FinFlow — Privacy Policy
Last updated: April 4, 2026
1. Information We Collect
Account Information
When you create an account, we collect your email address and, if you sign in with Google, your name and profile picture as provided by Google. We do not collect passwords because authentication is handled by Supabase Auth.
Financial Data
You voluntarily provide financial information including:
- Transaction amounts, categories, and descriptions
- Budget goals and spending limits
- Recurring expense configurations
- Group expense records and split bill details
This data is stored securely and is only accessible to you and, where applicable, members of your expense groups.
Receipt Images
When you use receipt scanning, your receipt images are sent to Google Gemini or Claude (Anthropic) for text extraction depending on the scan mode. Images are processed in real-time and are not retained by FinFlow after processing. Google handles data according to Google's Privacy Policy and Anthropic handles data according to Anthropic's Privacy Policy.
Usage Data
We collect service usage data such as visited screens, feature usage patterns, and error diagnostics to improve reliability and user experience.
2. How We Use Your Information
We use your information to:
- Provide and maintain the FinFlow service
- Process and display your financial transactions
- Calculate group balances and split bill summaries
- Send in-app and optional email notifications about relevant activity
- Generate spending insights and budget progress metrics
- Improve product quality through diagnostics and aggregate analytics
We do not sell personal or financial data. We do not use financial records for advertising.
3. Data Storage & Security
Your data is stored in PostgreSQL infrastructure provided by Supabase. Data is encrypted in transit (TLS) and encrypted at rest.
FinFlow applies Row Level Security (RLS) policies so users can only access their own data and the shared data of groups they belong to.
The application is hosted on Vercel.
4. Google User Data
FinFlow uses Google OAuth to let you sign in with your Google account. During sign-in, we request the following Google API scopes:
- email — your Google account email address
- profile — your name and profile picture
How We Use Google Data
Your Google email address is used solely to create and identify your FinFlow account. Your name and profile picture are displayed within the app for personalization (e.g. your avatar in group settings). We do not use Google user data for advertising, marketing to third parties, or any purpose unrelated to providing the FinFlow service.
How Google Data Is Stored & Shared
Google profile data is stored in our Supabase-hosted database alongside your account record. It is not shared with any third party except as described in the Third-Party Services section below (Supabase for storage, Resend for email delivery). We do not sell or transfer Google user data.
Revoking Access
You can revoke FinFlow's access to your Google account at any time by visiting Google Account Permissions and removing FinFlow from the list of connected apps. You can also delete your FinFlow account entirely from the Settings page within the app, which removes all stored data.
5. Third-Party Services
FinFlow uses the following service providers:
| Service | Purpose | Data Shared |
|---|---|---|
| Supabase | Database and authentication | Account and financial records |
| Google Gemini | Receipt OCR extraction | Receipt images for processing |
| Claude (Anthropic) | Receipt OCR extraction (bulk/split scanning) | Receipt images for processing |
| Vercel | Application hosting | Request and infrastructure logs |
| Resend | Email notifications | Email address and message payload |
| Stripe | Billing and subscriptions | Payment and subscription metadata |
| Google OAuth | Social login | Google account profile and email |
Each provider processes data under its own policies and terms.
6. Data Retention
Data is retained while your account is active. If you delete your account, related app data is removed. Operational backups may persist temporarily before scheduled purge windows complete.
7. Your Rights
You may request or perform:
- Access: export transaction data using CSV export in Settings
- Rectification: edit transaction records directly in the app
- Deletion: delete your account and associated app data in Settings
- Portability: receive data in machine-readable format
- Restriction requests: contact support for processing restrictions
EU users are protected under GDPR. California users are protected under CCPA/CPRA as applicable.
8. Cookies & Local Storage
FinFlow uses essential technologies only:
- Authentication cookies: required to keep users signed in
- Local storage: theme, language, and local settlement markers
We do not use ad-tech or behavioral tracking cookies.
9. Children's Privacy
FinFlow is not intended for children under 16. If you believe a child submitted personal data, contact support for immediate review.
10. Changes to This Policy
We may update this policy periodically. Material updates are reflected by updating the date at the top of this document and publishing the revised text on this page.
11. Data Controller
FinFlow is operated by Dávid Kalán. For data protection inquiries, the data controller can be reached at support@finflow.cash.
12. Contact
For privacy questions, contact: support@finflow.cash