Privacy Policy

Effective Date: March 31, 2026 · Last Updated: March 31, 2026

1. Introduction

Finelyt ("we," "us," "our," or "the Company") operates the website www.finelyt.com and the Finelyt mobile application (collectively, "the Service"). This Privacy Policy explains how we collect, use, disclose, store, and safeguard your information when you access or use our Service.

BY ACCESSING OR USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO BE BOUND BY THIS PRIVACY POLICY. IF YOU DO NOT AGREE, YOU MUST IMMEDIATELY CEASE ALL USE OF THE SERVICE.

This Privacy Policy is incorporated into and forms part of our Terms of Service.

2. Information We Collect

2.1 Information You Provide Directly

  • Account Information: Name, email address, and password (stored in encrypted form) when you register.
  • Payment Information: Billing details processed through our third-party payment processor (Stripe). We do not store your full credit card number, CVC, or bank account details on our servers.
  • Communications: Any messages, feedback, or support requests you send to us.

2.2 Email Data (Read-Only Access)

When you connect your email account (Gmail or Outlook), we access your emails in read-only mode exclusively to identify subscription-related information, including:

  • Receipts, invoices, and billing confirmations
  • Subscription renewal and cancellation notices
  • Payment confirmations and charge notifications

We never store, read, or process the content of your personal, social, or non-subscription-related emails. We use secure OAuth 2.0 connections and never have access to your email password. We cannot send, delete, modify, or forward your emails.

2.3 Automatically Collected Information

  • Device and Browser Information: IP address, browser type and version, operating system, device type, unique device identifiers.
  • Usage Data: Pages visited, features used, click patterns, time spent on pages, referral URLs, crash reports.
  • Cookies and Similar Technologies: Session cookies, authentication tokens, and analytics identifiers (see Section 7).

2.4 Information from Third-Party Services

When you sign in using Google OAuth, we may receive your name, email address, and profile picture from Google. We do not receive or store your Google password.

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases:

  • Contract Performance (Art. 6(1)(b) GDPR): Processing necessary to provide the Service you have subscribed to.
  • Consent (Art. 6(1)(a) GDPR): Where you have given explicit consent, such as connecting your email account.
  • Legitimate Interests (Art. 6(1)(f) GDPR): Service improvement, fraud prevention, and security. Our legitimate interests do not override your fundamental rights and freedoms.
  • Legal Obligation (Art. 6(1)(c) GDPR): Where processing is required to comply with applicable law.

4. How We Use Your Information

We use collected information strictly for the following purposes:

  • Providing, maintaining, and improving the subscription management Service
  • Automatically identifying and tracking your subscriptions from email data
  • Processing payments and managing your Finelyt subscription
  • Sending transactional communications (billing receipts, account alerts, renewal reminders)
  • Responding to support inquiries
  • Detecting, preventing, and addressing fraud, abuse, security threats, and technical issues
  • Complying with legal obligations, court orders, and enforceable governmental requests
  • Enforcing our Terms of Service

We do not use your data for targeted advertising, profiling, or selling to third parties.

5. Data Sharing and Disclosure

We do not sell, rent, trade, or otherwise commercialize your personal information. We may share information only in the following limited circumstances:

  • Service Providers: Trusted third-party processors (e.g., Supabase for database hosting, Stripe for payments, Vercel for hosting) who are contractually bound to process data only on our behalf and in compliance with this Policy.
  • Legal Compliance: When required by law, subpoena, court order, or governmental regulation, or when we believe disclosure is necessary to protect our rights, safety, or property.
  • Business Transfers: In connection with a merger, acquisition, bankruptcy, reorganization, or sale of assets. You will be notified via email and/or prominent notice on the Service before your data is transferred and becomes subject to a different privacy policy.
  • With Your Explicit Consent: For any purpose not described here, only with your prior, informed, and explicit consent.

