Privacy Policy
Last Updated: March 5, 2026 | Effective Date: March 5, 2026
1. Data Controller
The data controller responsible for your personal data is:
- Company: FinoAI
- Website: https://finoai.app
- Email: info@finoai.app
- General Contact: fino.ai.team@gmail.com
Data Protection Officer (DPO)
In accordance with GDPR Articles 37-39, our Data Protection Officer can be contacted at:
- Email: info@finoai.app
- Response Time: Within 30 days of receiving your request
The DPO is responsible for overseeing our data protection strategy, ensuring compliance with GDPR requirements, and serving as the point of contact for data subjects and supervisory authorities.
2. What Data We Collect
We collect and process the following categories of personal data:
| Data Category | Specific Data | Purpose | Legal Basis |
|---|---|---|---|
| Account Data | First name, last name, email address, password (hashed) | Account creation and authentication | Contract performance |
| Profile Data | Phone number, date of birth, profile photo, country | Personalization and account management | Consent |
| Financial Data | Income, expenses, budgets, savings goals, transactions | Core app functionality — financial management | Contract performance |
| Authentication Data | JWT tokens, refresh tokens, 2FA secret keys, biometric preferences | Secure authentication and session management | Legitimate interest (security) |
| Device Data | FCM token, device type | Push notifications | Consent |
| Third-Party Auth | Google ID (if using Google Sign-In) | Alternative authentication method | Consent |
| Technical Data | IP address, browser type, access logs | Security monitoring and troubleshooting | Legitimate interest (security) |
3. How We Use Your Data
We use your personal data for the following purposes:
- Provide our services: To operate the FinoAI financial management application, including budget tracking, goal setting, expense management, and financial insights.
- Account management: To create and manage your account, verify your identity, and handle authentication.
- Communication: To send you service-related notifications, security alerts, and (with your consent) marketing communications.
- Security: To protect your account and our systems from unauthorized access, fraud, and abuse.
- Improvement: To analyze usage patterns and improve our application's features and performance.
- Legal compliance: To comply with applicable laws, regulations, and legal processes.
4. Data Retention
We retain your personal data only as long as necessary for the purposes described above:
- Active accounts: Data is retained as long as your account remains active.
- Deactivated accounts: Data is retained for 12 months after deactivation, after which it is permanently deleted.
- Deleted accounts: Personal data is anonymized immediately upon account deletion. Financial data associated with the anonymized account is retained for 30 days before permanent deletion.
- Server logs: Technical logs are retained for 90 days.
- Backup data: Encrypted backups are retained for 30 days and then permanently purged.
5. Data Security
We implement appropriate technical and organizational measures to protect your personal data:
- Encryption in transit: All data is transmitted over TLS/SSL (HTTPS).
- Password hashing: Passwords are hashed using PBKDF2-HMAC-SHA256 (industry standard).
- JWT authentication: Secure token-based authentication with HMAC-SHA256 signing.
- Two-Factor Authentication: Optional TOTP-based 2FA with Google Authenticator.
- Biometric authentication: Optional fingerprint/Face ID support (data stays on your device).
- Account lockout: Automatic lockout after 5 failed login attempts.
- Structured logging: Security events are monitored and logged.
6. Your Rights Under GDPR
If you are a resident of the European Economic Area (EEA), you have the following rights:
6.1 Right of Access (Article 15)
You have the right to request a copy of your personal data that we hold. Contact us at info@finoai.app to make a request.
6.2 Right to Rectification (Article 16)
You can update your personal information at any time through the Profile section of the app.
6.3 Right to Erasure (Article 17)
You can delete your account through the app's Account & Security settings. Upon deletion, your personal data will be anonymized and your account will be permanently deactivated.
6.4 Right to Restrict Processing (Article 18)
You can deactivate your account at any time through the Account & Security settings, which will temporarily restrict all processing of your data.
6.5 Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format. Contact us at info@finoai.app to request a data export.
6.6 Right to Object (Article 21)
You may object to the processing of your data for certain purposes, including direct marketing. You can manage your notification preferences within the app.
6.7 Right to Withdraw Consent (Article 7)
Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
7. Data Sharing and Third Parties
We do not sell your personal data. We may share data with the following third-party services:
| Service Provider | Purpose | Data Shared |
|---|---|---|
| Google (Firebase Cloud Messaging) | Push notifications | Device token |
| Google (Sign-In) | Authentication | Email, name (with consent) |
| Gmail SMTP | Email delivery | Email address |
8. International Data Transfers
Our servers are located in Europe. If your data is transferred outside the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.
9. Cookies and Tracking
Our website (finoai.app) uses cookies for:
- Essential cookies: Required for authentication and session management.
- Analytics cookies: To understand how visitors use our website (only with your consent).
You can manage cookie preferences through the cookie consent banner displayed on our website.
10. Children's Privacy
FinoAI is not intended for users under the age of 16. We do not knowingly collect personal data from children. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete such data.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes through the app or via email. The "Last Updated" date at the top indicates the latest revision.
12. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us:
- Email: info@finoai.app
- General Inquiries: fino.ai.team@gmail.com
- Website: https://finoai.app
13. Right to Complain
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement.