Privacy Policy

Last updated: April 6, 2026

1. Data Controller

The data controller for the Service is:

Vadym Riazantsev (trading as Finalytics)
NIP: 6772515836
ul. Lipowa 3D, 30-702 Kraków, Poland
Data Protection Email: support@finalytics.app

Finalytics ("we", "us", "our") operates the Finalytics mobile application (the "Service"). Finalytics is not a licensed Account Information Service Provider (AISP). Bank account connectivity is provided through Enable Banking Oy, a licensed AISP, and through direct API integrations with supported banks (see Section 4).

This Privacy Policy explains how we collect, use, and protect your personal information when you use the Service, including when you connect your bank accounts through our open banking integration.

2. Information We Collect

Account information: When you register, we collect your name, email address, and authentication data (e.g., hashed passwords). If you sign in via Google or Apple, we receive your name and email from those providers. You may also upload a profile photo.

Financial data you enter: The transactions, accounts, categories, tags, and budgets you create within the app. This data is entered by you and stored to provide the Service.

Bank account data (via open banking): If you choose to connect a bank account, we access your payment account information through one of the following channels, depending on your bank:

• Enable Banking — a licensed Account Information Service Provider (AISP) authorized under PSD2 (EU Directive 2015/2366), used for European banks
• Direct bank API integration — for banks that provide their own public API (e.g., Monobank). In this case, you authorize access directly with your bank by providing a personal API token

In both cases, data is obtained based on your explicit consent. The data we retrieve includes:

• Account details: account holder name, IBAN, account type, and currency
• Account balances
• Transaction history: date, amount, currency, counterparty name, and transaction description

We access this data only after you explicitly authorize it through your bank's Strong Customer Authentication (SCA) process. During SCA you are redirected to your bank's own authentication page where you confirm access using your bank's security methods (e.g., two-factor authentication, biometric confirmation, or one-time password). We do not participate in or have access to this authentication process. We never receive, see, or store your bank login credentials at any point.

Device information: Device type, operating system version, and a temporary device or session identifier used for session management and security (e.g., detecting unauthorized access).

Biometric data: If you enable Face ID or Touch ID, biometric authentication is handled entirely by your device's operating system. We never receive, store, or transmit your biometric data.

3. Legal Basis for Processing

We process personal data under the following legal bases (GDPR Art. 6(1)):

• Contract (Art. 6(1)(b)): Account information and financial data you enter — necessary to provide the Service you signed up for
• Consent (Art. 6(1)(a)): Bank account data accessed via open banking — processed only after you explicitly authorize bank access through SCA. You may withdraw this consent at any time (see Section 4)
• Legitimate interest (Art. 6(1)(f)): Device information and security logs — necessary to protect your account and the Service from unauthorized access and abuse

We do not perform automated decision-making or profiling that produces legal or similarly significant effects (Art. 22 GDPR).

4. Open Banking and Bank Data Access

4.1 Enable Banking (European banks)

When you connect a European bank account, data flows through Enable Banking Oy (business ID 2988499-7, Otakaari 5, 02150 Espoo, Finland). Enable Banking is authorized and regulated under PSD2 to provide Account Information Services (AISP). Enable Banking retrieves data from your bank based on your consent and transmits it to the Service.

Enable Banking processes your data in accordance with its own privacy notice: enablebanking.com/privacy.

4.2 Direct bank API integrations

For banks that offer their own public API (e.g., Monobank), we connect directly using a personal API token that you generate and provide. In this case, no third-party intermediary is involved — data flows directly between your bank and the Service. Your token is encrypted at rest (AES-256) and used solely for retrieving your financial data.

Bank account data is used exclusively for providing personal finance management features within the Service. We do not use it for credit scoring, profiling, marketing, or any purpose other than displaying your financial information back to you.

You may revoke bank data access at any time by:

• Disconnecting the bank account within the Finalytics app
• Revoking consent through your bank's own settings
• For Enable Banking connections: managing your data sharing consents at enablebanking.com/data-sharing-consents
• For direct API connections (e.g., Monobank): revoking your API token in your bank's app

5. Data Storage and Security

Your data is stored on secure servers within the European Union (DigitalOcean, EU region). We use industry-standard encryption for data in transit (TLS/HTTPS) and at rest. Bank connection tokens are encrypted using AES-256 before storage. Access tokens are stored in your device's secure storage (Keychain on iOS). We regularly review our security practices to protect your data.

6. Data Sharing and Sub-processors

We do not sell, rent, or share your personal financial data with third parties. We may share data only in the following cases:

• Enable Banking Oy (Espoo, Finland) — regulated AISP intermediary for retrieving bank account data on your behalf under PSD2
• DigitalOcean, LLC (USA, with EU data region) — cloud infrastructure hosting. Data is stored in EU data centers. Processing is governed by Standard Contractual Clauses (SCCs)
• Sentry (Functional Software, Inc., USA) — error monitoring to maintain Service stability. Only limited technical data is transmitted (e.g., error logs, device info, pseudonymized identifiers such as internal user ID). No financial transaction data is included. Processing is governed by SCCs
• Cloudinary Ltd. (Israel, with global CDN) — image storage and processing for user-uploaded profile photos. Images are stored and delivered via Cloudinary's infrastructure. Processing is governed by their privacy policy and DPA
• Apple Inc. / Google LLC — act as independent data controllers for authentication services used for account sign-in, if selected by you. Subject to their respective privacy policies
• Legal requirements: When required by law, court order, or governmental authority
• Safety: To protect the rights, safety, or property of our users or the public

7. International Data Transfers

Your financial data is stored on servers located within the European Union. Some sub-processors are based outside the EU: DigitalOcean and Sentry (USA) process data under Standard Contractual Clauses (SCCs); Cloudinary (Israel) operates under an EU adequacy decision. All transfers comply with GDPR Chapter V.

8. Cookies and Analytics

The mobile application does not use cookies. We do not currently use any third-party analytics services. If we introduce analytics in the future, this policy will be updated accordingly and only aggregated, non-personal data will be collected.

9. Your Rights

Under the GDPR and applicable data protection laws, you have the right to:

• Access your personal data stored in the Service
• Export your financial data in a portable format (data portability)
• Correct inaccurate personal information
• Delete your account and all associated data, including imported bank data. You can do this directly in the app via Settings → Profile → Delete Account, or by contacting us at support@finalytics.app
• Withdraw consent for data processing, including bank account access, at any time without affecting the lawfulness of processing based on consent before its withdrawal
• Restrict processing of your personal data
• Object to processing of your personal data based on legitimate interest
• Lodge a complaint with a supervisory authority. The competent authority in Poland is UODO (Urząd Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warszawa)

To exercise these rights, contact us at support@finalytics.app. We will respond within 30 days.

10. Data Retention

• Account and financial data: Retained for as long as your account is active
• Bank connection data: When you disconnect a bank account, we stop retrieving new data from that account. Connection tokens are deleted immediately
• Security logs: Retained for up to 90 days for incident investigation, then automatically deleted
• Account deletion: When you delete your account, all personal data and financial records — including imported bank data — are permanently deleted within 30 days. Backups containing your data are purged within 90 days

11. Children's Privacy

The Service is not intended for children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes through the application or via email. The "Last updated" date at the top of this page indicates when this policy was last revised.

13. Data Protection Contact

For questions, concerns, or requests related to your personal data and this Privacy Policy, contact the data controller:

Vadym Riazantsev (trading as Finalytics)
NIP: 6772515836
ul. Lipowa 3D, 30-702 Kraków, Poland
Email: support@finalytics.app