Finestro Privacy Policy

1. Introduction

Findmy LLC (the “Company,” “we,” “us,” or “our”), with offices at 150 East Palmetto Park Road, Suite 800, Boca Raton, FL 33432, USA, operates the Finestro website located at (finestro.io, finestro.ia) and related services, products, software, features, and content provided through it (collectively, the “Service”). This Privacy Policy outlines how we collect, use, process, and share your personal information when you use the Service. It is an integral part of our Terms of Service, and by accessing or using the Service, you confirm that you have read, understood, and agree to the practices described in this Policy. If you do not agree with this Privacy Policy, you must cease using the Service and may request deletion of your data as described below.

For purposes of this Policy, the following definitions apply:

  • “Personal Data” (or “personal information”) means any information relating to an identified or identifiable natural person.
  • “Processing” means any operation performed on Personal Data, such as collection, storage, use, disclosure, or deletion.
  • “GDPR” refers to the EU General Data Protection Regulation (EU) 2016/679. “UK GDPR” refers to the UK’s data protection law (the UK Data Protection Act 2018 and retained EU GDPR). “EEA” refers to the European Economic Area (EU member states plus Iceland, Liechtenstein, and Norway); for purposes of this Policy, references to the EEA include the United Kingdom as having equivalent data protection principles.
  • “LGPD” refers to the Lei Geral de Proteção de Dados, Brazil’s General Data Protection Law.
  • “PIPEDA” refers to Canada’s Personal Information Protection and Electronic Documents Act.
  • Other capitalized terms used but not defined in this Policy have the meanings given in our Terms of Service.

2. Data Controller and Contact Information

For the purposes of applicable data protection laws (such as the GDPR and UK GDPR), the data controller of your Personal Data is Findmy LLC. Findmy LLC is a Delaware limited liability company with offices at 150 East Palmetto Park Road, Suite 800, Boca Raton, FL 33432, USA. If you have any questions, requests, or concerns regarding your Personal Data or this Privacy Policy, please contact us by email at [email protected]. Please include “Privacy Inquiry” in the subject line of your email so we can route your request to the appropriate team.

3. Information We Collect

We collect information about you in several ways: (1) information you provide directly to us, (2) information collected automatically when you use the Service, and (3) information from third parties or integrated services. We limit our collection to what is relevant for operating and improving Finestro. Below we explain the categories of Personal Data we collect.

3.1 Information You Provide Directly

  • Registration & Onboarding Data: When you sign up for an account or engage with our onboarding questionnaires, you provide certain information. This may include basic details like your name, email address, and a password, as well as demographic or profile information such as your age, gender, and responses to questions about your financial situation, goals, or mindset. We use your email to create and authenticate your account, to send important account communications (e.g. verification emails, password resets), and to respond to your inquiries. We hash and securely store your password (we do not keep it in plain text). Some profile questions could be optional (for example, about your investment goals or experience), but providing them can help us personalize the Service for you.
  • Communications: If you contact us by email, through a contact form, or via customer support channels, we will collect the information you provide in those communications (such as your name, contact details, and the content of your message). We use this information to assist you, respond to your requests, and improve our customer service.
  • AI Assistant Interactions: Finestro offers an AI-powered assistant (“Alex”) and other interactive features to enhance your learning experience. If you use the AI Assistant or similar tools, you will input text queries or prompts (collectively, “User Interaction Content”). We collect and process the content of your queries and the AI-generated responses as needed to provide you with the requested functionality. Important: Your User Interaction Content is used only for the purposes of delivering the Service (e.g., generating answers or recommendations for you) and, by default, for improving our AI models and services. We do not use these interactions for any unrelated purpose, and we do not share the full text of your queries or AI responses with any third party except the service providers that power our AI features (see Section 6 below). We treat your inputs as private and do not make them visible to other users. If you prefer that we do not retain your AI interaction data for service improvement, you may contact us to opt out of such use (see Section 7 on Your Rights). Note that the AI Assistant is intended for educational and informational purposes only and does not provide individualized financial advice (please refer to our Terms of Service for more details on this feature).
  • Payment Information: If you purchase a subscription or make any payments through the Service, you will provide payment details. However, all payment card information (such as credit card numbers, billing address) is collected and processed directly by our third-party payment processors (e.g., Stripe or Braintree); we do not receive or store your full credit card number or sensitive payment details on our systems. We may receive from the payment processor a record of the transaction, which includes information like your name, the date/time of the transaction, the amount paid, and the payment method used (e.g., last four digits of your card, card type). We maintain these transaction records for billing history, receipts, and accounting purposes.
  • Sensitive Personal Data: We do not actively collect any sensitive personal data about you unless you choose to provide it. “Sensitive” data includes information like your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health information, or information about your sex life or sexual orientation. We also do not request or intentionally store government-issued identification numbers or financial account numbers beyond what is needed for payment processing (and as noted, payment details are handled by third-party processors). We ask that you refrain from submitting any highly sensitive personal information to us unless it is necessary. In the context of Finestro, it is generally not required to provide sensitive data; for example, we do not need information about your health or ethnicity to provide our financial education Service. If you do include any sensitive personal data in your interactions with us or within the Service (for instance, in a support request or in free-text responses to the AI Assistant), that is at your discretion. We will handle such data in accordance with this Privacy Policy (e.g., using it only to fulfill your request or provide the Service) and will apply special care to protect it, but you should understand that including sensitive information in any online service can carry additional privacy risks. If you have concerns about sensitive data, please contact us and we will attempt to accommodate your preferences.

