Privacy Policy

Last updated: February 26, 2026

1. Data Controller

FINBL LLC, located at 7901 4TH ST N SUITE 300, ST PETERSBURG, FL 33702, United States (hereinafter «FINBL», «we» or «the Platform»), is the data controller for your personal data. This Privacy Policy describes how we collect, use, store and protect your data in accordance with the General Data Protection Regulation (GDPR - Regulation EU 2016/679), the revised Payment Services Directive (PSD2) and applicable data protection legislation.

2. Data We Collect

Personal identification data

  • Full name and display name
  • Email address
  • Phone number (optional)
  • Date of birth
  • Country of residence
  • Profile picture (optional)
  • Language and timezone preferences

Financial data

Obtained via Open Banking/PSD2, in read-only mode:

  • Account name, type and partial IBAN (last 4 digits) of your bank accounts
  • Balances (available and current) and currency
  • Transaction history: amounts, merchants, descriptions, dates and categories
  • Financial goals and spending limits set by you
  • Loan and debt information entered by you

Document data

  • Uploaded financial documents (invoices, receipts, contracts, payslips, tax returns, bank statements)
  • Text extracted via OCR and AI analysis
  • Document metadata (name, type, size, upload date)

AI interaction data

  • Conversation history with the AI assistant
  • Message content (questions and answers)
  • Assistant contextual memory (financial patterns and insights)
  • Chat usage metrics (tokens consumed, model used)

Technical and usage data

  • Browser type and operating system
  • IP address
  • Platform interaction data
  • Alert history

Payment data

Processed exclusively by Stripe (we never store card data). We only store your Stripe customer ID and subscription information.

3. Legal Basis for Processing

We process your data under the following GDPR legal bases:

  • Performance of a contract (Art. 6.1.b): service provision, account management, payments and subscriptions.
  • Explicit consent (Art. 6.1.a): access to banking data via Open Banking/PSD2, document analysis and AI conversations.
  • Legitimate interest (Art. 6.1.f): service communications, security, fraud prevention and service improvement.
  • Legal obligation (Art. 6.1.c): compliance with legal and tax obligations.

4. Purposes of Processing

  • Account management: registration, authentication, profile setup and preferences.
  • Banking aggregation: connection with your banks via Open Banking (PSD2) for read-only access to accounts and transactions.
  • Financial analysis: transaction categorization, report generation, goal tracking and debt management.
  • AI assistant: processing queries via artificial intelligence for personalized financial analysis.
  • Document management: storage, OCR analysis and information extraction from financial documents.
  • Payment processing: subscription management and billing via Stripe.
  • Service communications: operational notifications, financial alerts and service updates.
  • Security: account protection, unauthorized access detection and fraud prevention.
  • Service improvement: aggregated and anonymized analysis of platform usage.

5. Recipients and Data Processors

We share your data only with the following processors, bound by data processing agreements (DPA):

  • Supabase Inc. (US) — Database, authentication and storage for all account data.
  • Enable Banking Oy (Finland, EU) — PSD2 banking aggregation, bank data and encrypted credentials.
  • Stripe Inc. (US) — Payment processing: email, name and billing data.
  • OpenAI Inc. (US) — Natural language processing: conversation and document content.
  • Resend Inc. (US) — Email delivery: email address.

We do not sell, rent or share your personal data with third parties for marketing purposes. We may share data when required by law, court order or competent authority.

6. International Data Transfers

FINBL LLC is based in the United States. To ensure adequate protection, transfers outside the EEA are covered by:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914).
  • EU-US Data Privacy Framework, where recipients are certified.
  • Supplementary technical security measures (encryption in transit and at rest).

Enable Banking Oy, our Open Banking provider, is based in Finland and operates entirely within the EEA.

7. Data Retention Periods

  • Account and profile data: while the account is active + 30 days after deletion request.
  • Banking and transaction data: while the account is active + 5 years (tax/accounting obligation).
  • AI conversations: 2 years from last interaction, or until manual deletion.
  • AI assistant memory: while the account is active, deletable by the user.
  • Uploaded documents: while the account is active, individually deletable.
  • Billing data (Stripe): 7 years (tax obligation).
  • Security logs: 30 days.
  • Session cookies: session duration.

After the stated periods, data is securely deleted or irreversibly anonymized.

8. Data Subject Rights

Under the GDPR (Arts. 15-22), you have the following rights:

  • Right of access (Art. 15): request a copy of all your personal data.
  • Right to rectification (Art. 16): correct inaccurate or incomplete data.
  • Right to erasure (Art. 17): request deletion of your personal data.
  • Right to restriction (Art. 18): request that we restrict processing of your data.
  • Right to data portability (Art. 20): receive your data in a structured format (JSON/CSV).
  • Right to object (Art. 21): object to processing based on legitimate interest.
  • Right not to be subject to automated decisions (Art. 22): request human intervention.
  • Right to withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, send an email to privacy@finbl.com. We will respond within 30 days.

9. Data Security

Technical measures

  • Encryption in transit: all communications use HTTPS/TLS 1.3.
  • Encryption at rest: data is stored encrypted on servers.
  • Banking credential encryption: bank sessions encrypted with AES-256-GCM.
  • Secure authentication: JWT tokens with httpOnly cookies and automatic renewal.
  • Row Level Security (RLS): database-level data isolation.

Organizational measures

  • Restricted access based on the principle of least privilege.
  • Periodic security reviews.
  • Access monitoring and suspicious activity detection.

10. Children's Data

FINBL is not intended for individuals under 16 years of age. We do not knowingly collect data from anyone under 16. If we discover that we have collected data from a minor without proper parental consent, we will delete it immediately. If you are a parent or guardian, contact privacy@finbl.com.

11. Automated Decisions and Profiling

FINBL uses automated systems for AI-based transaction categorization, personalized financial analysis and rule-based automated alerts. These automated decisions do not produce legal effects and do not significantly affect you. They are informational tools to help you manage your finances. You may request human review by contacting privacy@finbl.com.

12. Open Banking and PSD2

Access to your banking data is conducted exclusively via Open Banking under the PSD2 Directive:

  • Read-only: FINBL can never make payments or modify your bank accounts.
  • Explicit consent: each connection requires your authorization from your bank.
  • Renewal: PSD2 consents have a maximum validity of 90 days.
  • Revocation: you can revoke access at any time from FINBL or directly with your bank.

Our provider Enable Banking Oy is registered as an AISP and regulated under PSD2.

13. Changes to this Policy

We may update this Policy periodically. For substantial changes, we will notify you by email at least 30 days in advance and post a notice on the Platform.

14. Supervisory Authority

If you believe your data processing violates the GDPR, you have the right to lodge a complaint with the competent supervisory authority in your country of residence. For users in Spain: Spanish Data Protection Agency (AEPD) — www.aepd.es

15. Contact

For any inquiries regarding this Privacy Policy or the processing of your personal data:

privacy@finbl.com

FINBL LLC, 7901 4TH ST N SUITE 300, ST PETERSBURG, FL 33702, United States

(+1) 786-729-2177