FinVIFinVIBack to Home

Privacy Policy

Last Updated: October 27, 2025

This policy reflects our actual data retention practices and automated cleanup system.

1. Introduction

FinVI ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

This Privacy Policy complies with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable data protection laws.

Your Rights:

You have the right to access, correct, delete, and export your personal data. You can exercise these rights at any time from your account settings or by contacting us at privacy@finvi.app.

2. Information We Collect

2.1 Information You Provide

We collect information you voluntarily provide when using the Service:

Account Information:

  • Email address (required)
  • Password (encrypted, never stored in plain text)
  • Display name (optional)
  • Profile picture (optional)

Usage Data:

  • Chat messages and conversations with our AI
  • Stocks added to your watchlist
  • Alert configurations and preferences
  • Search queries and interactions
  • Trade journal entries (Elite tier only)

Payment Information:

  • Billing name and address
  • Payment method details (processed by Stripe, we do not store card numbers)
  • Transaction history

Brokerage Data (Elite Tier):

  • Interactive Brokers account credentials (encrypted)
  • Portfolio holdings and positions
  • Trade history

2.2 Automatically Collected Information

We automatically collect certain information when you use the Service:

  • Device Information: IP address, browser type, operating system, device identifiers
  • Usage Analytics: Pages visited, features used, time spent, click patterns (via Vercel Analytics)
  • Log Data: API calls, errors, performance metrics
  • Cookies: Session cookies, authentication tokens, preference cookies

2.3 Third-Party Data

We integrate data from third-party sources to provide the Service:

  • Yahoo Finance: Stock prices, market data, company information
  • Reddit: Public posts from r/wallstreetbets for sentiment analysis
  • News APIs: Financial news articles and headlines

This data is publicly available and subject to the respective platforms' privacy policies.

3. How We Use Your Information

We use your information for the following purposes:

3.1 Provide the Service

  • Authenticate your account and maintain security
  • Process your chat messages through Claude AI
  • Monitor stocks in your watchlist
  • Send alerts and notifications
  • Sync your brokerage portfolio (Elite tier)
  • Generate personalized insights and analysis

3.2 Improve the Service

  • Analyze usage patterns to improve features
  • Train and refine our AI models (using anonymized data)
  • Fix bugs and improve performance
  • Develop new features based on user behavior

3.3 Communication

  • Send transactional emails (alerts, confirmations, receipts)
  • Respond to support inquiries
  • Send product updates and announcements (you can opt out)
  • Request feedback and conduct surveys

3.4 Legal and Security

  • Comply with legal obligations and regulations
  • Prevent fraud and abuse
  • Enforce our Terms of Service
  • Protect our rights and property

Legal Basis (GDPR):

We process your data based on the following legal grounds:

  • Contract: To provide the Service you subscribed to
  • Consent: When you explicitly consent (e.g., marketing emails)
  • Legitimate Interest: To improve our Service and prevent fraud
  • Legal Obligation: To comply with laws and regulations

4. How We Share Your Information

4.1 Service Providers

We share your information with trusted third-party service providers who help us operate the Service:

ProviderPurposeData Shared
SupabaseDatabase & AuthenticationAll account and usage data
Anthropic (Claude)AI chat responsesChat messages, stock queries
StripePayment processingName, email, billing info
VercelHosting & AnalyticsUsage data, IP addresses
ResendEmail deliveryEmail address, message content
SentryError monitoringError logs, stack traces

All service providers are contractually required to protect your data and use it only for the specified purposes.

4.2 We Do NOT Sell Your Data

Important Commitment:

We do NOT sell, rent, or trade your personal information to third parties for marketing purposes. Your data is used solely to provide and improve the Service.

4.3 Legal Requirements

We may disclose your information if required by law or in response to:

  • Court orders or subpoenas
  • Government or regulatory requests
  • Legal proceedings or investigations
  • Protection of our rights, property, or safety

4.4 Business Transfers

If we are acquired, merge with another company, or sell our assets, your information may be transferred to the new entity. We will notify you before your information is transferred and becomes subject to a different privacy policy.

4.5 Aggregated Data

We may share anonymized, aggregated data that cannot identify you individually:

  • Usage statistics and trends
  • Market sentiment analysis
  • Product performance metrics

5. Data Security

5.1 Security Measures

We implement industry-standard security measures to protect your data:

  • Encryption in Transit: All data transmitted via HTTPS/TLS 1.3
  • Encryption at Rest: Database encryption using AES-256
  • Password Security: Passwords hashed with bcrypt (never stored in plain text)
  • Access Controls: Role-based access, principle of least privilege
  • Regular Audits: Security audits and penetration testing
  • Monitoring: Real-time monitoring for suspicious activity

5.2 Data Storage

Your data is stored on secure servers provided by Supabase:

  • Location: United States (US-East-1, AWS)
  • Backup: Daily automated backups with 30-day retention
  • Redundancy: Multi-region replication for availability

5.3 Your Responsibility

You are responsible for:

  • Keeping your password secure and confidential
  • Enabling two-factor authentication (when available)
  • Notifying us immediately of any unauthorized access
  • Using a secure internet connection

5.4 Breach Notification

In the event of a data breach that affects your personal information, we will:

  • Notify you within 72 hours of discovering the breach
  • Describe the nature and scope of the breach
  • Provide recommended actions to protect yourself
  • Notify relevant authorities as required by law

6. Data Retention

We retain your personal information only as long as necessary to provide the Service and comply with legal obligations. We run automated cleanup daily at 2:00 AM UTC to delete expired data.