3.2 Information Collected Automatically

  • Device and Technical Information: When you use our Service, we automatically collect certain information about the device and browser you use. This includes data such as your device’s IP address, operating system type and version (e.g., Windows, macOS, iOS, Android), device model, browser type and version (e.g., Chrome, Safari), language and region settings, and other technical identifiers. We also record the date and time you access the Service and how your device interacts with our Service. We collect this information to ensure the Service functions properly on different devices and browsers, to adapt the interface to your device, and to maintain the security and integrity of our Service (for example, using IP addresses to detect potential malicious activity or to approximate your general location for fraud prevention). This technical data also helps us diagnose performance issues and improve compatibility. We do not derive your precise geolocation from your IP address or device settings; at most, we can infer a general location (such as city or country), which we use to understand our user base distribution and to serve content (like language or currency) appropriately.
  • Usage Information: We collect information about your activity on the Service – essentially, how you use and interact with Finestro. This Usage Data includes details such as the features or content you use and view, the frequency and duration of your sessions, the pages or screens you visit, links or buttons you click, and the flow of your navigation through our Service. For example, we might log that a user completed a particular lesson, took a quiz, or used the Invest Hub simulator, including timestamps. We also track subscription status and history (e.g., whether you are on a trial or paid plan, your enrollment date, and renewal dates). If the Service includes advertisements or offers, we record interactions with those (such as impressions or clicks). Additionally, we collect diagnostic information like crash reports, error logs, and load times to help us identify and fix technical issues. This Usage Data helps us understand which parts of the Service are most popular or useful, how users progress through our content, and where improvements may be needed.
  • Referral Information: If you arrived at Finestro by clicking a link or advertisement on a third-party site, or via a referral from a partner, we may collect information about that referral source. This might include data such as the website or campaign that led you to us (for instance, the specific ad or marketing campaign ID, or the referral code used). We use this information to evaluate the effectiveness of our marketing efforts and partnerships. For example, knowing which ad campaigns result in sign-ups helps us optimize our marketing spend. This referral data may be collected via URL parameters, cookies, or tracking pixels as described below.
  • Cookies and Similar Technologies: Like most online services, we use cookies and similar tracking technologies to recognize you and collect information automatically. Cookies are small text files that a website stores on your device which allow us or our partners to distinguish your browser or device. We (and authorized third parties) use cookies for a variety of purposes, such as keeping you logged in, remembering your preferences, and gathering analytics about usage of the Service. For example, if you adjust certain settings or complete a tutorial, we might use a cookie to remember your progress. We also use tracking pixels and scripts (such as the Facebook/Meta Pixel and the TikTok Pixel) which work with cookies to track user actions and measure the effectiveness of ads. These technologies help us understand aggregate usage patterns (e.g., how many users return to the site, which pages are visited most often, how users move through our sign-up flow) and also enable us to personalize content and advertising for you. The information collected via cookies and trackers can include the technical and usage data described above, as well as unique identifiers associated with your device or browser, and information about your interactions with our Service (for instance, that you visited a certain page or clicked a particular button). We utilize both session cookies (which expire when you close your browser) and persistent cookies (which remain on your device for a set period or until you delete them). Your Choices: You have control over cookies: most web browsers allow you to manage or delete cookies. You can set your browser to refuse certain cookies or to alert you before accepting them. Please note that if you disable cookies, some parts of the Service may not function properly (for example, you may have to log in each time, or certain preferences might not be remembered). To learn more about managing cookies, you can consult your browser’s help documentation.
In addition, there are industry opt-out sites for interest-based advertising, such as the Network Advertising Initiative (NAI), the Digital Advertising Alliance (DAA), and the European Interactive Digital Advertising Alliance (EDAA). Using these tools, you can opt out of many advertising cookies at once.
  • Analytics Data: We use third-party analytics services (like Google Analytics and Amplitude) to help collect some of the Usage Data described above. These services use cookies and similar technologies to gather information about how users navigate and use our Service. They may record data such as your device information, pages visited, time spent on pages, links clicked, and conversion events. Importantly, we have configured these analytics tools to avoid collecting personally identifying information whenever possible. For example, we may employ IP address anonymization for Google Analytics (so that your full IP is not stored). The analytics providers process data only on our behalf and per our instructions (they are considered our “data processors”). We use the insights from these analytics to improve the Service (e.g., identifying which content is most engaging). If you wish, you can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on, or use your browser’s Do Not Track feature as noted in Section 13, which we honor for analytics opt-out where feasible.

