Privacy Policy — FinFlow

Effective date: June 9, 2026

This Privacy Policy describes how FinFlow ("we", "us", or "our") collects, uses, and shares information when you use the FinFlow mobile application (package: com.flowdev.finflow; the "Service"). By using the Service, you agree to the collection and use of information as described here.

Information We Collect

We may collect the following types of personally identifiable information:

Email address
First and last name, nickname, and profile avatar
Device information: hardware model, OS name and version, screen size, language, country, time zone, unique device identifiers (e.g. IDFA), device mute status
Location data (city/region level, for currency and map features)
Images captured via camera (for receipt scanning)
Voice input (for speech-to-text transaction entry)
Calendar events (when you enable calendar integration)
Usage and analytics data

All collected information is retained and used solely as described in this Privacy Policy.

Account & Data Backup

FinFlow allows you to create an account via Google, Facebook, or Apple Sign In. When you register through one of these services, we collect your primary account information — including email, name, nickname, and avatar — and sync it to our servers to enable data backup and restore functionality.

If you grant access to a third-party social account, we may also receive data already associated with that account (such as your name or email). You can revoke this access at any time in your device's account settings.

Device Permissions

The app requests the following device permissions, each used only for the stated purpose:

Camera — to scan receipts and QR codes.
Microphone — to enable voice input for transaction entry.
Location — to attach location to transactions and display maps. Location is collected only while the app is in use and only if you grant permission.
Biometrics / Face ID / Fingerprint — for local app lock. Biometric data never leaves your device.
Calendar — to create reminders and scheduled transactions. Calendar data is not uploaded to our servers.
Notifications — to send reminders and alerts you configure.

You can revoke any permission at any time in your device's system settings.

Backend & Data Storage

Your account data and transaction history are stored on our backend infrastructure, which uses the following services:

Firebase / Cloud Firestore (Google) — cloud database for syncing your data across devices. See Firebase Privacy Policy.
Supabase — backend platform used for authentication and data storage. See Supabase Privacy Policy.

Analytics

We use PostHog to collect anonymized usage analytics. This helps us understand how features are used and improve the app. PostHog may collect device identifiers, session data, and in-app events. No personally identifiable financial data is sent to PostHog. See PostHog Privacy Policy.

We also use Google Analytics for Firebase and Firebase Crashlytics for crash reporting and performance monitoring. See Firebase Analytics Policy and Firebase Crashlytics Policy.

Advertising

The free tier of the app displays ads served by Appodeal. Appodeal may collect device identifiers and usage data to serve relevant ads. See Appodeal Privacy Policy.

You can opt out of personalized advertising by enabling "Limit Ad Tracking" in your device's system settings.

AI & Machine Learning Features

FinFlow uses on-device and cloud-based AI for the following features:

Receipt scanning (OCR) — powered by Google ML Kit, which processes images on-device to extract text. Images are not sent to Google's servers. See ML Kit Terms.
AI chat assistant — your messages may be sent to an AI backend to generate responses. No financial account credentials are included in these requests.
AI-generated account backgrounds — generated images are processed server-side and do not contain personal financial data.

Other Third-Party Services

The app also integrates the following services:

Log Data

In the event of an error, we collect diagnostic log data through third-party tools. This may include your device's IP address, device name, OS version, app configuration, the time and date of the error, and other diagnostic statistics.

Cookies

The app itself does not use cookies. However, third-party SDKs integrated in the app may use cookies or similar tracking technologies. You can configure your device to limit such tracking; note that doing so may affect some functionality.

Service Providers

We may engage third-party companies to facilitate the Service, perform analytics, serve ads, or assist us in understanding how the Service is used. These providers are given access to your data only to perform their designated tasks and are contractually prohibited from using it for any other purpose.

Security

We use commercially accepted measures to protect your personal information, including encrypted storage (flutter_secure_storage) for sensitive local data. However, no method of internet transmission or electronic storage is 100% secure, and we cannot guarantee absolute security.

Links to Other Sites

The Service may contain links to external websites not operated by us. We have no control over, and assume no responsibility for, the content or privacy practices of external sites. We recommend reviewing the privacy policy of any third-party site you visit.

GDPR — Legal Basis for Processing

If you are located in the European Economic Area (EEA), we process your personal data on the following legal bases:

Consent — you have given explicit consent for a specific purpose.
Contract performance — processing is necessary to fulfill an agreement with you.
Legal obligation — processing is required by applicable law.
Vital interests — processing is necessary to protect life.
Legitimate interests — processing is necessary for our legitimate business interests.

Your Rights under the GDPR

If you are within the EU/EEA, you have the right to:

Access — request a copy of the personal data we hold about you.
Correction — request correction of inaccurate or incomplete data.
Erasure — request deletion of your personal data.
Object — object to processing based on legitimate interest or for direct marketing.
Data portability — receive your data in a structured, machine-readable format.
Withdraw consent — withdraw consent at any time; this may limit certain features.

To exercise any of these rights, contact us. We may verify your identity before processing the request. You also have the right to lodge a complaint with your local Data Protection Authority.

CCPA — Your Rights (California Residents)

If you are a California resident, you have the right to:

Notice — know what categories of personal data are collected and why.
Access — request disclosure of personal data collected about you in the past 12 months.
Deletion — request deletion of personal data collected in the past 12 months.
Opt out — opt out of the sale of your personal data to third parties.
Non-discrimination — exercising your rights will not result in denial or reduced quality of service.

To exercise your CCPA rights, contact us by email. We will respond to verifiable requests within 45 days (extendable by an additional 45 days with prior notice), free of charge.

Children's Privacy

The Service is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we discover that a child under 13 has provided us with personal information, we will delete it immediately. If you are a parent or guardian and believe your child has submitted personal data to us, please contact us.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date. We recommend reviewing this page periodically.

Contact Us

If you have any questions about this Privacy Policy or your personal data, contact us at: info@fin-flow.xyz