6.1 Short-Term Data (Less than 30 days)

  • Stock price cache: 15 minutes (real-time market data)
  • Chart data cache: 7 days (historical price charts)
  • Alerts and notifications: 7 days after creation
  • Reddit sentiment data: 30 days (social sentiment analysis)

6.2 Medium-Term Data (90 days)

  • Usage analytics: 90 days (feature usage, performance metrics)
  • API cost logs: 90 days (billing and usage tracking)
  • Portfolio upload history: 90 days (screenshot upload logs)
  • Screenshot deletion logs: 90 days (compliance audit trail)

6.3 Long-Term Data (1 year)

  • Chat history: 1 year from last update (conversations and messages automatically deleted after 1 year)
  • Chat sessions: 1 year (deleting a session cascades to all messages)

Note: Chat history older than 1 year is automatically deleted to minimize data storage and protect your privacy.

6.4 Financial Records (7 years)

  • Subscription history: 7 years (required for tax compliance and financial auditing)
  • Payment records: 7 years (legal obligation under tax law)
  • Transaction history: 7 years (billing disputes and tax purposes)

Financial records are retained for 7 years as required by tax regulations.

6.5 Permanent Data (Until Account Deletion)

  • Account profile: Email, name, preferences (core account data)
  • Watchlist stocks: Your tracked stocks and interests
  • Portfolio positions: Your holdings and positions
  • User preferences: Settings and customizations
  • Usage windows: Quota and limit tracking

This data is retained until you delete your account, as it's essential for providing the Service.

6.6 Account Deletion

Immediate Deletion:

When you delete your account via Settings → Privacy → Delete Account:

  • Your account and all personal data are permanently deleted immediately
  • We provide a final data export before deletion (your right to data portability)
  • Deletion cascades to all related data (chat, watchlist, portfolio, alerts, analytics)
  • Financial records are retained for 7 years as required by law, but anonymized
  • Aggregated, anonymized analytics may be retained for product improvement

Automated Cleanup:

We run automated data retention cleanup daily at 2:00 AM UTC. Old data is automatically deleted according to the retention periods above. You can view the retention status in Settings → Privacy.

7. Your Privacy Rights

7.1 GDPR Rights (EU Users)

If you are located in the European Economic Area (EEA), you have the following rights:

  • Right to Access (Article 15): Request a copy of your personal data
  • Right to Rectification (Article 16): Correct inaccurate or incomplete data
  • Right to Erasure (Article 17): Request deletion of your data ("right to be forgotten")
  • Right to Restriction (Article 18): Limit how we use your data
  • Right to Portability (Article 20): Export your data in a machine-readable format
  • Right to Object (Article 21): Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time (where consent is the legal basis)

7.2 CCPA Rights (California Users)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: Request information about the personal data we collect and how we use it
  • Right to Delete: Request deletion of your personal data
  • Right to Opt-Out: Opt out of the sale of personal data (Note: we do not sell data)
  • Right to Non-Discrimination: Not receive discriminatory treatment for exercising your rights

7.3 How to Exercise Your Rights

You can exercise your privacy rights in the following ways:

Self-Service (Account Settings):

  • Access and download your data: Settings → Privacy → Export Data
  • Update your information: Settings → Account
  • Delete your account: Settings → Account → Delete Account
  • Manage email preferences: Settings → Notifications

Contact Us:

  • Email: privacy@finvi.app
  • Subject: "Data Rights Request - [Your Request]"
  • Include: Your account email and description of your request
  • Response time: Within 30 days (GDPR) or 45 days (CCPA)

8. Cookies and Tracking

8.1 Cookies We Use

We use the following types of cookies:

TypePurposeDurationEssential
AuthenticationKeep you logged in7 daysYes
PreferencesRemember your settings1 yearNo
AnalyticsUnderstand usage patterns2 yearsNo
SecurityPrevent fraud and abuseSessionYes

8.2 Managing Cookies

You can control cookies through:

  • Browser settings (block or delete cookies)
  • Our cookie consent banner (manage preferences)
  • Account settings → Privacy → Cookie Preferences

Note: Disabling essential cookies may prevent you from using certain features of the Service.

8.3 Do Not Track

Our Service does not currently respond to "Do Not Track" (DNT) browser signals. However, you can manage tracking through cookie settings and opt-out of analytics.

9. Children's Privacy

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18.

If we discover that we have collected information from a child under 18, we will delete that information immediately. If you believe we have collected information from a child, please contact us at privacy@finvi.app.

10. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States. These countries may have different data protection laws.

We ensure that such transfers comply with applicable data protection laws by:

  • Using Standard Contractual Clauses (SCCs) approved by the European Commission
  • Ensuring adequate safeguards are in place
  • Processing data only in countries with adequate data protection laws

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Email notification to your registered email address
  • In-app notification when you next log in
  • Prominent notice on our website
  • Updating the "Last Updated" date at the top of this policy

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.

12. Contact Us

If you have questions about this Privacy Policy or how we handle your data, please contact us:

Privacy Inquiries: privacy@finvi.app

Data Protection Officer: dpo@finvi.app

Support: support@finvi.app

Address: FinVI, Inc., 123 Market Street, San Francisco, CA 94103

13. Supervisory Authority (EU Users)

If you are located in the EEA and believe we have not addressed your privacy concerns adequately, you have the right to lodge a complaint with your local data protection supervisory authority.

Find your supervisory authority: European Data Protection Board

Your Consent

By using the Service, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your information as described herein.