3.3 Information from Third Parties

In certain cases, we may obtain information about you from third-party sources:
  • Third-Party Login or Integrations: If we offer a feature that allows you to register or log in via a third-party account (such as Google, Facebook, etc.), we would receive from that third party the information you authorize for sharing (for example, your name and email from your Google account). We will use any such information in accordance with this Privacy Policy. Note: if you choose to link a third-party account, you should review the privacy settings and policies of that provider, as their handling of your data will be governed by their own rules. (As of the Last Updated date of this Policy, Finestro primarily uses its own registration system and may not support social logins, but we include this notice for completeness should such features be added.)
  • Advertising & Marketing Partners: We may receive information from marketing partners or platforms to understand ad campaign performance or user demographics. For example, if we run an ad on Facebook that you click, Facebook may later provide us aggregated data about actions taken (e.g., how many people who saw the ad signed up). This information typically does not include your personal identifiers; it’s used in aggregate form to measure effectiveness of our advertising. In some cases, we might receive your information from referral partners who promote Finestro. We treat any such incoming third-party data in line with what’s described here and only use it for the purposes for which it was provided (e.g., attributing a referral or customizing our marketing approach).

In all cases, any information we obtain from third-party sources will be combined with information you provide and information collected automatically, and treated according to this Privacy Policy.

4. How We Use Your Information

We process your Personal Data for the following purposes, and rely on appropriate legal bases (outlined in Section 5) for each purpose. In essence, we use the collected information in order to operate and improve the Service, communicate with you, personalize your experience, and fulfill our obligations. Below we describe each of these purposes in more detail:

4.1. To Provide and Maintain the Service: We use your information to operate the Finestro platform and deliver core features and content to you. This includes using your registration information to create and secure your account, authenticating your logins, and enabling you to access the educational materials, tools, and personalized plans. We process the inputs you provide (for example, your responses to our questionnaire or queries to the AI Assistant) to generate the results or content you request. We also use technical data to ensure the Service works correctly on your device, to adapt to your screen size or language, and to monitor the Service’s uptime and performance. Maintaining the Service also involves routine administrative and technical activities like backing up our database, updating software, and cybersecurity measures. In short, we use whatever information is necessary to provide you with the services and features you have requested and to ensure Finestro is running smoothly. This also means fixing errors or bugs you might encounter - e.g. if an error log or crash report indicates something didn’t load properly for you, we will use that information to troubleshoot the issue. Without processing your personal data for these core functions, we would not be able to offer the Service to you.

4.2. To Manage Your Account and Provide Support: We process personal data to administer your user account and to assist you when you reach out for help. For example, we use your email (or phone number, if provided for contact) to communicate with you about your account status, to send password reset links upon request, or to notify you of changes to your subscription. If you contact us with a support question or issue, we will review your information (such as your account details and any relevant usage logs) and the content of your request in order to respond. This may involve accessing your account settings or usage history to replicate an issue and find a solution. We also use your information to manage preferences or settings you configure in your account (for instance, if you opt-in or opt-out of certain features or communications, our systems will record and honor those preferences). Providing effective customer service is an important part of our contract with you, so we use whatever information is necessary (and appropriate) to fulfill your inquiries and requests. This can include technical support, answering questions about content, or processing requests to exercise your data rights.

