Finzu · let your money flow

Legal

Privacy Policy

Last updated: June 24, 2026 · Read time: ~5 minutes

Privacy-first by design. Finzu is a manual-entry app. We do not connect to your bank, process your payment details, or sell your data to anyone.

1. Who we are

Finzu is a personal finance application operated by its developer ("we", "us", "our"). We are the data controller for the personal data you provide when using this Service.

For privacy enquiries, contact us at privacy@finzu.me.

2. What data we collect

Account data — when you register, we collect your email address and an optional display name. Passwords are hashed and never stored in plain text.

Financial data you enter — all transaction amounts, account names, categories, notes, budgets, goals, and any other records you create in the app. This data is yours; we do not read or analyse it at the individual level.

Usage events — anonymised, aggregated analytics events such as "budget created" or "transaction added", sent to PostHog. These events never include transaction amounts, account names, or any financial values.

Error reports — when the app encounters an unexpected error, a report is sent to Sentry. These reports may include your browser version, OS, and a stack trace, but never financial data or account balances.

Payment data — handled entirely by Stripe (web) or by Apple / Google (native apps). We receive confirmation of subscription status but never your card number, expiry, or CVV.

Device & log data — standard server logs including IP addresses and request timestamps, retained for up to 30 days for security and debugging purposes.

3. How we use your data

We use your data to:

  • Provide, operate, and improve the Service.
  • Authenticate you and keep your account secure.
  • Sync your financial records across devices.
  • Send transactional emails (account creation, password reset, subscription receipts). We do not send marketing emails unless you opt in.
  • Detect and prevent fraud, abuse, and security incidents.
  • Understand aggregate usage patterns to improve the product (anonymised only).

We do not sell, rent, or trade your personal data. We do not use your financial data for advertising or profiling.

The legal basis for processing (under GDPR) is: contract performance (to provide the Service), legitimate interests (security and product improvement), and legal obligation where applicable.

4. Data storage & security

Your data is stored in Supabase, hosted on AWS in the EU (eu-central-1, Frankfurt). Data is encrypted in transit using TLS 1.2+ and encrypted at rest using AES-256.

Access to the database is restricted by row-level security policies. Each user can only read and modify their own records. Even our support team cannot view your financial data without explicit permission and audit logging.

On your device, financial data is also stored locally in the browser's IndexedDB for offline access. This local store is cleared when you sign out.

Despite these measures, no method of electronic transmission or storage is 100% secure. We encourage you to use a strong, unique password and to enable biometric lock on the mobile app.

5. Third-party services

We share data with the following sub-processors:

Processor    Purpose                        Location            Data shared
Supabase     Database, auth, file storage   EU (AWS Frankfurt)  Account data, financial data
Stripe       Web payment processing         US / EU             Email, subscription status
RevenueCat   Mobile IAP management          US                  Device ID, subscription status
PostHog      Product analytics              EU                  Anonymised usage events
Sentry       Error monitoring               US / EU             Error stack traces, OS/browser

Each sub-processor is bound by a Data Processing Agreement (DPA) in accordance with GDPR Article 28. Transfers outside the EU are governed by Standard Contractual Clauses (SCCs).

6. Cookies & local storage

We use the following storage mechanisms:

  • Session cookie — set by Supabase to keep you signed in. Strictly necessary.
  • IndexedDB — stores your financial data locally for offline access. Cleared on sign-out.
  • PostHog cookie — a pseudonymous analytics identifier. You can opt out from within the app settings.

We do not use advertising cookies or tracking pixels. We do not share cookie data with advertisers.

7. Data retention

We retain your account and financial data for as long as your account exists. If you delete your account, all your personal data is permanently deleted from our servers within 30 days.

Anonymised, aggregated analytics data (e.g. "100 users created a budget this month") does not contain personal information and may be retained indefinitely for product improvement purposes.

Server logs are retained for 30 days. Stripe retains payment records as required by financial regulations (typically 7 years), independently of our retention policy.

8. Your rights (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — request deletion of your personal data ("right to be forgotten"). You can do this from Settings → Delete account, or by contacting us.
  • Portability — export your financial data in CSV format from Settings → Export all data.
  • Restriction — ask us to restrict processing of your data in certain circumstances.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — where processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact privacy@finzu.me. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

9. Children's privacy

The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children. If we become aware that a child under 16 has provided us with personal data, we will delete it promptly. If you believe this has occurred, contact us at privacy@finzu.me.

10. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and/or by displaying a notice in the app at least 14 days before the changes take effect. The "Last updated" date at the top of this page always reflects the most recent revision.

Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

11. Contact & DPO

For any privacy-related question, right request, or complaint:

Email: privacy@finzu.me
Support: finzu.me/support

See also: Terms of Service · Privacy FAQ
