Legal

Privacy Policy

How Finovoo collects, uses, and protects your personal data. Compliant with GDPR, UK GDPR, and international data protection standards.

πŸ“… Effective: January 1, 2025πŸ“ Last updated: May 15, 2025

1. Introduction

Finovoo Inc. ("Finovoo", "we", "us") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use the Finovoo platform and services.

This policy applies to all users of Finovoo worldwide, including users in the European Economic Area (EEA), United Kingdom, and other jurisdictions with data protection regulations. Where applicable, we comply with the General Data Protection Regulation (GDPR), the UK GDPR, and other relevant data protection laws.

2. Data controller

Finovoo Inc. is the data controller responsible for your personal data. This means we determine the purposes and means of processing your personal data.

If you are in the EU/EEA and wish to exercise your rights under the GDPR, you may contact our Data Protection Officer directly at [email protected].

3. Data we collect

We collect only the data necessary to provide and improve the Finovoo service. Here is a complete list of the categories of data we process:

  • Account information β€” your name, email address, and password hash when you create an account. If you use SSO, we receive your name and email from the identity provider
  • Financial data β€” expense descriptions, amounts, currencies, categories, and receipt images you upload. This is the core data you create in Finovoo
  • Group data β€” group names, member lists, and shared expense records between group members
  • Payment information β€” if you subscribe to a paid plan, our payment processor (Stripe) handles your card details. We only store your subscription status and billing history, never your full card number
  • Usage data β€” how you interact with Finovoo: features used, pages visited, buttons clicked, and time spent. This is collected through analytics cookies (with your consent)
  • Device data β€” browser type, operating system, screen resolution, IP address, and approximate location (city-level) derived from your IP address
  • Communications β€” messages you send to our support team, feedback submissions, and survey responses
  • Fino Card data β€” if you use Fino Card, we process transaction amounts, merchant names, categories, and timestamps for each card transaction

5. How we use your data

We use your personal data for the following specific purposes:

  • Provide the service β€” create and manage your account, process expenses, calculate splits, and facilitate settlements
  • Fino Card β€” issue virtual cards, process transactions, enforce spend controls, and reconcile expenses
  • Fino Agent β€” run AI-powered expense auditing, anomaly detection, categorization, and policy compliance checks on your expense data
  • Receipt scanning β€” use AI/OCR to extract data from receipt images you upload. Receipt images are processed and stored securely
  • Improve the product β€” analyze aggregated, anonymized usage patterns to identify bugs, prioritize features, and improve the user experience
  • Security β€” detect and prevent fraud, unauthorized access, and abuse of the platform
  • Communications β€” send transactional emails (receipts, settlement reminders, account alerts) and, with your consent, product updates
  • Legal compliance β€” comply with applicable laws, regulations, and legal processes

6. Data sharing & third parties

We do not sell your personal data. We do not share your data with advertisers. We only share data with third parties when necessary to operate the service:

  • Group members β€” expense data you create in a shared group is visible to other members of that group. This is a core function of the service
  • Payment processors β€” Stripe processes payments on our behalf. They receive the minimum data necessary for billing (email, subscription plan)
  • Cloud infrastructure β€” our platform is hosted on cloud infrastructure that stores your data in encrypted form. Our hosting provider processes data under a Data Processing Agreement (DPA)
  • AI/OCR services β€” receipt images may be processed by our AI service to extract text. Images are processed transiently and not retained by the AI provider
  • Analytics β€” with your consent, anonymized usage data is processed by our analytics provider to generate aggregated insights
  • Legal requirements β€” we may disclose data if required by law, court order, or regulatory authority
  • Business transfers β€” in the event of a merger, acquisition, or sale of assets, your data may be transferred as part of the transaction. We will notify you before your data is subject to a different privacy policy

7. Data security

We implement industry-standard technical and organizational measures to protect your personal data:

  • Encryption at rest β€” all stored data is encrypted using AES-256 encryption
  • Encryption in transit β€” all data transmitted between your device and our servers uses TLS 1.3
  • Access controls β€” employee access to personal data is restricted on a need-to-know basis and protected by multi-factor authentication
  • Infrastructure security β€” our cloud infrastructure is hosted in certified data centers with physical security, redundancy, and disaster recovery
  • Regular audits β€” we conduct regular security assessments and penetration testing
  • Incident response β€” we maintain an incident response plan and will notify affected users and authorities within 72 hours of discovering a personal data breach, as required by GDPR

8. Data retention

We retain your data only for as long as necessary to fulfill the purposes described in this policy:

  • Active account β€” your data is retained for the duration of your account
  • After deletion β€” when you delete your account, personal data is removed within 30 days. Some data may be retained longer if required by law (e.g., financial records for tax compliance)
  • Backup retention β€” encrypted backups are retained for 90 days after account deletion, then permanently destroyed
  • Analytics data β€” anonymized, aggregated analytics data that cannot identify you may be retained indefinitely for product improvement
  • Legal holds β€” if we are required to preserve data for legal proceedings, retention periods may be extended until the matter is resolved

9. Your rights (GDPR)

Under the GDPR and applicable data protection laws, you have the following rights regarding your personal data. You can exercise these rights at any time by contacting us at [email protected] or through your account settings:

  • Right of access β€” request a copy of all personal data we hold about you. We will provide it in a machine-readable format within 30 days
  • Right to rectification β€” request correction of inaccurate or incomplete personal data
  • Right to erasure ("right to be forgotten") β€” request deletion of your personal data. We will comply unless we have a legal obligation to retain it
  • Right to restrict processing β€” request that we limit how we use your data while a complaint is being resolved
  • Right to data portability β€” receive your data in a structured, machine-readable format (JSON or CSV) and transmit it to another service
  • Right to object β€” object to processing based on legitimate interests. We will stop unless we have compelling legitimate grounds
  • Right to withdraw consent β€” withdraw consent for any processing based on consent (e.g., analytics cookies) at any time without affecting the lawfulness of prior processing
  • Right to lodge a complaint β€” file a complaint with your local data protection authority (e.g., CNIL in France, ICO in the UK)
Export your data

You can export all your Finovoo data at any time from Settings β†’ Data & Privacy β†’ Export Data. The export includes all expenses, receipts, groups, and account information in CSV and JSON formats.

10. International data transfers

Finovoo operates globally. Your data may be transferred to and processed in countries outside your country of residence, including countries that may not provide the same level of data protection as your home country.

When we transfer data outside the EEA/UK, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) β€” we use EU-approved SCCs with all service providers who process EEA/UK data outside of these regions
  • Adequacy decisions β€” where available, we transfer data to countries that the European Commission has determined provide adequate data protection
  • Additional safeguards β€” we implement supplementary technical measures (encryption, pseudonymization) as recommended by the EDPB

11. Children's privacy

Finovoo is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If we learn that we have collected data from a child under 16, we will delete that data promptly.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us at [email protected].

12. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and through a prominent notice in the Finovoo app at least 30 days before the changes take effect.

We encourage you to review this policy periodically. Your continued use of Finovoo after the effective date of a revised policy constitutes your acceptance of the changes.

13. Contact us

For any questions about this Privacy Policy or to exercise your data protection rights:

Privacy & data rights
[email protected]
Data Protection Officer
[email protected]
General support
[email protected]

If you are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority. For EU residents, you can find your authority at edpb.europa.eu.