4.3. To Communicate With You: We use your contact information to send you important administrative or transactional communications related to the Service. This includes messages such as confirmation emails when you register, welcome emails with guidance on getting started, notifications about changes to our Terms of Service or this Privacy Policy, alerts about security or privacy issues, and receipts or invoices for your purchases. These communications are necessary for us to perform the Service and keep you informed. They are not promotional in nature, and you cannot opt out of receiving critical service announcements (aside from canceling your account) because we need to ensure you receive them. In addition, if you have opted in to receive marketing communications from us (or if otherwise permissible under applicable law), we will use your email address (or other provided channel) to send you newsletters, updates, and offers about our products and services. For example, we may send tips on how to better use Finestro, information about new features like the AI Assistant or Invest Hub improvements, or special promotions for subscription upgrades. You can always opt out of marketing emails by clicking the “unsubscribe” link in any such email, or by contacting us directly - we will respect and execute such opt-outs promptly. We may use third-party email services to manage and deliver our email communications, but these providers are only allowed to use your email for sending our messages and not for other purposes (see “Service Providers” in Section 6). Note: opting out of marketing emails will not affect your receipt of important service-related communications (described above) which we will still send when necessary.

4.4. For Research, Analytics, and Service Improvement: We analyze the information we collect about users’ interactions with our Service in order to understand usage trends and make improvements. This means using data like device information, usage logs, and feedback to gain insights into how our product is performing and how it can be enhanced. For example, we might evaluate which lesson modules are most frequently completed or where users tend to drop off in a tutorial, and then use that insight to improve our content or user interface. We might perform A/B testing (showing different users slight variations of content or layout) and measure the results to see which version is more effective. We also monitor the effectiveness of new features (like the AI Assistant) by analyzing how often they’re used and gathering user feedback or success rates, which helps us refine those features. In doing so, we often work with aggregated or pseudonymized data whenever possible, for instance, generating statistics on overall feature usage rather than focusing on any single user. If we use analytics cookies or similar technologies to assist in this (as described in Section 3.2), we will do so in compliance with applicable requirements. The end goal of processing data for this purpose is to continuously improve the content, functionality, and security of Finestro, providing a better experience for all users. In some cases, research and development may involve machine learning: for example, we may use a sample of anonymized user queries to the AI Assistant to train or fine-tune the AI models that power it. If you have opted out of such use of your data, however, your queries will be excluded from model training datasets. All improvement-related processing is done under careful controls to protect your privacy (e.g., using internal analytics tools or trusted partners, and stripping out direct identifiers whenever feasible).

4.5. To Personalize Content and Advertising: We want to make the Finestro experience as relevant as possible to each user. We may use the information we have about you to personalize the content you see on the Service, for example, recommending certain articles or courses based on your past activity or showing you a tailored financial plan based on the goals you’ve shared. Additionally, we work with advertising partners to deliver relevant advertisements about our Service on other websites or platforms you may visit, as well as potentially within the Finestro Service itself. For instance, we might use Facebook, Google, or other ad networks to show you Finestro promotions, and we might use data like your device identifiers or cookies to retarget our ads to you (so that if you visited our site but didn’t sign up, we could show you an ad later reminding you of Finestro). This is generally known as interest-based or personalized advertising. We may also tailor the ads or offers within our Service (if any) based on your interests, for example, if you have shown interest in advanced investing topics, we might show you offers for related advanced courses. Any advertising or marketing use of data is done in accordance with applicable law, for example, in certain jurisdictions we will only do targeted advertising if you have given consent for advertising cookies. Your choices: You have the ability to influence how your data is used for advertising. As mentioned above, you can opt out of third-party advertising cookies by using industry tools like NAI or DAA opt-out pages, or by adjusting your mobile device settings to limit ad tracking. On the web, enabling your browser’s Do Not Track (DNT) signal or using browser extensions can also reduce tracking. Keep in mind that even if you opt out of personalized ads, you may still see non-targeted ads for Finestro (or other services); they just won’t be tailored using cookies or your behavior.

