Privacy Policy
Who We Are
FINIO ("we", "us", "our") is an AI-powered personal finance application. Our service helps users understand their spending, manage budgets, and identify savings opportunities by connecting to their bank accounts via open banking.
For the purposes of the General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act (personopplysningsloven), FINIO is the data controller responsible for your personal data.
Contact: hello@getfinio.com
Data We Collect
We collect only the data necessary to deliver FINIO's core functionality. We do not collect data for advertising purposes.
| Category | Data | Source |
|---|---|---|
| Identity | Name (first name only, used to personalise the app) | You, or retrieved via Tink open banking |
| Bank Transactions | Transaction date, description (merchant name), amount, currency, category | Your bank, via Tink by Visa (open banking) |
| Account Data | Account type, institution name (read-only reference only) | Your bank, via Tink by Visa |
| App Usage | Budget limits you set, categories you customise, opportunities you dismiss | Your interactions within FINIO |
| AI Conversations | Messages you send to the FINIO AI Advisor (compressed transaction context included) | Your interactions with the AI Advisor |
| Device | Device type, OS version, app version (for crash reporting and compatibility) | Automatically collected on app use |
We do not collect: bank credentials or passwords (handled entirely by Tink), payment card numbers, national identity numbers, biometric data, or data from users under 18.
How We Use Your Data
| Purpose | Description |
|---|---|
| Core service delivery | Displaying your transactions, calculating budgets, generating spending insights and savings opportunities |
| AI personalisation | Sending compressed transaction summaries to our AI model to generate personalised financial advice and dashboard insights |
| Affiliate referrals | Identifying relevant financial products (e.g. better loan rates, insurance) based on your spending patterns, and surfacing these as optional recommendations |
| Service improvement | Improving transaction categorisation accuracy and AI response quality using aggregated, anonymised data |
| Security & fraud prevention | Detecting anomalous access and protecting your account |
| Legal compliance | Meeting our obligations under GDPR, PSD2, and Norwegian financial regulation |
Legal Basis for Processing
We process your personal data under the following GDPR legal bases:
| Processing Activity | Legal Basis |
|---|---|
| Connecting to your bank account and importing transactions | Your explicit consent (Article 6(1)(a) GDPR) |
| Providing budgeting and financial insights | Performance of a contract (Article 6(1)(b) GDPR) |
| AI-generated advice and personalisation | Performance of a contract (Article 6(1)(b) GDPR) |
| Surfacing affiliate financial product recommendations | Legitimate interests (Article 6(1)(f) GDPR) — you can opt out at any time |
| Security, fraud prevention, and legal compliance | Legal obligation / legitimate interests (Article 6(1)(c) and (f) GDPR) |
Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal. You can do this by disconnecting your bank account in the app or by contacting us directly.
Third-Party Services
FINIO uses a small number of carefully selected third-party services to operate. Each is a data processor acting on our instructions.
| Provider | Role | Data Shared | Location |
|---|---|---|---|
| Tink by Visa | Open banking / PSD2 data aggregation | Bank connection consent; transactions retrieved on your behalf | EU (Sweden) |
| Supabase | Database and backend infrastructure | Transactions, budget data, app preferences | EU (Frankfurt, Germany) |
| Anthropic | AI inference (Claude API) | Compressed, anonymised transaction summaries for AI Advisor responses | USA (data processed under SCCs) |
We do not sell your data to any third party. We do not share your data with advertisers.
When data is transferred outside the EEA (specifically to Anthropic in the USA), we ensure appropriate safeguards are in place in accordance with Chapter V of the GDPR, including Standard Contractual Clauses (SCCs).
Data Retention
We retain your data only for as long as necessary to provide the service and meet legal obligations.
| Data Type | Retention Period |
|---|---|
| Transaction data | For the duration of your account, plus 30 days after deletion |
| Budget limits and app preferences | For the duration of your account |
| AI Advisor conversation history | Not stored server-side — processed in real time only |
| Account data | For the duration of your account, plus 30 days after deletion |
| Legal/compliance records | Up to 5 years as required by applicable law |
You can delete your account and all associated data at any time from the Profile & Settings screen in the app. Deletion is processed within 30 days.
Your Rights
Under GDPR, you have the following rights regarding your personal data. To exercise any of these rights, contact us at hello@getfinio.com. We will respond within 30 days.
- Request a copy of all personal data we hold about you.
- Request correction of inaccurate or incomplete data.
- Request deletion of your data ("right to be forgotten").
- Receive your data in a structured, machine-readable format.
- Object to processing based on legitimate interests, including affiliate recommendations.
- Disconnect your bank account and withdraw open banking consent at any time.
- Request that we limit how we use your data in certain circumstances.
- Lodge a complaint with Datatilsynet, Norway's data protection authority, at datatilsynet.no.
Security
We take data security seriously. FINIO uses the following measures to protect your data:
All data is stored in Supabase's Frankfurt (EU) data centre with encryption at rest and in transit. Bank credentials are never stored by FINIO — authentication is handled entirely by Tink's secure OAuth flow. Access to our database is restricted to authorised systems only. We do not log or store raw bank credentials at any point.
While we take all reasonable steps to protect your data, no system is completely immune to risk. In the event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and inform affected users without undue delay.
Children
FINIO is not directed at or intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child under 18 has provided us with personal data, please contact us immediately and we will delete it.
Changes to This Policy
We may update this Privacy Policy from time to time as our service evolves or as legal requirements change. When we make material changes, we will notify you through the app and update the "Last updated" date at the top of this page.
Continued use of FINIO after changes take effect constitutes acceptance of the updated policy. If you disagree with any changes, you may delete your account at any time.
Contact Us
If you have any questions about this Privacy Policy or how we handle your data, please reach out.
FINIO
Email: hello@getfinio.com
Website: getfinio.com
For data protection matters, including exercising your GDPR rights, please use the subject line: "Data Privacy Request"