GDPR Compliance

Last updated: February 19, 2026

Company: Finlingo, Inc

Contact: support@finlingo.ai

1. Introduction

Finlingo, Inc is committed to compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws. This page outlines our GDPR compliance measures and your rights as a data subject.

2. Our Commitment to GDPR

We are committed to protecting your personal data and ensuring compliance with GDPR requirements:

  • Lawful, fair, and transparent processing of personal data
  • Purpose limitation - data collected only for specified purposes
  • Data minimization - collecting only necessary data
  • Accuracy - keeping data accurate and up-to-date
  • Storage limitation - retaining data only as long as necessary
  • Integrity and confidentiality - securing personal data
  • Accountability - demonstrating compliance with GDPR principles

3. Your Rights Under GDPR

As a data subject, you have the following rights:

3.1 Right of Access

You have the right to obtain confirmation as to whether we process your personal data and access to that data, along with information about how it's being used.

3.2 Right to Rectification

You have the right to have inaccurate personal data corrected and incomplete data completed.

3.3 Right to Erasure ("Right to be Forgotten")

You have the right to request deletion of your personal data under certain circumstances, such as when the data is no longer necessary for the original purpose.

3.4 Right to Restrict Processing

You have the right to restrict the processing of your personal data in certain situations.

3.5 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.

3.6 Right to Object

You have the right to object to processing of your personal data for direct marketing purposes or based on legitimate interests.

3.7 Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.

4. How to Exercise Your Rights

To exercise any of your GDPR rights, please contact us:

  • Email: support@finlingo.ai
  • Subject line: "GDPR Request - [Your Right]"
  • Include your account email and a description of your request

We will respond to your request within 30 days of receipt. You can also use our in-app data deletion tool to request deletion of your data.

5. Data Processing Legal Basis

We process your personal data based on the following legal bases:

  • Consent: When you provide explicit consent for specific processing activities
  • Contract Performance: To fulfill our contractual obligations to you
  • Legal Obligation: To comply with applicable laws and regulations
  • Legitimate Interests: For our legitimate business interests, balanced against your rights

6. Data Security Measures

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption of data in transit (HTTPS/TLS)
  • AES-256 encryption at rest for personally identifiable information (email, name) and sensitive financial identifiers
  • Server-side token invalidation on logout and password changes
  • Explicit consent enforcement before AI data processing
  • Access controls and authentication
  • Regular security assessments
  • Incident response procedures

7. Data Retention Schedule

In accordance with Article 5(1)(e), we enforce automated retention limits to ensure data is not kept longer than necessary:

Data type: retention period

  • Account & profile data: until account deletion
  • Financial transactions: until account deletion
  • AI conversations: 90 days
  • Spending insights: 90 days
  • Transaction feedback: 180 days
  • Notifications: 30 days
  • Insight generation logs: 30 days
  • Data export files: until expiration (typically 7 days)

Stale data is automatically purged daily. Upon account deletion, all personal data is permanently removed from active systems within 30 days.
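The schedule above combines three different rules: a fixed per-type limit, a per-file expiry for exports, and removal of everything an account owns once that account is deleted. The following Python sketch is an added example, not Finlingo's own code, showing how a daily purge job can enforce all three and how a separate check can confirm the 30-day deletion deadline is being met. The record kind names, the Record class, the function names and the sample records are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Retention schedule from section 7 (record kind names are assumed for this
# example). None means "until account deletion"; data_export_file records
# carry their own expires_at instead of a fixed limit.
RETENTION_DAYS: Dict[str, Optional[int]] = {
    "account_profile": None,
    "financial_transaction": None,
    "ai_conversation": 90,
    "spending_insight": 90,
    "transaction_feedback": 180,
    "notification": 30,
    "insight_generation_log": 30,
    "data_export_file": None,
}
DELETION_DEADLINE_DAYS = 30  # "removed from active systems within 30 days"


@dataclass(frozen=True)
class Record:
    id: str
    kind: str
    user_id: str
    created_at: datetime
    expires_at: Optional[datetime] = None  # set only on export files


def purge_reason(rec: Record, deleted_at: Optional[datetime],
                 now: datetime) -> Optional[str]:
    """Return why `rec` must be purged at `now`, or None if it is kept."""
    if rec.kind not in RETENTION_DAYS:
        # Fail closed: a record kind without a retention rule has no basis
        # for being kept, so refuse rather than silently retain it forever.
        raise ValueError(f"no retention rule for record kind {rec.kind!r}")
    if deleted_at is not None:
        # Everything owned by a deleted account goes on the next daily run,
        # which is well inside the 30-day deadline.
        return "account_deleted"
    if rec.expires_at is not None and now >= rec.expires_at:
        return "expired"
    ttl = RETENTION_DAYS[rec.kind]
    if ttl is not None and rec.created_at <= now - timedelta(days=ttl):
        return "ttl_exceeded"
    return None


def run_daily_purge(records: List[Record], deleted_accounts: Dict[str, datetime],
                    now: datetime) -> Tuple[List[Record], Dict[str, str]]:
    """Split records into those kept and a map of purged id -> reason."""
    kept: List[Record] = []
    purged: Dict[str, str] = {}
    for rec in records:
        reason = purge_reason(rec, deleted_accounts.get(rec.user_id), now)
        if reason is None:
            kept.append(rec)
        else:
            purged[rec.id] = reason
    return kept, purged


def overdue_deletions(deleted_accounts: Dict[str, datetime],
                      kept: List[Record], now: datetime) -> List[str]:
    """Deleted accounts past the 30-day deadline that still own retained data.

    Run after the purge as an independent check: a non-empty result means the
    purge job has failed to honour the commitment in section 7.
    """
    deadline = timedelta(days=DELETION_DEADLINE_DAYS)
    still_owning = {r.user_id for r in kept}
    return sorted(uid for uid, when in deleted_accounts.items()
                  if now - when > deadline and uid in still_owning)


# Constructed sample data for one run on 2026-02-19 (not real user data).
NOW = datetime(2026, 2, 19, tzinfo=timezone.utc)
DELETED_ACCOUNTS = {"u2": NOW - timedelta(days=3)}  # u2 deleted three days ago
RECORDS = [
    Record("r1", "account_profile", "u1", NOW - timedelta(days=400)),
    Record("r2", "ai_conversation", "u1", NOW - timedelta(days=91)),
    Record("r3", "ai_conversation", "u1", NOW - timedelta(days=89)),
    Record("r4", "notification", "u1", NOW - timedelta(days=30)),  # at the limit
    Record("r5", "data_export_file", "u1", NOW - timedelta(days=2),
           expires_at=NOW + timedelta(days=5)),
    Record("r6", "data_export_file", "u1", NOW - timedelta(days=10),
           expires_at=NOW - timedelta(days=3)),
    Record("r7", "financial_transaction", "u2", NOW - timedelta(days=1)),
]

if __name__ == "__main__":
    kept, purged = run_daily_purge(RECORDS, DELETED_ACCOUNTS, NOW)
    print("kept:", [r.id for r in kept])
    print("purged:", purged)
    print("overdue deletions:", overdue_deletions(DELETED_ACCOUNTS, kept, NOW))
```

Two design choices matter here. The job refuses to run over a record kind that has no retention rule, so adding a new table without classifying it breaks the purge loudly instead of retaining the data indefinitely. And the deadline check is separate from the purge itself, so a purge that silently stops working is detected against the promise made on this page rather than trusted.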

8. Sub-Processors

Per Article 28, we maintain Data Processing Agreements with the following sub-processors:

Sub-processor (purpose): data processed

  • Plaid, Inc. (banking data connectivity): account & transaction data
  • OpenAI (AI assistant "Finny"): chat messages; transaction details (merchant names, amounts, dates, categories); account balances; spending patterns; income summaries; financial goals
  • Resend (account-related email delivery: email verification, password reset, data export): email addresses
  • Expo (push notification delivery): device tokens
  • RevenueCat (subscription management): purchase & subscription status
  • PostHog (product analytics): anonymous usage data, page/screen views, session recordings (inputs masked)
  • Hostinger (server infrastructure): all data (encrypted at rest; see section 6 for the scope of encryption)

9. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of it, and we will inform affected individuals without undue delay where the breach is likely to result in a high risk to them.

10. Data Protection Officer

For questions or concerns about our GDPR compliance, please contact our data protection officer at support@finlingo.ai.

11. Supervisory Authority

If you believe we have not addressed your concerns adequately, you have the right to lodge a complaint with your local data protection supervisory authority.

For EU and EEA residents, the European Data Protection Board maintains a list of national supervisory authorities at: https://edpb.europa.eu

12. Contact Us

For any questions about our GDPR compliance, please contact us:

Finlingo, Inc