Privacy Policy

This Privacy Policy explains how FinPM ("we", "us", or "our") collects, uses, discloses, and protects your personal data when you use our personal finance management application in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

Effective Date: January 11, 2026

Contents

  1. Data Controller
  2. Personal Data We Collect
  3. Legal Basis for Processing
  4. How We Use Your Data
  5. Third-Party Data Processors
  6. Data Retention
  7. Your Rights Under GDPR
  8. International Data Transfers
  9. Security Measures
  10. Children's Privacy
  11. Changes to This Policy
  12. Contact Information

1. Data Controller

The data controller responsible for your personal data is:

Facundo Cosimo

Operating as FinPM

Brussels, Belgium

Contact:

Email: privacy@finpm.eu

Supervisory Authority:

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. The lead supervisory authority for FinPM is the Autorité de protection des données (APD) / Gegevensbeschermingsautoriteit (GBA) (Belgium): https://www.dataprotectionauthority.be

2. Personal Data We Collect

We collect the following categories of personal data when you use our service:

2.1 Account Information

  • Email address — Required for account creation and authentication
  • Name — For personalization (optional)
  • Country of residence — To determine applicable regulations and default currency
  • Date of birth — Optional profile information
  • Timezone — For accurate transaction timestamps

2.2 Financial Data

The following data is collected only when you explicitly provide it through manual import:

  • Bank account names, types, and balances
  • Transaction history including dates, amounts, descriptions, and merchant information
  • Categories, budgets, and financial goals you create
  • Recurring transaction patterns

Important: We do not have direct access to your bank accounts. All financial data is provided by you through manual statement uploads. We do not store bank credentials or account numbers.

2.3 Usage Data

  • Device information (browser type, operating system)
  • Log data (anonymized IP address, access times, pages viewed)
  • Feature usage patterns (which features you use and how often)

2.4 AI-Processed Data

We use artificial intelligence to categorize transactions. The AI processes transaction descriptions and amounts only. The AI never has access to your bank credentials, raw account numbers, or complete financial statements.

3. Legal Basis for Processing

Under GDPR Article 6, we process your personal data based on the following legal grounds:

Data Type                          | Legal Basis                          | Purpose
-----------------------------------|--------------------------------------|------------------------------------
Email address, password hash       | Contract (Art. 6(1)(b))              | Account creation and authentication
Name, date of birth, country       | Consent (Art. 6(1)(a))               | Profile personalization
Financial data                     | Contract (Art. 6(1)(b))              | Providing the core service
Transaction categorization via AI  | Legitimate Interest (Art. 6(1)(f))   | Service improvement and automation
Household sharing                  | Consent (Art. 6(1)(a))               | Joint financial management

Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

4. How We Use Your Data

We process your personal data for the following purposes only:

  • Service Delivery: Importing accounts, tracking transactions, calculating budgets, and generating financial insights
  • AI Categorization: Automatically categorizing transactions using machine learning to reduce manual effort
  • Household Features: Enabling shared financial management with household members who have consented
  • Communications: Sending essential account-related notifications (password resets, security alerts)
  • Security: Detecting and preventing unauthorized access, fraud, and abuse
  • Improvement: Analyzing anonymized usage patterns to improve features

We do not:

  • Sell your personal data to third parties
  • Share your data with advertisers or data brokers
  • Use your data for purposes unrelated to providing the service
  • Make automated decisions with legal or significant effects without human oversight

5. Third-Party Data Processors

We engage carefully selected third-party service providers who process data on our behalf. All processors are bound by Data Processing Agreements ensuring GDPR compliance and are reviewed annually.

Provider               | Purpose                                                                    | Data Location
-----------------------|----------------------------------------------------------------------------|------------------------------
Railway                | Backend infrastructure and database hosting                                | Amsterdam, Netherlands (EU)
Google Cloud (Gemini)  | AI transaction categorization                                              | European Union region
Vercel                 | Frontend hosting                                                           | Frankfurt, Germany (EU)
Resend                 | Transactional email delivery                                               | European Union region
Sentry                 | Error tracking and performance monitoring (no financial data processed)    | European Union region

We maintain signed Data Processing Agreements with all sub-processors and will notify you of any changes to this list.

6. Data Retention

We retain personal data only as long as necessary for the purposes described:

Data Type         | Retention Period
------------------|-----------------------------------------------------------------------------
Account data      | Duration of account, plus 30 days after deletion request
Transaction data  | Duration of account (you may delete individual transactions at any time)
Usage logs        | 90 days (anonymized thereafter)
Backup data       | 30 days after primary data deletion

7. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights regarding your personal data:

  • Right of Access (Article 15): You may request a copy of all personal data we hold about you.
  • Right to Rectification (Article 16): You may request correction of inaccurate or incomplete personal data.
  • Right to Erasure (Article 17): You may request deletion of your personal data ("right to be forgotten").
  • Right to Restriction (Article 18): You may request we restrict processing of your data in certain circumstances.
  • Right to Data Portability (Article 20): You may request your data in a machine-readable format (JSON or CSV).
  • Right to Object (Article 21): You may object to processing based on legitimate interests.
  • Rights related to automated decision-making (Article 22): You have the right not to be subject to decisions based solely on automated processing.

To exercise these rights, contact us at privacy@finpm.eu. We will respond within 30 days as required by GDPR. You also have the right to lodge a complaint with a supervisory authority (specifically the Autorité de protection des données / Gegevensbeschermingsautoriteit).

8. International Data Transfers

All personal data is stored and processed within the European Economic Area (EEA). Our primary infrastructure is located in Amsterdam, Netherlands and Frankfurt, Germany.

In rare cases where data must be transferred outside the EEA (such as for technical support), we ensure appropriate safeguards are in place:

  • EU-US Data Privacy Framework for US-based services
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Binding Corporate Rules where applicable

9. Security Measures

We implement comprehensive technical and organizational security measures in accordance with GDPR Article 32:

  • Encryption: TLS 1.3 for all data in transit; AES-256 encryption for data at rest
  • Authentication: Secure password hashing, two-factor authentication, session management
  • Access Control: Role-based access control, principle of least privilege
  • Infrastructure: EU-only data centers, network segmentation, automated security patching
  • Monitoring: Comprehensive audit logging, real-time threat detection
  • Incident Response: Documented breach notification procedures, 72-hour notification commitment

10. Children's Privacy

FinPM is not intended for users under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately at privacy@finpm.eu and we will delete such data.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. For material changes:

  • We will notify you via email and/or prominent notice in the application
  • Notification will be provided at least 30 days before changes take effect
  • Continued use after changes become effective constitutes acceptance

12. Contact Information

For privacy-related inquiries or to exercise your data protection rights:

Privacy Inquiries:
Email: privacy@finpm.eu
Response time: Within 30 days as required by GDPR

Data Protection Authority:
You have the right to lodge a complaint with your local supervisory authority (Autorité de protection des données / Gegevensbeschermingsautoriteit) if you believe we have violated your data protection rights.

FinPM

© 2026 All rights reserved.

Last updated: January 2026

Contact: legal@finpm.eu