4.6. To Process Payments: When you make a purchase or subscribe to Finestro’s paid offerings, we process the necessary Personal Data to complete the transaction. This includes using your payment information to charge the correct amount, verifying that the payment was successful, and updating your account’s subscription status. Our use of your data for payments also covers activities like sending you billing receipts or notifications of upcoming subscription renewals, and handling any billing-related inquiries or disputes. As noted, we rely on third-party payment processors, so much of this processing is actually done by them on our behalf, but we retain enough information (like transaction IDs and subscription identifiers) to manage your billing internally. Processing payments inherently involves sharing data with the payment gateway and banks involved, and we ensure that industry-standard security measures (such as encryption) are in place for these flows. Without using your data in this way, we couldn’t charge you or provide paid features you sign up for, so this processing is essential when you choose to make use of paid services.

4.7. To Enforce Our Terms and Prevent Fraud/Misuse: We are committed to maintaining a trusted and secure environment, so we use personal data to enforce our agreements and policies, and to detect or prevent harmful, fraudulent, or illegal activities. This can include monitoring for violations of our Terms of Service. We may use certain data (like device identifiers or IP addresses) to ensure one individual isn’t creating multiple free trial accounts in a manner that violates our terms. If we suspect that an account is engaged in fraud or abuse (such as using stolen credit cards, engaging in harassing behavior on any community features, or attempting to hack or spam our systems), we will investigate using the data we have; this might involve reviewing account activity logs or sharing information with law enforcement if appropriate. We also use your information to protect our rights, property, and safety, as well as those of our users and others. This type of processing is aimed at keeping Finestro safe and trustworthy for everyone.

4.8. To Comply with Legal Obligations: Finally, we will process and/or disclose your Personal Data when necessary to comply with our legal obligations. This includes situations such as responding to lawful requests by public authorities or law enforcement (e.g., complying with a court order or valid subpoena), fulfilling our regulatory reporting duties, or meeting financial and tax record-keeping requirements. For example, under U.S. law we might be required to retain and report certain transaction information for tax purposes or to prevent money laundering. If we receive a request from a government agency concerning a user’s data, we will only comply if the request is legally valid and necessary. We may also use or preserve data as needed to exercise our legal rights or defend against legal claims, for instance, retaining certain account records if we are in a litigation hold or if a dispute arises with a user. Additionally, we may disclose information if we believe in good faith that it’s necessary to prevent an imminent harm (such as to prevent fraud or to protect someone’s safety), though this typically falls under legal obligations or our legitimate interests in safety. In summary, when the law requires us to process or share data, we will do so, but we will limit the Personal Data to what is necessary and will ensure any disclosure is properly authorized.

If you are located in a jurisdiction that requires a lawful basis for processing personal data (such as under the GDPR in the European Union, UK GDPR in the United Kingdom, or similar laws), we only process your Personal Data when we have a valid legal basis to do so. This section explains the legal grounds we rely on for the processing activities described above:

  • Consent: In cases where we are required to obtain your consent (or opt-in) before processing your data, we will do so. For example, we rely on your consent to send you direct marketing emails or newsletters (if you are not an existing customer or if law otherwise mandates consent). Where we process sensitive personal data (as defined by applicable law), we will generally only do so with your explicit consent or if you voluntarily provide such data to us. You have the right to withdraw your consent at any time for future processing (see Section 7 on Your Rights), which will not affect the lawfulness of processing based on consent before its withdrawal.
  • Contract Performance: Much of our data processing is carried out because it is necessary to perform our contract with you. When you sign up for Finestro, you agree to our Terms of Service, which forms a contract for us to provide the Service. We need to process certain personal data to fulfill our obligations under that contract, for example, using your registration and profile data to create your account and allow you to log in, using your input to generate your personalized financial plan or to provide AI Assistant responses, and processing your payment details to provide the paid features you’ve subscribed to. If you request customer support or make use of our interactive features, those are also part of the services we provide under our contract. In short, we process data that is necessary for providing the core Service that you expect from us, and without such data, we would be unable to perform the services as promised.
  • Legitimate Interests: In some cases, we process your data based on our legitimate interests, that is, we have a genuine and legitimate reason to use your data in a way that doesn’t overly infringe on your rights and interests. We make sure to consider and balance any potential impact on you (both positive and negative) and your rights before we process data on this basis. Examples of processing under legitimate interests include: using analytics to improve and personalize our Service (we have a legitimate interest in understanding how people use Finestro so we can make it better, which also benefits users), engaging in direct marketing of our products to existing customers (to an extent allowed by law, often called the “soft opt-in”), preventing fraud and securing our platform (we have a legitimate interest in protecting our business and users from misuse), and sharing data within our corporate family for internal administrative purposes. We only rely on legitimate interests where those interests are not outweighed by your data protection rights. You have the right to object to processing based on legitimate interests in certain cases (see Section 7).
  • Legal Obligation: We will process your Personal Data when necessary for compliance with a legal obligation to which we are subject. This is straightforward: if the law requires us to do something with your data, we will do it. Typical examples include retaining records to comply with tax laws, responding to legally binding requests for data (like a court order), or handling user information in accordance with consumer protection laws. Another example is fulfilling our obligations under data protection laws themselves, such as honoring your privacy rights requests (we need to process your email address and possibly other data to respond to an access or deletion request, as required by law).

For Brazilian users: In compliance with the LGPD, we note that the above bases correspond to LGPD legal bases such as your consent (Art. 7(I)), when needed; performance of a contract (Art. 7(V)); legitimate interests of the controller (Art. 7(IX)), balanced against your rights; and compliance with legal obligations (Art. 7(II)). We will also rely on other bases as appropriate (for instance, credit protection or the regular exercise of rights in judicial processes, if applicable).

For Canadian users (PIPEDA): We will typically obtain your consent for the collection, use, or disclosure of personal information, except where otherwise permitted by law. By using the Service, you consent to our data practices as described, and you may withdraw consent for non-essential uses. Some of our processing may also be under what PIPEDA recognizes as reasonable purposes for our business, in line with your expectations (we always strive to meet the PIPEDA principles of accountability, transparency, and individual access, among others).

If you have any questions about the legal basis on which we collect and use your personal information, please contact us (see Section 14 “Contact Us”).

6. How We Share Your Information

We treat your Personal Data with care and confidentiality. We do not sell your Personal Data to third parties for money, and we do not share it with third parties for their own independent marketing purposes. However, we do share your information with certain trusted third parties in the following circumstances, and only for the purposes described in this Privacy Policy:

  • Service Providers (Processors): We employ reputable third-party companies and individuals to perform services on our behalf, in support of the Service’s functionality and our operations. These third parties act as our data processors, meaning they are contractually bound to process Personal Data only under our instructions and for the purposes we specify. We share data with service providers only to the extent needed for them to carry out their work, and we require them to protect your information and not use it for anything outside the scope of what we’ve agreed. Categories of service providers we use include:
    • Cloud Hosting and Infrastructure: We use cloud infrastructure providers (e.g., Amazon Web Services) to host our website, databases, and servers. Personal Data is stored on their secure servers, but controlled by us (they do not access your data except as needed for maintenance of the service). (See their privacy policies for more on their data practices.)
    • Data Analytics: We use analytics services (such as Google Analytics and Amplitude) to collect and analyze Usage Data, as discussed in Section 3. These providers process data like device identifiers and site usage events to provide aggregated insights to us. They act on our behalf and are not permitted to use the data for their own purposes. (See their privacy policies for more on their data practices.)
    • Payment Processing: For handling subscription payments and transactions, we utilize third-party payment processors (like Stripe, Braintree, etc.). When you make a payment, these processors receive your payment details directly and process the transaction. They may share with us limited info such as a transaction ID and status for record-keeping. These payment providers are compliant with PCI-DSS and other financial security standards. (See their privacy policies for more on their data practices.)
    • Email and Communications: We use service providers to help send out emails and other messages. For example, we may use email delivery platforms to send verification emails, newsletters, or support responses. These providers hold your email address and any necessary content of the message to send it on our behalf, but they cannot use your email for their own marketing.
    • Advertising and Marketing Partners: We integrate with advertising networks and platforms (such as Google Ads, Facebook/Meta Ads, TikTok Ads) to promote Finestro to new users and to track the success of our marketing campaigns. This involves placing cookies or pixels as described in Section 3.2. We may share hashed or anonymized identifiers (like a hashed version of your email or an ad ID) with these platforms to help reach you or audiences similar to you. Note that we do not share personal details like your name or financial data with ad networks for their independent use; the data shared is typically limited to what’s needed for matching users and measuring conversions (e.g., an indicator that a user signed up after seeing our ad). Advertising partners also act as processors in the context of serving our ads; any data we provide is only to be used to serve or measure our campaigns, not for the partners’ own purposes.
