Privacy Policy

Finatha (the "Service") is operated by an independent operator based in Doha, Qatar (the "Operator", "we", "us"), currently [Operator Legal Name], reachable at [Operator Address]. The Operator is the data controller for personal data processed through the Service.

For privacy questions, data subject requests, or to report a concern: privacy@finatha.app. We respond within 5 business days, and within statutory deadlines where they apply.

EU and UK representatives. Until a representative is formally appointed under Article 27 of the GDPR and the equivalent provision of the UK GDPR, EU and UK users may write directly to privacy@finatha.app. Where required by law, a representative will be appointed before active marketing in those regions and listed here.

This Privacy Policy covers the Finatha web app at finatha.app, the Finatha mobile app, and the Finatha marketing site. It explains what we collect, why, and your rights.

Finatha is a personal financial planning tool. We never move your money. We do not sell your data. We do not run advertising trackers.

Account data. Email address (and a hashed password if you set one). When you sign in with Google or Apple, the unique account identifier they return, your email, and (where you allow it) your name.

Profile data. Optional information you enter to personalise the product: name, nationality, employer name, country of residence, language, currency, payday cadence.

Financial planning data. Information you enter manually about your accounts, balances, transaction lines, salary structure, goals, bills, debts, remittances, and similar planning items. We never source this from your bank.

Usage and device data. IP address (truncated where possible), user agent, device type, OS, browser language, page events and clicks, error reports, performance metrics, approximate region.

Support correspondence. When you write to us, we keep the message and our reply.

Payment data. When you subscribe, our Merchant of Record (Lemon Squeezy) collects the payment data needed to process the transaction. We receive a subscription identifier, the plan, country, last 4 digits of the card, and renewal status. We do not see or store full card details.

Under the GDPR (and equivalent laws in the UK, Qatar, the UAE, KSA, and Bahrain), each use of personal data needs a legal basis. Ours are:

• Performance of a contract. Authenticating you, hosting your data, calculating planning outputs, providing paid features, processing payments, and delivering the Service you signed up for.
• Legitimate interests. Securing the Service against abuse and fraud, monitoring uptime and errors, improving the product based on aggregated usage, defending legal claims. We balance our interest against your rights and stop where your rights would override.
• Consent. Non-essential cookies (analytics, session-replay diagnostics, functional preferences), AI features that send your prompt to a third-party provider, marketing emails. You can withdraw consent at any time.
• Legal obligation. Tax, accounting, anti-fraud, and any other obligation imposed by applicable law.

We do not use your data for automated decisions that produce legal or similarly significant effects on you.

Some Finatha features use generative AI from OpenAI under their zero-retention API terms. When you use one:

• We send your prompt and a narrow window of relevant inputs to OpenAI.
• OpenAI does not retain your inputs or outputs beyond the time needed to return a response, and does not use them to train models.
• The output is generated by an AI model, may be wrong, and is not advice.
• Avoid pasting sensitive personal information beyond what the feature needs.

You can opt out by simply not using AI features. Doing so does not affect the rest of the Service.

We use first-party cookies that are strictly necessary to keep you signed in, secure your session, and remember your language and theme. With your consent, we use analytics, diagnostics, and functional cookies to understand product usage and personalise the product. Full details are in our Cookie Policy at finatha.app/cookies.

You can change your choice at any time using "Cookie Settings" in the footer or your browser controls. We honour Global Privacy Control.

We use a small number of vendors to operate the Service. The current list, with each vendor's purpose, location, and the safeguards in place, is published at finatha.app/sub-processors and updated when we change vendors. By using Finatha, you accept the use of these sub-processors.

Categories of sub-processor we use today:

• Managed database, authentication, and storage (Supabase).
• Application hosting (Vercel).
• Error monitoring (Sentry).
• Product analytics (PostHog), only with your consent.
• Transactional email delivery (Resend).
• Rate limiting and abuse protection (Upstash).
• Generative AI (OpenAI), only when you use AI features.
• Payment processing as Merchant of Record (Lemon Squeezy).
• Identity providers (Google, Apple), only if you sign in with them.

We give 30 days' notice of new sub-processors via the sub-processors page. You may object by writing to privacy@finatha.app, and may terminate if a change is material.

