Privacy Policy

1. Who we are (Data Controller)

The data controller for Finintel is Leiswer International, a sole-proprietorship business based in Pune, Maharashtra, India.

Email: privacy@finintel.app

For questions about your personal data or to exercise any of the rights below, contact us at the email above.

2. Our privacy principles

• Minimum data. We collect only what we need to operate Finintel.
• No bank access. Finintel never asks for or stores bank credentials, account numbers, or transaction data.
• No sale of data. We do not sell personal data to anyone, ever.
• No advertising trackers. We do not use third-party advertising networks or behavioural ad pixels.
• Encrypted by default. All data is encrypted in transit (TLS 1.3) and at rest (AES-256).

3. What data we collect

4. Legal bases (GDPR)

If you are in the EEA, UK, or other GDPR-aligned jurisdictions, the legal bases on which we process your data are:

• Contract: we need your account, decision, and billing data to deliver the service you've signed up for.
• Legitimate interests: usage data and security logging to keep the service safe, debug issues, and improve it. We balance these against your rights and you can object at any time.
• Consent: for optional analytics or marketing emails — only when you explicitly opt in, and you can withdraw consent at any time.
• Legal obligation: tax records, fraud prevention, court orders.

5. How we share data

We share data only with vetted service providers who help us operate Finintel. These are:

• Hosting & database: Supabase (data stored in the EU/US per region settings).
• Application hosting: Vercel.
• Payments: our merchant of record (acts as legal seller for paid plans, handles cards, taxes, invoicing).
• Email delivery: transactional email provider for sign-up confirmations, password resets, receipts.
• Customer support: support ticketing tool.

Each provider is bound by a Data Processing Agreement and may only process data on our instructions. We do not share data with advertisers, brokers, or any other third parties.

We may disclose data if legally required (court order, regulatory request) or to protect rights, safety, or property — but we will challenge overbroad requests where we lawfully can.

6. International transfers

Some of our service providers are based outside India and the EEA. Where personal data is transferred internationally, we rely on Standard Contractual Clauses (SCCs) or equivalent legal mechanisms to ensure adequate protection.

7. How long we keep data

• Active accounts: we keep your data while your account is active.
• Closed accounts: we delete or anonymise your decision data within 90 days of account closure, except where retention is required by law (e.g. tax records, typically 7 years).
• Backups: backups containing deleted data may persist for up to 30 days before being purged on rotation.
• Logs: server and security logs are retained for 90 days.

8. Your rights

Depending on your jurisdiction, you may have some or all of the following rights over your personal data:

• Access — request a copy of the personal data we hold about you.
• Rectification — correct inaccurate or incomplete data.
• Erasure ("right to be forgotten") — ask us to delete your data, subject to legal retention.
• Portability — receive your data in a machine-readable format.
• Restriction & objection — limit how we process your data, or object to processing based on legitimate interests.
• Withdraw consent — at any time, where processing is based on consent.
• Lodge a complaint — with your local data protection authority. In India, this is the Data Protection Board under the DPDP Act, 2023.

To exercise any of these rights, email privacy@finintel.app. We will respond within 30 days.

9. Children

Finintel is not directed to children under 18. We do not knowingly collect data from children. To enforce this, we collect your birth year at sign-up and reject sign-ups where the user would be under 18. If you believe a child has bypassed this check and provided us data, please contact support@finintel.app and we will delete it promptly.

10. Cookies & similar technologies

We use a minimum set of cookies and local storage:

• Strictly necessary — for authentication and session management. These cannot be disabled if you want to use the service.
• Functional — to remember preferences (theme, locale).
• Analytics — privacy-respecting, aggregated analytics to understand product usage. No cross-site tracking.

We do not use advertising or behavioural cookies.

11. Security

We follow industry-standard security practices: TLS 1.3 in transit, AES-256 at rest, hashed and salted passwords, row-level security on the database, principle-of-least-privilege access control, regular dependency updates, and incident response procedures. No system is perfectly secure, but we take this seriously and will notify affected users of any breach affecting their personal data within 72 hours of confirmation, in line with applicable law.

12. Changes to this policy

We may update this policy from time to time. Material changes will be notified by email or in-app notice. The "Last updated" date at the top of this page reflects the latest revision.