GDPR Compliant
Privacy Policy
This Privacy Policy explains how FinPM ("we", "us", or "our") collects, uses, discloses, and protects your personal data when you use our personal finance management application in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
Effective Date: January 11, 2026
1. Data Controller
The data controller responsible for your personal data is:
Facundo Cosimo
Operating as FinPM
Brussels, Belgium
Contact:
Email: privacy@finpm.eu
Supervisory Authority:
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. The lead supervisory authority for FinPM is the Autorité de protection des données (APD) / Gegevensbeschermingsautoriteit (GBA) (Belgium): https://www.dataprotectionauthority.be
2. Personal Data We Collect
We collect the following categories of personal data when you use our service:
2.1 Account Information
- Email address — Required for account creation and authentication
- Name — For personalization (optional)
- Country of residence — To determine applicable regulations and default currency
- Date of birth — Optional profile information
- Timezone — For accurate transaction timestamps
2.2 Financial Data
The following data is collected only when you explicitly provide it through manual import:
- Bank account names, types, and balances
- Transaction history including dates, amounts, descriptions, and merchant information
- Categories, budgets, and financial goals you create
- Recurring transaction patterns
Important: We do not have direct access to your bank accounts. All financial data is provided by you through manual statement uploads. We do not store bank credentials or account numbers.
2.3 Usage Data
- Device information (browser type, operating system)
- Log data (anonymized IP address, access times, pages viewed)
- Feature usage patterns (which features you use and how often)
2.4 AI-Processed Data
We use artificial intelligence to categorize transactions. The AI processes transaction descriptions and amounts only. The AI never has access to your bank credentials, raw account numbers, or complete financial statements.
3. Legal Basis for Processing
Under GDPR Article 6, we process your personal data based on the following legal grounds:
| Data Type | Legal Basis | Purpose |
|---|---|---|
| Email address, password hash | Contract (Art. 6(1)(b)) | Account creation and authentication |
| Name, date of birth, country | Consent (Art. 6(1)(a)) | Profile personalization |
| Financial data | Contract (Art. 6(1)(b)) | Providing the core service |
| Transaction categorization via AI | Legitimate Interest (Art. 6(1)(f)) | Service improvement and automation |
| Household sharing | Consent (Art. 6(1)(a)) | Joint financial management |
Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
4. How We Use Your Data
We process your personal data for the following purposes only:
- Service Delivery: Importing accounts, tracking transactions, calculating budgets, and generating financial insights
- AI Categorization: Automatically categorizing transactions using machine learning to reduce manual effort
- Household Features: Enabling shared financial management with household members who have consented
- Communications: Sending essential account-related notifications (password resets, security alerts)
- Security: Detecting and preventing unauthorized access, fraud, and abuse
- Improvement: Analyzing anonymized usage patterns to improve features
We do not:
- Sell your personal data to third parties
- Share your data with advertisers or data brokers
- Use your data for purposes unrelated to providing the service
- Make automated decisions with legal or significant effects without human oversight
5. Third-Party Data Processors
We engage carefully selected third-party service providers who process data on our behalf. All processors are bound by Data Processing Agreements ensuring GDPR compliance and are reviewed annually.
| Provider | Purpose | Data Location |
|---|---|---|
| Railway | Backend infrastructure and database hosting | Amsterdam, Netherlands (EU) |
| Google Cloud (Gemini) | AI transaction categorization | European Union region |
| Vercel | Frontend hosting | Frankfurt, Germany (EU) |
| Resend | Transactional email delivery | European Union region |
| Sentry | Error tracking and performance monitoring (no financial data processed) | European Union region |
We maintain signed Data Processing Agreements with all sub-processors and will notify you of any changes to this list.
6. Data Retention
We retain personal data only as long as necessary for the purposes described:
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account, plus 30 days after deletion request |
| Transaction data | Duration of account (you may delete individual transactions at any time) |
| Usage logs | 90 days (anonymized thereafter) |
| Backup data | 30 days after primary data deletion |
7. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights regarding your personal data:
- Right of Access (Article 15): You may request a copy of all personal data we hold about you.
- Right to Rectification (Article 16): You may request correction of inaccurate or incomplete personal data.
- Right to Erasure (Article 17): You may request deletion of your personal data ("right to be forgotten").
- Right to Restriction (Article 18): You may request we restrict processing of your data in certain circumstances.
- Right to Data Portability (Article 20): You may request your data in a machine-readable format (JSON or CSV).
- Right to Object (Article 21): You may object to processing based on legitimate interests.
- Rights related to automated decision-making (Article 22): You have the right not to be subject to decisions based solely on automated processing.
To exercise these rights, contact us at privacy@finpm.eu. We will respond within 30 days as required by GDPR. You also have the right to lodge a complaint with a supervisory authority (specifically the Autorité de protection des données / Gegevensbeschermingsautoriteit).
8. International Data Transfers
All personal data is stored and processed within the European Economic Area (EEA). Our primary infrastructure is located in Amsterdam, Netherlands and Frankfurt, Germany.
In rare cases where data must be transferred outside the EEA (such as for technical support), we ensure appropriate safeguards are in place:
- EU-US Data Privacy Framework for US-based services
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Binding Corporate Rules where applicable
9. Security Measures
We implement comprehensive technical and organizational security measures in accordance with GDPR Article 32:
- Encryption: TLS 1.3 for all data in transit; AES-256 encryption for data at rest
- Authentication: Secure password hashing, two-factor authentication, session management
- Access Control: Role-based access control, principle of least privilege
- Infrastructure: EU-only data centers, network segmentation, automated security patching
- Monitoring: Comprehensive audit logging, real-time threat detection
- Incident Response: Documented breach notification procedures, 72-hour notification commitment
10. Children's Privacy
FinPM is not intended for users under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately at privacy@finpm.eu and we will delete such data.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. For material changes:
- We will notify you via email and/or prominent notice in the application
- Notification will be provided at least 30 days before changes take effect
- Continued use after changes become effective constitutes acceptance
12. Contact Information
For privacy-related inquiries or to exercise your data protection rights:
Privacy Inquiries:
Email: privacy@finpm.eu
Response time: Within 30 days as required by GDPR
Data Protection Authority:
You have the right to lodge a complaint with your local supervisory authority (Autorité de protection des données / Gegevensbeschermingsautoriteit) if you believe we have violated your data protection rights.