Some of our sub-processors are located in the United States and the European Union. When we transfer personal data outside your country of residence, we rely on:

• The Standard Contractual Clauses approved by the European Commission and the equivalent UK International Data Transfer Addendum, executed with each US-located processor.
• The EU-US Data Privacy Framework where the recipient is certified under it.
• Other lawful transfer mechanisms where required by your local data-protection law.

You can request a copy of the transfer safeguards we rely on by writing to privacy@finatha.app.

We keep personal data only as long as we need it:

• Active account data is kept while your account is active.
• After 24 months of inactivity, we email you and may delete data if you do not respond.
• Account deletion: financial planning data is removed from active systems within 30 days of your request, and from rotating backups within a further 30 days.
• Logs (security, error, access) are kept up to 12 months.
• Support correspondence is kept up to 24 months for service quality and dispute defence.
• Tax and accounting records related to subscriptions are kept for the period required by law (typically 5 to 10 years).

Anonymised, aggregated data that no longer identifies you may be kept indefinitely for product analytics.

We protect your data with industry-standard controls:

• Encryption in transit (TLS 1.2+) and at rest.
• Row-level security on the database so users only see their own rows.
• Principle of least privilege for any administrative access, with audit logging.
• Secrets stored in a secure manager, rotated regularly.
• Multi-factor authentication on internal admin tooling.
• Continuous dependency and vulnerability scanning.
• Backups and disaster-recovery plans.

No system is perfectly secure. If you suspect a vulnerability, please report it to security@finatha.app.

If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and at the latest within 72 hours where required by Article 33 of the GDPR (and equivalent provisions of UK GDPR, Qatar PDPL, UAE PDPL, KSA PDPL, and any other applicable law). We will inform affected users without undue delay where the breach is likely to result in a high risk to your rights and freedoms.

Subject to applicable law, you have the right to:

• Access the personal data we hold about you.
• Rectify inaccurate or incomplete data.
• Erase your data ("right to be forgotten").
• Restrict how we process your data.
• Object to processing based on legitimate interests.
• Portability of the data you provided, in a machine-readable format.
• Withdraw consent at any time, where processing relies on consent.
• Not be subject to a decision based solely on automated processing that produces legal effects on you.
• Complain to a supervisory authority.

To exercise these rights, write to privacy@finatha.app. We may need to verify your identity. We do not charge for these requests except for manifestly unfounded or excessive ones.

Supervisory authorities you can contact:

• Qatar: National Cyber Security Agency / Compliance and Data Protection Department.
• United Kingdom: Information Commissioner's Office (ICO), ico.org.uk.
• European Union: your member state's data protection authority. A list is at edpb.europa.eu.
• United Arab Emirates: UAE Data Office (mainland), DIFC Commissioner of Data Protection (DIFC), ADGM Office of Data Protection (ADGM).
• Saudi Arabia: Saudi Data and AI Authority (SDAIA).
• Bahrain: Personal Data Protection Authority.

If you are a California resident, the California Consumer Privacy Act and the California Privacy Rights Act give you specific rights. We do not sell or share your personal information for cross-context behavioural advertising. We do not knowingly collect or sell the personal information of minors under 16.

Categories collected. Identifiers (email, account ID), commercial information (subscription, purchase history), internet activity (page events, error reports), geolocation (approximate region), inferences (product preferences). The sources, purposes, and recipients are described elsewhere in this policy.

Your rights. Right to know, right to delete, right to correct, right to limit the use of sensitive personal information (we do not collect sensitive personal information beyond account credentials), right to non-discrimination for exercising these rights, right to opt out of sale and sharing (we already do not sell or share).

Authorised agents. You may designate an authorised agent in writing to make a request on your behalf. We will verify your identity through your account credentials.

To submit a request, email privacy@finatha.app. The "Do Not Sell or Share My Personal Information" right is satisfied by default; we do not sell or share.

Finatha is for users 18 and older. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, write to privacy@finatha.app and we will delete the account and data promptly.

We may update this Privacy Policy from time to time. For material changes, we will notify you by email or in-app at least 14 days before the change takes effect. The current version is always at finatha.app/privacy and shows a "last updated" date. Earlier versions are available on request.

For privacy questions, data subject requests, or to report a concern: privacy@finatha.app Security: security@finatha.app General support: support@finatha.app Postal: [Operator Address], Doha, Qatar.

We respond within 5 business days, and within statutory deadlines where they apply.