← Back to Finessi

Privacy Policy

Effective date: April 26, 2026 · Last updated: April 26, 2026

1. Introduction

This Privacy Policy describes how Finessi ("Finessi," "we," "our," or "us") collects, uses, and shares information when you use the Finessi mobile application (the "App") or visit finessi.app (the "Site").

Finessi is a gamified personal finance app that helps you track expenses, set savings goals, and build money habits through an RPG-style interface. By using the App, you agree to this Policy. If you do not agree, please do not use the App.

2. Data Controller & Contact

The data controller is 104 Ventures LLC, a limited-liability company organised under the laws of the State of Wyoming, United States of America (operating as "Finessi").

Privacy contact: [email protected]

3. Information We Collect

3.1 Information you provide directly

  • Account data: full name, email address, password (stored as a bcrypt hash — we never see the plaintext), date of birth, country, timezone, preferred language, preferred currency.
  • Profile photo (optional).
  • Financial inputs: transaction amounts, dates, categories, subcategories, descriptions, and place names you record. Monthly income (optional). Savings goals you create.
  • Receipt and price-tag images you capture in the App for AI scanning.
  • Voice recordings when you use the voice-input feature to log an expense. Audio is sent to OpenAI for transcription and is not retained on our servers after processing.
  • Support communications when you email us.

3.2 Information from sign-in providers

If you sign in with Google, we receive your email, name, profile photo URL, and a stable user identifier (the "sub" claim) from Google. We use this only to identify your account.

3.3 Information collected automatically

  • Device and app data: platform (iOS / Android), app version, locale.
  • Authentication state: JWT access tokens and refresh tokens that keep you signed in for up to 14 days of inactivity.
  • Push notification token: when you enable notifications, we store the Expo Push token associated with your installation so we can send reminders.
  • In-app behaviour (telemetry): a pseudonymous device identifier, a session identifier that resets after 30 minutes of inactivity, the screen you are on, button taps, and lifecycle events (app open/background, login, feed submit, paywall shown, purchase outcome, etc.) with timestamps. We use this to understand which features are used, diagnose bugs, and improve the App.
  • Game state: XP, level, gold, streak counts, dragon evolution stage, quest progress, achievements.
  • Subscription state: your active product, period type, expiration date, and renewal flag, received from RevenueCat (see Section 6).

We do notcollect your phone's contacts, calendar, SMS, call history, photos library beyond what you select for upload, or precise location.

4. Device Permissions

The App requests these device permissions only when you use the related feature:

  • Camera: to scan receipts and price tags.
  • Microphone: to record voice expense entries.
  • Photo library / storage: to pick a profile photo.
  • Notifications: to send streak reminders, income reminders, and weekly summaries. You can revoke these at any time in your device settings or in Profile → Notifications.
  • Internet / network state: required for the App to communicate with our servers.

5. How We Use Your Information

We use the data described above to:

  • Provide the App's core expense-tracking, goal-setting, and gamification features (legitimate interest / contract).
  • Authenticate you and keep your session secure (contract).
  • Process receipt and voice inputs through AI to extract amounts and categories (contract).
  • Generate analytics, insights, and AI-written weekly summaries (contract).
  • Send transactional emails (verification, password reset, account-deletion confirmation) (contract).
  • Send the push notifications you have enabled (consent / legitimate interest).
  • Process subscription purchases, renewals, refunds, and entitlement checks (contract).
  • Detect and prevent fraud, abuse, and security incidents (legitimate interest).
  • Diagnose bugs and improve the App via telemetry (legitimate interest).
  • Comply with legal obligations.

We do not use your personal or financial data for advertising, profiling, or to train third-party AI models. We do not sell your data.

