Privacy Policy

Last updated: May 8, 2026

1. Who we are

Finanz.my (“Finanz.my”, “we”, “us”) is a personal finance application. The organisation responsible for your personal data (the data controller) is:

  • [Legal entity name]
  • [Registered address]
  • Privacy enquiries: [privacy contact email]

Replace the bracketed fields before publishing. If you operate only as an individual, describe yourself accordingly and provide a valid contact address or email for privacy requests.

2. Scope

This policy describes how we collect, use, store, and share personal data when you use the Finanz.my website and related services (the “Service”). It applies whether you sign in with email (magic link), Google, or any other method we offer.

By using the Service, you acknowledge this policy. If you do not agree, please do not use Finanz.my.

3. Data we collect

3.1 Account and authentication

  • Email address (required for account creation and, where applicable, magic-link sign-in).
  • Optional profile details you provide or that we receive from Google sign-in (for example first name, profile picture URL or stored avatar).
  • Google account identifier when you link or sign in with Google.
  • Session data and security artefacts needed to keep you signed in (for example session identifiers, expiry times). Magic-link tokens and one-time codes are stored in hashed form, not in plain text.
  • Account status (for example active vs waitlisted) and internal roles where relevant for access control.

3.2 Financial and productivity data you enter

To provide core features, we process data you choose to store in the Service, including for example: transactions (dates, amounts, labels, notes), categories and budgets, merchants, net-worth positions and entries, import metadata, project names, and sharing relationships between accounts where you use shared projects.

This data may reveal detailed information about your income, spending, assets, and liabilities. You decide what to enter; we use it to display and compute insights inside the product as you configure it.

3.3 Imported files and automated parsing (AI)

When you upload files (for example bank or card exports) and use features that extract transactions automatically, we may send file content or derived text to Google’s Gemini API (Google LLC / Alphabet) so that structures or rows can be interpreted and mapped into your account. That processing can include sensitive financial details contained in your documents.

Google processes such requests under its own terms and privacy policies; we recommend reviewing Google’s Privacy Policy and Google AI terms as applicable. Do not upload files you are not allowed to share with such providers.

3.4 Technical and operational data

  • Server and application logs may include IP addresses, timestamps, error messages, and coarse usage signals needed to operate and secure the Service.
  • Email delivery for transactional messages (magic links, account notices, etc.) uses SMTP as part of our OVH hosting setup; message metadata (recipient, subject, delivery status) is processed in that flow.
  • Merchant logos may be resolved via third-party logo services using merchant domains or identifiers you already store (where that integration is enabled).

4. Purposes and legal bases (EEA / UK)

Where the GDPR or UK GDPR applies, we rely on the following bases:

  • Performance of a contract — to provide the Service, authenticate you, store your data, and honour sharing features you enable.
  • Legitimate interests — to secure accounts, prevent abuse, debug and improve reliability, and communicate essential service messages (for example account activation or deletion confirmations), balanced against your rights.
  • Consent — where required for optional processing (for example certain marketing cookies or non-essential analytics if we add them later). We will describe separate consent flows if that changes.

Automated parsing via Gemini is used because you choose to run an import; where required, we treat that as part of performing the Service you requested or, where applicable, legitimate interests in offering import tooling, with transparency as described in section 3.3.

5. Sharing and subprocessors

We do not sell your personal data. We share data only as needed to operate the Service, including with:

  • OVH — The Finanz.my application, the servers it runs on, and storage for the data you create in the Service are hosted with OVHcloud. Transactional email (magic links, account notices, etc.) is sent via SMTP using the same OVH-hosted setup.
  • Google — OAuth sign-in and, when you use automated import parsing, Gemini API processing as described above.
  • Other users — when you participate in a shared project, participants you invite or who invite you may see project-scoped financial data according to the permissions you grant.

We require service providers to protect personal data appropriately and to process it only on our instructions where they act as processors.

6. International transfers

Hosting of the application and of your stored Service data is handled primarily through OVH (usually in the European Economic Area, depending on datacentre location). Separately, features that rely on Google (sign-in or Gemini-assisted imports) may involve processing in the United States or other countries. Where transfers are not covered by an adequacy decision, we use appropriate safeguards such as Standard Contractual Clauses where required, unless another lawful mechanism applies.

7. Retention

We keep personal data for as long as your account exists and as needed to provide the Service, comply with law, resolve disputes, and enforce agreements.

When you delete your account (where we offer account deletion), we delete or irreversibly anonymise personal data linked to that account within a reasonable period, except where we must retain limited records for legal, security, or accounting obligations.

Security logs may be kept for a limited retention window proportionate to their purpose.

8. Security

We implement technical and organisational measures appropriate to the sensitivity of financial data, including access controls, encryption in transit (HTTPS), protection of credentials and secrets, and prudent handling of session tokens. No method of transmission or storage is perfectly secure; use strong, unique passwords where relevant and protect access to your email inbox used for magic links.

9. Your rights

Depending on your location, you may have rights to access, rectify, erase, restrict processing of, or export your personal data, and to object to certain processing. You may also withdraw consent where processing is consent-based, without affecting prior lawful processing.

To exercise these rights, contact us using the privacy email above. You may also lodge a complaint with your local supervisory authority (for example the CNIL in France if you reside there).

10. Children

Finanz.my is not directed at individuals under 16 (or the minimum digital-consent age in your region). We do not knowingly collect personal data from children. If you believe we have, please contact us so we can delete it.

11. Changes

We may update this policy from time to time. We will post the revised version on this page and adjust the “Last updated” date. Material changes may be communicated by email or in-product notice where appropriate.

12. Related documents

Our Terms of Service describe rules for using Finanz.my and should be read together with this policy.