side encryption enabled.

Passwords are hashed with bcrypt (cost factor 12) and are never stored in plain text. JWT tokens use RS256 asymmetric signing, and refresh tokens are stored as SHA-256 hashes. We conduct regular security audits and follow OWASP Top 10 guidelines.

4. Third-Party Services

We integrate with the following third-party services to deliver our features. Each provider only receives the minimum data required for its specific function:

5. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access -- Request a copy of all personal data we hold about you.
• Deletion -- Request that we delete your account and all associated data. You can initiate this from your account settings or by contacting us.
• Export -- Download all of your data in a machine-readable format (JSON or CSV) from your account settings at any time.
• Opt-Out -- Disable AI-powered features, marketing emails, and non-essential push notifications from your settings.
• GDPR Rights -- If you are in the EU/EEA, you have additional rights under the General Data Protection Regulation, including the right to rectification, restriction of processing, data portability, and the right to lodge a complaint with your local supervisory authority.

To exercise any of these rights, contact us at privacy@finaps.co. We will respond within 30 days.

6. Data Retention

While your account is active, we retain all data necessary to provide the Service. This includes your transactions, budgets, goals, and other financial records for as long as you need them.

If you delete your account, we initiate a permanent data purge. Your personal and financial data is deleted within 30 days. Backup copies are purged within 90 days. Anonymized, aggregated analytics data that cannot be traced back to you may be retained indefinitely.

Certain data may be retained longer if required by law (e.g., billing records for tax compliance) or to resolve disputes and enforce our agreements.

7. Children's Privacy

Finaps is not intended for use by anyone under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected data from a child under 13, we will take steps to delete that information promptly. If you believe a child under 13 has provided us with personal data, please contact us at privacy@finaps.co.

8. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email and/or a prominent notice within the Service at least 14 days before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was last revised. Your continued use of the Service after the changes take effect constitutes your acceptance of the updated policy.

9. Contact Us

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us: