Effective April 26, 2026

Privacy Policy

Finvy is a financial wellness platform. We collect the minimum information needed to help you reduce debt and improve your financial habits. We never sell your data. This policy explains what we collect, why, who we share it with, and how to control it.

1. Information we collect

1.1 Information you provide

• Account details: name, email, password (stored as a hash).
• Financial inputs you enter: debts, balances, APRs, minimum payments, income, pay schedule, safety buffer, primary goal.
• Conversations with the Finvy Coach (if you chat with the in-app assistant).

1.2 Information from connected accounts

If you link a bank or credit card via Plaid, we receive: account balances, account and routing numbers (used only for ACH initiation), recent transactions, and account metadata (institution, account type). We never see or store your bank credentials. Plaid is the system of record for the link; you can revoke access in your settings at any time.

1.3 Information collected automatically

• Device, browser, and IP address (for security and fraud detection).
• Usage events (which features you use; not tied to advertising).
• Cookies necessary to keep you signed in and protect your session.

2. How we use your information

• To deliver the dashboard, recommendations, and AI coaching.
• To initiate payments you explicitly approve.
• To detect and prevent fraud or unauthorized account access.
• To send transactional emails (confirmations, receipts, alerts).
• To improve the product (aggregated analytics, never identified).
• To meet legal, tax, and accounting obligations.

We do not use your financial data to train AI models and we do not share it with advertisers.

3. Service providers we share data with

Finvy uses a small set of vetted vendors. Each receives only what they need to do their job, under contractual confidentiality. As of the effective date above:

• Supabase: stores your account, profile, debts, payments, and conversation history. SOC 2 Type II.
• Vercel: hosts the application. Does not access your financial data; only sees standard web request metadata.
• Plaid: provides the bank-link layer. Subject to Plaid's own privacy policy and end-user terms.
• Google (Gemini): powers the Finvy Coach. We send your financial summary plus your messages with the prompt context; Google does not retain or train on this data per the Gemini API privacy terms.
• Anthropic (Claude): backup AI model. Same data handling; not retained or used for training.
• Stripe (when subscriptions launch): handles billing for Pro plans. Card details never touch our servers.
• Banking-as-a-Service partner (when ACH payments launch): routes the actual payment from your linked account to your creditor.

4. Data retention

• Active account data: retained for the life of your account plus 7 years for financial record-keeping.
• Authentication and security audit logs: 2 years.
• Coach conversation logs: 180 days, deletable from your account at any time.
• Plaid raw webhook payloads: 30 days.
• Deleted accounts: 30-day soft-delete grace period, then hard delete of PII. Pseudonymized financial records may be retained for compliance.

5. Security

• AES-256 encryption at rest, TLS 1.3 in transit.
• Passwords stored as Argon2id hashes with per-user salt.
• Bank credentials never handled directly; Plaid token exchange is the only mechanism.
• Biometric login on supported devices (Face ID, Touch ID, Android biometric).
• Session tokens refreshed every 15 minutes; idle logout at 30 minutes.
• SOC 2 Type II in progress; annual third-party penetration test.

6. Your rights

Regardless of where you live, Finvy users can: access their data, export it as JSON or CSV, request corrections, and delete their account from the Account screen.

6.1 California (CCPA / CPRA)

California residents have the additional right to know which categories of personal information we collect, request deletion, and opt out of any "sale" of personal information. Finvy does not sell personal information; the do-not-sell control is surfaced in Settings as a preventive measure.

6.2 GDPR (EU and UK users)

If you reside in the EU, UK, or EEA, you also have the right to data portability, restriction of processing, and lodging a complaint with your supervisory authority. Email hello@finvysmartbudgeting.com to exercise any of these rights.

7. Children

Finvy is not directed at children under 18 and we do not knowingly collect data from minors. If you believe a minor has created an account, contact hello@finvysmartbudgeting.com and we will remove it.

8. Changes to this policy

We will update this page when our practices materially change. The effective date at the top tells you which version is current. Significant changes will be notified by in-app banner and email at least 30 days before they take effect.

9. Contact

Questions or requests: hello@finvysmartbudgeting.com. We reply within 30 days, faster for time-sensitive requests.