    • AI and Machine Learning Services: In order to provide certain features like our AI Assistant, we may send your data to third-party AI service providers that power these features. For instance, if our AI Assistant “Alex” uses an external AI API (such as OpenAI, Google Cloud AI, or another AI platform) to generate responses, then when you ask a question, the content of your query may be securely transmitted to that AI provider’s servers, which analyze the text and return an answer. We only transmit the information that is necessary for the service (often just your query text, not your personal details). These AI partners are strictly bound to use your data solely for the purpose of providing the AI functionality to us. As of the date of this Policy, our providers either do not use API-submitted data to improve their services or allow opting out if they do. We also ensure data is encrypted in transit to these services for security. (If you would like more information about the privacy practices of any specific AI vendor we use, please refer to their respective privacy policy or contact us.)
  • In all cases, our service providers are chosen for their trustworthiness and security capabilities. We take steps to ensure they handle Personal Data with at least the same level of care as we do. We also execute Data Processing Addendums (including Standard Contractual Clauses where required for international data transfers) with these providers to ensure compliance with applicable laws. Our service providers may change over time, but we will update this Policy or notify users as appropriate if we add any new significant processors. (Note: Examples of current providers are given in parentheses above for transparency, but we reserve the right to change providers or use equivalents without specifically updating the Policy each time, though the categories of recipients will remain consistent.)
  • Legal Compliance and Safety: We may disclose your information to courts, law enforcement agencies, government authorities, or other third parties when we believe such disclosure is required or appropriate under applicable law. For example, we will respond to subpoenas, warrants, or other legal orders for information if we have a good-faith belief that the request is legally valid. We may also share information when we believe it’s necessary to protect our rights, property, or safety, or that of our users or others. This can include sharing data in connection with investigating or preventing fraud, security issues, or other harmful activity. If you engage in illegal activities, violate our Terms of Service, or pose a threat to any person, we may preserve and share your information with appropriate authorities to facilitate their investigation or to take action. We will only share the information that is reasonably required in the situation; for instance, if we receive a report of a stolen credit card used on our Service, we might share account and transaction info with law enforcement.
  • Business Transfers: If we are involved in a business transaction such as a merger, acquisition, reorganization, sale of assets, or bankruptcy, your Personal Data may be disclosed to a party (e.g., an acquiring entity or its advisors) as part of due diligence or transferred to a successor or affiliate as part of the final transaction. For example, if another company acquires Finestro or all/most of our business, personal data of our users will typically be one of the transferred assets so that the service can continue to operate. In such cases, we will ensure that the receiving party agrees to protect your Personal Data in a manner consistent with this Privacy Policy, and we will provide notice of any significant change in data handling.
  • Affiliated Companies: We may share your information with our current or future affiliates and subsidiaries (i.e., companies under common ownership or control with Findmy LLC). These affiliated entities will process your data only for purposes consistent with this Policy. For instance, if Findmy LLC has a parent company or an affiliate that assists in providing technology or customer support, we might share data with them. We ensure that any intra-group data sharing complies with relevant laws (including executing intercompany data protection agreements as needed). All persons or divisions with access will adhere to the same obligations of confidentiality and security.
  • With Your Consent or at Your Direction: Aside from the situations above, we will share your Personal Data with third parties when you direct us to or expressly consent to such sharing.

7. Your Privacy Rights

Depending on your location and applicable law, you may have certain rights regarding your Personal Data. We are committed to honoring these rights and have processes in place to enable you to exercise them. These rights may include:

