Privacy Policy
Last updated: February 18, 2026
1. Information We Collect
Account Information
When you create an account, we collect your email address and, if you sign in with Google, your name and profile picture as provided by Google. We do not collect passwords because authentication is handled by Supabase Auth.
Financial Data
You voluntarily provide financial information including:
- Transaction amounts, categories, and descriptions
- Budget goals and spending limits
- Recurring expense configurations
- Group expense records and split bill details
This data is stored securely and is only accessible to you and, where applicable, members of your expense groups.
Receipt Images
When you use receipt scanning, your receipt images are sent to Google Gemini for text extraction. Images are processed in real-time and are not retained by FinFlow after processing. Google handles data according to Google's Privacy Policy.
Usage Data
We collect service usage data such as visited screens, feature usage patterns, and error diagnostics to improve reliability and user experience.
2. How We Use Your Information
We use your information to:
- Provide and maintain the FinFlow service
- Process and display your financial transactions
- Calculate group balances and split bill summaries
- Send in-app and optional email notifications about relevant activity
- Generate spending insights and budget progress metrics
- Improve product quality through diagnostics and aggregate analytics
We do not sell personal or financial data. We do not use financial records for advertising.
3. Data Storage & Security
Your data is stored in PostgreSQL infrastructure provided by Supabase. Data is encrypted in transit (TLS) and encrypted at rest.
FinFlow applies Row Level Security (RLS) policies so users can only access their own data and the shared data of groups they belong to.
The application is hosted on Vercel.
4. Third-Party Services
FinFlow uses the following service providers:
| Service | Purpose | Data Shared |
|---|---|---|
| Supabase | Database and authentication | Account and financial records |
| Google Gemini | Receipt OCR extraction | Receipt images for processing |
| Vercel | Application hosting | Request and infrastructure logs |
| Resend | Email notifications | Email address and message payload |
| Stripe | Billing and subscriptions | Payment and subscription metadata |
| Google OAuth | Social login | Google account profile and email |
Each provider processes data under its own policies and terms.
5. Data Retention
Data is retained while your account is active. If you delete your account, related app data is removed. Operational backups may persist temporarily before scheduled purge windows complete.
6. Your Rights
You may request or perform:
- Access: export transaction data using CSV export in Settings
- Rectification: edit transaction records directly in the app
- Deletion: delete your account and associated app data in Settings
- Portability: receive data in machine-readable format
- Restriction requests: contact support for processing restrictions
EU users are protected under GDPR. California users are protected under CCPA/CPRA as applicable.
7. Cookies & Local Storage
FinFlow uses essential technologies only:
- Authentication cookies: required to keep users signed in
- Local storage: theme, language, and local settlement markers
We do not use ad-tech or behavioral tracking cookies.
8. Children's Privacy
FinFlow is not intended for children under 16. If you believe a child submitted personal data, contact support for immediate review.
9. Changes to This Policy
We may update this policy periodically. Material updates are reflected by updating the date at the top of this document and publishing the revised text on this page.
10. Contact
For privacy questions, contact: support@finflow.cash