6. Data Security

We implement robust security measures including:

  • TLS/SSL encryption for all data in transit
  • AES-256 encryption for data at rest
  • OAuth 2.0 with PKCE for email authentication (no passwords stored)
  • Row Level Security (RLS) policies ensuring users can only access their own data
  • Principle of least privilege for internal data access
  • Regular security reviews and dependency updates

DISCLAIMER: Despite our efforts, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security and are not liable for unauthorized access resulting from circumstances beyond our reasonable control, including but not limited to hacking, cyberattacks, or breaches of third-party services.

7. Cookies and Tracking Technologies

We use the following types of cookies:

  • Strictly Necessary Cookies: Authentication tokens and session management. These are essential for the Service to function and cannot be disabled.
  • Analytics Cookies: Anonymous usage statistics to improve the Service. You can opt out via browser settings.

We do not use advertising cookies, cross-site tracking pixels, or social media tracking widgets.

8. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including the United States, where our service providers operate. Where required by law, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on the service provider's certification under an applicable data transfer framework.

9. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes described in this Policy, or as required by law. Specifically:

  • Account Data: Retained while your account is active and for up to 30 days after deletion to allow recovery.
  • Email Tokens: OAuth tokens are stored only while your email is connected. Disconnecting your email immediately revokes and deletes all tokens.
  • Subscription Data: Retained while your account is active. Deleted upon account deletion.
  • Billing Records: Retained for up to 7 years to comply with tax and accounting obligations.
  • Server Logs: Automatically purged after 90 days.

10. Your Rights

Depending on your jurisdiction, you may have the following rights:

10.1 All Users

  • Access: Request a copy of all personal data we hold about you.
  • Correction: Update or correct inaccurate information via your account settings.
  • Deletion: Request permanent deletion of your account and all associated data.
  • Disconnect Email: Revoke email access at any time, instantly stopping all email scanning and deleting stored tokens.
  • Data Export: Export your subscription data in standard formats (CSV).
  • Opt-Out: Unsubscribe from marketing emails at any time (transactional emails cannot be opted out of while your account is active).

10.2 EEA, UK, and Swiss Residents (GDPR)

  • Right to Restriction: Request restriction of processing of your personal data.
  • Right to Portability: Receive your personal data in a structured, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests.
  • Right to Withdraw Consent: Withdraw consent at any time without affecting the lawfulness of prior processing.
  • Right to Lodge a Complaint: File a complaint with your local Data Protection Authority.

10.3 California Residents (CCPA/CPRA)

  • Right to Know: Request disclosure of categories and specific pieces of personal information collected.
  • Right to Delete: Request deletion of personal information.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
  • No Sale of Personal Information: We do not sell your personal information as defined by the CCPA.
  • No Sharing for Cross-Context Behavioral Advertising: We do not share your personal information for cross-context behavioral advertising as defined by the CPRA.

To exercise any of these rights, contact us at privacy@finelyt.com. We will respond within 30 days (or sooner if required by applicable law).

11. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at privacy@finelyt.com. We will take prompt steps to delete such information from our systems.

12. Third-Party Services

Our Service integrates with or relies on the following third-party services, each governed by its own privacy policy:

  • Supabase (database and authentication hosting)
  • Stripe (payment processing)
  • Vercel (web hosting and deployment)
  • Google APIs (Gmail read-only access and OAuth authentication)
  • Microsoft Graph API (Outlook read-only access)

We are not responsible for the privacy practices of third-party services. We encourage you to review their privacy policies independently.

13. Data Breach Notification

In the event of a data breach that affects your personal information, we will notify affected users via email and/or prominent notice on the Service within 72 hours of becoming aware of the breach, as required by applicable law. We will also notify relevant supervisory authorities where required.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email notification and/or prominent notice on the Service at least 30 days before they take effect. Non-material changes take effect immediately upon posting.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree, you must stop using the Service and delete your account.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: privacy@finelyt.com
Support: Contact Support

For GDPR-related inquiries, you may also contact your local Data Protection Authority.