Privacy Policy
Last updated: January 29, 2026
1. Introduction
Finolio ("we", "our", "the Service") is committed to protecting your privacy. This policy explains how we collect, use, and protect your personal data in compliance with the General Data Protection Regulation (GDPR) and Spanish data protection law (LOPDGDD).
2. Data Controller
The data controller responsible for your personal data is Finolio, contactable at privacy@finolio.imagineourfutures.org.
3. Data We Collect
We collect the following personal data:
- Account information: name, email address, hashed password
- Financial data: transactions, bank account names, card names, budgets, savings goals, and categories you create
- Usage data: sign-in times, IP addresses, and browser information (for security and analytics)
4. Legal Basis for Processing
We process your data based on:
- Contract performance: to provide the Service you signed up for
- Legitimate interest: security monitoring, fraud prevention, and service improvement
- Consent: for optional communications (you can withdraw at any time)
5. How We Use Your Data
Your data is used exclusively to:
- Provide and maintain the Service
- Authenticate your identity and secure your account
- Send essential service communications (password resets, security alerts)
- Improve the Service based on aggregated, anonymized usage patterns
We do not sell, rent, or share your personal financial data with third parties for marketing purposes.
6. Data Storage and Security
Your data is stored on servers within the European Union. We protect your data using:
- Hashed passwords (bcrypt)
- HTTPS encryption for all data in transit
- Access controls and authentication on all systems
- Regular security reviews
7. Data Retention
We retain your data for as long as your account is active. If you delete your account, all personal data will be permanently removed within 30 days, except where we are legally required to retain certain records.
8. Your Rights (GDPR)
Under the GDPR, you have the right to:
- Access: request a copy of all data we hold about you
- Rectification: correct inaccurate personal data
- Erasure: request deletion of your data ("right to be forgotten")
- Portability: receive your data in a machine-readable format
- Restriction: limit how we process your data
- Objection: object to processing based on legitimate interest
To exercise any of these rights, contact us at privacy@finolio.imagineourfutures.org.
9. Cookies
We use only essential cookies required for the Service to function (session authentication). We do not use tracking cookies, advertising cookies, or third-party analytics.
10. Third-Party Services
We use the following third-party services that may process your data:
- Email delivery: Brevo (for transactional emails such as password resets)
All third-party processors are GDPR-compliant and process data under our instructions.
11. Changes to This Policy
We may update this policy from time to time. We will notify you of significant changes via email. Continued use of the Service constitutes acceptance of the updated policy.
12. Supervisory Authority
If you believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es.