How Finovoo collects, uses, and protects your personal data. Compliant with GDPR, UK GDPR, and international data protection standards.
π Effective: January 1, 2025π Last updated: May 15, 2025
1. Introduction
Finovoo Inc. ("Finovoo", "we", "us") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use the Finovoo platform and services.
This policy applies to all users of Finovoo worldwide, including users in the European Economic Area (EEA), United Kingdom, and other jurisdictions with data protection regulations. Where applicable, we comply with the General Data Protection Regulation (GDPR), the UK GDPR, and other relevant data protection laws.
2. Data controller
Finovoo Inc. is the data controller responsible for your personal data. This means we determine the purposes and means of processing your personal data.
If you are in the EU/EEA and wish to exercise your rights under the GDPR, you may contact our Data Protection Officer directly at [email protected].
3. Data we collect
We collect only the data necessary to provide and improve the Finovoo service. Here is a complete list of the categories of data we process:
Account information β your name, email address, and password hash when you create an account. If you use SSO, we receive your name and email from the identity provider
Financial data β expense descriptions, amounts, currencies, categories, and receipt images you upload. This is the core data you create in Finovoo
Group data β group names, member lists, and shared expense records between group members
Payment information β if you subscribe to a paid plan, our payment processor (Stripe) handles your card details. We only store your subscription status and billing history, never your full card number
Usage data β how you interact with Finovoo: features used, pages visited, buttons clicked, and time spent. This is collected through analytics cookies (with your consent)
Device data β browser type, operating system, screen resolution, IP address, and approximate location (city-level) derived from your IP address
Communications β messages you send to our support team, feedback submissions, and survey responses
Fino Card data β if you use Fino Card, we process transaction amounts, merchant names, categories, and timestamps for each card transaction
4. Legal basis for processing (GDPR)
Under the GDPR, we must have a legal basis for each type of data processing. Here are the legal bases we rely on:
Contract performance β processing your account data, financial data, and group data is necessary to provide the Finovoo service you signed up for (Article 6(1)(b))
Legitimate interests β we process usage data and device data to improve the product, prevent fraud, and ensure security. We have conducted a legitimate interests assessment to ensure our interests do not override your rights (Article 6(1)(f))
Consent β we process analytics cookies and optional marketing communications only with your explicit consent, which you can withdraw at any time (Article 6(1)(a))
Legal obligation β we may process and retain certain data to comply with tax reporting requirements, anti-money laundering regulations, or court orders (Article 6(1)(c))
5. How we use your data
We use your personal data for the following specific purposes:
Provide the service β create and manage your account, process expenses, calculate splits, and facilitate settlements
Fino Card β issue virtual cards, process transactions, enforce spend controls, and reconcile expenses
Fino Agent β run AI-powered expense auditing, anomaly detection, categorization, and policy compliance checks on your expense data
Receipt scanning β use AI/OCR to extract data from receipt images you upload. Receipt images are processed and stored securely
Improve the product β analyze aggregated, anonymized usage patterns to identify bugs, prioritize features, and improve the user experience
Security β detect and prevent fraud, unauthorized access, and abuse of the platform
Communications β send transactional emails (receipts, settlement reminders, account alerts) and, with your consent, product updates
Legal compliance β comply with applicable laws, regulations, and legal processes
6. Data sharing & third parties
We do not sell your personal data. We do not share your data with advertisers. We only share data with third parties when necessary to operate the service:
Group members β expense data you create in a shared group is visible to other members of that group. This is a core function of the service
Payment processors β Stripe processes payments on our behalf. They receive the minimum data necessary for billing (email, subscription plan)
Cloud infrastructure β our platform is hosted on cloud infrastructure that stores your data in encrypted form. Our hosting provider processes data under a Data Processing Agreement (DPA)
AI/OCR services β receipt images may be processed by our AI service to extract text. Images are processed transiently and not retained by the AI provider
Analytics β with your consent, anonymized usage data is processed by our analytics provider to generate aggregated insights
Legal requirements β we may disclose data if required by law, court order, or regulatory authority
Business transfers β in the event of a merger, acquisition, or sale of assets, your data may be transferred as part of the transaction. We will notify you before your data is subject to a different privacy policy
7. Data security
We implement industry-standard technical and organizational measures to protect your personal data:
Encryption at rest β all stored data is encrypted using AES-256 encryption
Encryption in transit β all data transmitted between your device and our servers uses TLS 1.3
Access controls β employee access to personal data is restricted on a need-to-know basis and protected by multi-factor authentication
Infrastructure security β our cloud infrastructure is hosted in certified data centers with physical security, redundancy, and disaster recovery
Regular audits β we conduct regular security assessments and penetration testing
Incident response β we maintain an incident response plan and will notify affected users and authorities within 72 hours of discovering a personal data breach, as required by GDPR
8. Data retention
We retain your data only for as long as necessary to fulfill the purposes described in this policy:
Active account β your data is retained for the duration of your account
After deletion β when you delete your account, personal data is removed within 30 days. Some data may be retained longer if required by law (e.g., financial records for tax compliance)
Backup retention β encrypted backups are retained for 90 days after account deletion, then permanently destroyed
Analytics data β anonymized, aggregated analytics data that cannot identify you may be retained indefinitely for product improvement
Legal holds β if we are required to preserve data for legal proceedings, retention periods may be extended until the matter is resolved
9. Your rights (GDPR)
Under the GDPR and applicable data protection laws, you have the following rights regarding your personal data. You can exercise these rights at any time by contacting us at [email protected] or through your account settings:
Right of access β request a copy of all personal data we hold about you. We will provide it in a machine-readable format within 30 days
Right to rectification β request correction of inaccurate or incomplete personal data
Right to erasure ("right to be forgotten") β request deletion of your personal data. We will comply unless we have a legal obligation to retain it
Right to restrict processing β request that we limit how we use your data while a complaint is being resolved
Right to data portability β receive your data in a structured, machine-readable format (JSON or CSV) and transmit it to another service
Right to object β object to processing based on legitimate interests. We will stop unless we have compelling legitimate grounds
Right to withdraw consent β withdraw consent for any processing based on consent (e.g., analytics cookies) at any time without affecting the lawfulness of prior processing
Right to lodge a complaint β file a complaint with your local data protection authority (e.g., CNIL in France, ICO in the UK)
Export your data
You can export all your Finovoo data at any time from Settings β Data & Privacy β Export Data. The export includes all expenses, receipts, groups, and account information in CSV and JSON formats.
10. International data transfers
Finovoo operates globally. Your data may be transferred to and processed in countries outside your country of residence, including countries that may not provide the same level of data protection as your home country.
When we transfer data outside the EEA/UK, we ensure appropriate safeguards are in place:
Standard Contractual Clauses (SCCs) β we use EU-approved SCCs with all service providers who process EEA/UK data outside of these regions
Adequacy decisions β where available, we transfer data to countries that the European Commission has determined provide adequate data protection
Additional safeguards β we implement supplementary technical measures (encryption, pseudonymization) as recommended by the EDPB
11. Children's privacy
Finovoo is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If we learn that we have collected data from a child under 16, we will delete that data promptly.
If you are a parent or guardian and believe your child has provided us with personal data, please contact us at [email protected].
12. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and through a prominent notice in the Finovoo app at least 30 days before the changes take effect.
We encourage you to review this policy periodically. Your continued use of Finovoo after the effective date of a revised policy constitutes your acceptance of the changes.
13. Contact us
For any questions about this Privacy Policy or to exercise your data protection rights:
If you are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority. For EU residents, you can find your authority at edpb.europa.eu.