Privacy Policy
Last updated: June 24, 2026
1. Who we are
Finzu is a personal finance application operated by its developer ("we", "us", "our"). We are the data controller for the personal data you provide when using this Service.
For privacy enquiries, contact us at privacy@finzu.me.
2. What data we collect
Account data — when you register, we collect your email address and an optional display name. Passwords are hashed and never stored in plain text.
Financial data you enter — all transaction amounts, account names, categories, notes, budgets, goals, and any other records you create in the app. This data is yours; we do not read or analyse it at the individual level.
Usage events — anonymised, aggregated analytics events such as "budget created" or "transaction added", sent to PostHog. These events never include transaction amounts, account names, or any financial values.
Error reports — when the app encounters an unexpected error, a report is sent to Sentry. These reports may include your browser version, OS, and a stack trace, but never financial data or account balances.
Payment data — handled entirely by Stripe (web) or by Apple / Google (native apps). We receive confirmation of subscription status but never your card number, expiry, or CVV.
Device & log data — standard server logs including IP addresses and request timestamps, retained for up to 30 days for security and debugging purposes.
3. How we use your data
We use your data to:
- Provide, operate, and improve the Service.
- Authenticate you and keep your account secure.
- Sync your financial records across devices.
- Send transactional emails (account creation, password reset, subscription receipts). We do not send marketing emails unless you opt in.
- Detect and prevent fraud, abuse, and security incidents.
- Understand aggregate usage patterns to improve the product (anonymised only).
We do not sell, rent, or trade your personal data. We do not use your financial data for advertising or profiling.
The legal basis for processing (under GDPR) is: contract performance (to provide the Service), legitimate interests (security and product improvement), and legal obligation where applicable.
4. Data storage & security
Your data is stored in Supabase, hosted on AWS in the EU (eu-central-1, Frankfurt). Data is encrypted in transit using TLS 1.2+ and encrypted at rest using AES-256.
Access to the database is restricted by row-level security policies. Each user can only read and modify their own records. Even our support team cannot view your financial data without explicit permission and audit logging.
On your device, financial data is also stored locally in the browser's IndexedDB for offline access. This local store is cleared when you sign out.
Despite these measures, no method of electronic transmission or storage is 100% secure. We encourage you to use a strong, unique password and to enable biometric lock on the mobile app.
5. Third-party services
We share data with the following sub-processors:
| Processor | Purpose | Location | Data shared |
|---|---|---|---|
| Supabase | Database, auth, file storage | EU (AWS Frankfurt) | Account data, financial data |
| Stripe | Web payment processing | US / EU | Email, subscription status |
| RevenueCat | Mobile IAP management | US | Device ID, subscription status |
| PostHog | Product analytics | EU | Anonymised usage events |
| Sentry | Error monitoring | US / EU | Error stack traces, OS/browser |
Each sub-processor is bound by a Data Processing Agreement (DPA) in accordance with GDPR Article 28. Transfers outside the EU are governed by Standard Contractual Clauses (SCCs).
7. Data retention
We retain your account and financial data for as long as your account exists. If you delete your account, all your personal data is permanently deleted from our servers within 30 days.
Anonymised, aggregated analytics data (e.g. "100 users created a budget this month") does not contain personal information and may be retained indefinitely for product improvement purposes.
Server logs are retained for 30 days. Stripe retains payment records as required by financial regulations (typically 7 years), independently of our retention policy.
8. Your rights (GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — request deletion of your personal data ("right to be forgotten"). You can do this from Settings → Delete account, or by contacting us.
- Portability — export your financial data in CSV format from Settings → Export all data.
- Restriction — ask us to restrict processing of your data in certain circumstances.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent, withdraw it at any time.
To exercise any of these rights, contact privacy@finzu.me. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
9. Children's privacy
The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children. If we become aware that a child under 16 has provided us with personal data, we will delete it promptly. If you believe this has occurred, contact us at privacy@finzu.me.
10. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and/or by displaying a notice in the app at least 14 days before the changes take effect. The "Last updated" date at the top of this page always reflects the most recent revision.
Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
11. Contact & DPO
For any privacy-related question, rights request, or complaint:
Email: privacy@finzu.me
Support: finzu.me/support