6. Service Providers We Share Data With

We share the minimum data necessary with the following processors, each bound by data-protection terms:

  • Railway (hosting & database): stores your account, transactions, game state, telemetry events, and notification preferences. Data is encrypted in transit (TLS) and at rest.
  • Google (Sign-In): when you choose Google sign-in, Google verifies your identity and returns the data described in Section 3.2.
  • Google Play Billing: processes subscription purchases on Android. Payment details are handled by Google; we do not see card numbers.
  • Apple App Store (if applicable): processes purchases on iOS.
  • RevenueCat: tracks subscription entitlements across stores. Receives your Finessi user ID, country, and purchase events.
  • Expo Application Services: delivers push notifications via the Expo Push and Firebase Cloud Messaging (FCM V1) infrastructure. Receives your Expo push token and notification payload.
  • Google Firebase Cloud Messaging: delivers Android notifications. Receives the FCM device token.
  • OpenAI: processes receipt images, price-tag images, voice audio (Whisper), and AI-assistant prompts. Inputs are not used by OpenAI to train their models per their API terms; outputs are returned to us and shown to you in the App.
  • Resend: sends transactional emails (verification codes, password reset, account-deletion confirmation). Receives your email address.

We may also disclose data when required by law, in response to valid legal process, to protect our rights or the safety of users, or in connection with a corporate transaction (with notice to you).

7. International Data Transfers

Some of our processors (e.g., OpenAI, Google, Railway, RevenueCat) operate servers in the United States and other jurisdictions outside your country of residence. By using the App you consent to these transfers. Where required (e.g., for users in the EEA / UK), we rely on Standard Contractual Clauses or equivalent safeguards.

8. Data Retention

  • Account, financial, and game data: retained while your account is active.
  • Telemetry events: retained for up to 90 days, then deleted or aggregated.
  • Voice recordings: not retained on our servers — passed to OpenAI for transcription and discarded after the response is returned.
  • Receipt images: retained while linked to a transaction; deleted when the transaction or account is deleted.
  • After account deletion: personal data is deleted within 30 days, except where retention is required by law (e.g., tax records) or for legitimate fraud-prevention purposes.

9. Security

  • All traffic between the App and our servers is encrypted with HTTPS / TLS.
  • Passwords are hashed with bcrypt; we cannot recover plaintext passwords.
  • Authentication uses short-lived JWT access tokens with refresh tokens and a 14-day sliding-session expiry.
  • Database access is restricted to authorized services and encrypted at rest.
  • HTTP security headers (Helmet), per-endpoint rate limiting, and OWASP-aligned input validation are enforced server-side.

No method of transmission or storage is 100% secure. If you suspect unauthorized access to your account, contact us immediately at [email protected].

10. Your Rights

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data — most fields are editable in the App.
  • Delete your account and associated personal data.
  • Export your transaction history (CSV is available in Analytics → Export).
  • Object to or restrict processing.
  • Withdraw consent for notifications or other consent-based processing at any time.
  • Lodge a complaint with your local data-protection authority.

To exercise these rights, email [email protected] or use the in-app and web account-deletion flows described in Section 11.

11. Account Deletion

You can delete your account in two ways:

  • In the App: Profile → Settings → Delete Account.
  • On the web: finessi.app/delete-account — submit a request and we will delete your account within 30 days.

When your account is deleted, we erase your profile, transactions, goals, game state, telemetry, push token, receipt images, and voice-recording references. Encrypted backups are purged on their normal rotation cycle (within 35 days). Some records may be retained where required by law.

12. Children's Privacy

Finessi is not directed to children under 13 (or the equivalent minimum age in your jurisdiction — 14 in some countries, 16 in the EEA for consent-based processing). We do not knowingly collect personal data from children below the applicable age. Sign-up requires a date of birth and we block under-13 registration.

If you believe a child has provided us with personal data, please contact [email protected] and we will delete it.

13. Changes to This Policy

We may update this Policy from time to time. Material changes will be announced in-app or by email. The "Last updated" date at the top of this page shows when the Policy was most recently revised. Continued use of the App after changes constitutes acceptance.

14. Contact

Questions or requests about this Privacy Policy:

[email protected]