Privacy Policy

What we collect

Account info: name, email, phone, password hash (argon2; we never see your plaintext password), avatar, time zone, locale.

Workspace info: business name, type, industry, state, fiscal year, accounting method, employees & roles, and the invitations you send.

For external reviewers signing up via invite: firm name, license number, license jurisdiction, full address, phone (E.164). We use these to help workspace owners verify the right person was invited.

Financial data: bank connections, transactions, invoices, bills, receipts, ledgers, tax data, reports, and the AI model proposals about all of them.

Product usage: pages visited, features used, errors encountered. We do not sell this.

Device info: user-agent, IP address, OS, app version (for the mobile app), 2FA / biometric status.

How the AI improves from your data

FinXteam's AI CPA-grade Brain becomes more consistent and useful over time by learning from the feedback you and your reviewers give, the rules you approve, and your workspace's transaction history. We use these signals to improve categorization, reconciliation, and exception handling for your workspace, with human review kept at the center — outputs remain review-ready drafts that you or your invited CPA approve before anything becomes final.

Any use of data to improve our underlying models is limited to aggregated and anonymized signals; we do not train on individual records without explicit consent, and we do not sell your data.

Why we collect it

To give you the product — bookkeeping, reconciliation, reporting, tax prep, alerts, multi-user collaboration.

To secure your account (rate limits, 2FA, anomaly detection, refresh-token rotation).

To improve the product (debugging, model training on aggregated and anonymized signals — never on individual records without explicit consent).

To comply with the law (audit logs, financial-record retention, tax-filing rules).

Who can see your data

Workspace members you grant access to. Owners control the membership list. External reviewers see only what the owner has granted them and only for the access window the owner set.

Plaid (for bank connections), Resend (for email), Stripe (for payments), Mixpanel (for product analytics) — each acts as a sub-processor on our behalf under their own privacy commitments.

Law enforcement, with proper legal process. We resist over-broad requests.

Nobody else. We don't sell your data.

Where it lives

Postgres in AWS (US region by default), encrypted at rest. Backups are encrypted and held for 30 days.

Transit between you and us is TLS 1.2+ with HSTS preload.

Application secrets and OAuth keys live in our hosting provider's secret store, never in source control.

How long we keep it

Active accounts: as long as the account is open.

Closed accounts: financial records for the period required by US accounting and tax law (7 years for most documents). After that, deleted or anonymized.

Audit logs: append-only and retained as part of the financial record. We never tamper with or delete them once written.

Your rights

Export — get a copy of your data in a portable format. Request from inside the app or by email.

Delete — close your account and have us delete or anonymize what isn't under legal retention. The process completes within 30 days.

Correct — fix anything inaccurate. Most things are editable in the product; for the rest, email us.

Object — opt out of analytics or marketing email at any time without losing product access.

Children

FinXteam is for businesses and the people running them. We don't knowingly collect data from anyone under 16.

Contact

Email privacy@finxteam.com for any privacy question, data-export request, or deletion request.