  • Right to Access: You have the right to request a copy of the Personal Data we hold about you. This means you can ask us to confirm whether we’re processing your personal information and provide you with a copy of that information in a common format, along with details about how we use it.
  • Right to Rectification: You have the right to request that we correct any inaccurate or incomplete Personal Data we have about you. If you realize that the information you provided is wrong or has changed (for example, you have a new email address), please let us know, and we will update our records. In many cases, you can directly correct and update certain information through your account profile tools.
  • Right to Erasure (Deletion): You have the right to request deletion of your Personal Data. This is also known as the “right to be forgotten.” Upon your request, we will delete your personal information, provided that there are no lawful reasons for us to retain it. Note that this right is not absolute; sometimes we may need to keep certain data for legal compliance (e.g., transaction records for tax purposes) or legitimate business purposes. We outline our data retention practices in Section 12. If you request deletion, we will explain if any data must be retained and why. Deleting your data may involve terminating your Finestro account, after which you would no longer have access to the Service.
  • Right to Restrict Processing: You have the right to ask us to limit or “pause” the processing of your Personal Data in certain circumstances. For example, if you contest the accuracy of the data or have objected to processing (see below) and we are considering your request, you may request that we restrict processing during that period. When processing is restricted, we will store your data securely and not use it except to the extent allowed (e.g., to protect the rights of others or as needed for legal reasons).
  • Right to Object: You have the right to object to our processing of your Personal Data when such processing is based on our legitimate interests or is for direct marketing purposes. If you object to processing for direct marketing, we will stop using your data for that purpose immediately (this is typically accomplished by you unsubscribing from our emails or adjusting cookie preferences for targeted ads, which we honor). If you object to processing based on legitimate interests, we will evaluate your request and will no longer process the data in question unless we demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or if processing is needed for legal claims. For example, you might object to analytics tracking; if so, we would consider if we can provide the service without that tracking or offer an opt-out.
  • Right to Data Portability: For data that you provided to us and that we process by automated means on the legal basis of consent or contract, you have the right to obtain that data in a structured, commonly used, machine-readable format and to have it transmitted to another controller where technically feasible. In plain terms, this means you can ask for an electronic file of the personal data that you have given to us (e.g., your profile data and perhaps your interactions/content submissions that are linked to you) and we will provide it in a format like CSV or JSON, or another format that can be read by a computer. You can then keep it for your own purposes or reuse it with another service. This right exists to facilitate data mobility between services.
  • Right to Withdraw Consent: If we are processing your Personal Data based on your consent, you have the right to withdraw that consent at any time. For example, if you consented to receive marketing emails, you can unsubscribe (withdrawing consent for that specific use). Withdrawing consent will not affect the legality of any processing we conducted prior to your withdrawal, and it won’t affect processing under other bases (for instance, if we still need certain data to perform a contract with you). If you withdraw consent for something like the AI Assistant retaining your inputs for improvement, we will stop the relevant processing going forward.
  • Right to Lodge a Complaint: If you believe that we have infringed your data protection rights or handled your Personal Data unlawfully, you have the right to file a complaint with a data protection supervisory authority. The appropriate authority may depend on your country or state of residence. For example, in the European Union you can contact the supervisory authority in the Member State where you live or work, or where the issue occurred; in the UK you can contact the Information Commissioner’s Office (ICO); in Brazil you can contact the National Data Protection Authority (ANPD); in Canada you can reach out to the Office of the Privacy Commissioner (OPC). We would appreciate the chance to address your concerns directly before you do this, so we encourage you to contact us first, but you are free to seek assistance from regulators at any time.

These rights are not absolute and they may have certain conditions or limitations under applicable law. For instance, we might not be able to fully comply if a request is unduly excessive or jeopardizes the rights of others, but we will always respond and explain our decision.

Exercising Your Rights: To exercise any of your applicable privacy rights (other than lodging a complaint with an external authority), you may contact us at [email protected]. Please clearly state your request, for example, “I am requesting access to my personal data” or “Please delete my account and all related data.” For your privacy and security, we will need to verify your identity before processing certain requests, especially for access, deletion, or portability. We may ask you to provide information that matches our records (such as verifying your email address or other account details) to ensure you are the account holder. We will respond to your request within the timeframe required by law (generally within 30 days for most laws like GDPR, with the possibility of extension if necessary). If we need more time or cannot fulfill your request, we will inform you of the reason (subject to any legal restrictions). There is no fee for exercising your rights unless the requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request (but we would provide an explanation in such cases).

Additional Notice for Brazilian Users (LGPD): In addition to the rights listed above, users in Brazil have rights under the LGPD including: the right to confirmation of the existence of processing, the right to anonymization, blocking or deletion of unnecessary or excessive data or data processed in non-compliance with the law, and the right to information about entities with which we have shared your data. We believe these are largely covered by the rights described in this section. We will handle requests from Brazilian users in accordance with the LGPD’s requirements. If needed, you can designate an authorized agent to make requests on your behalf (we will take steps to verify the agent’s authority and your identity).

Additional Notice for Canadian Users: While PIPEDA does not enumerate rights in the same way as GDPR, you have the right to access the personal information we hold about you and the right to request correction of any inaccuracies. You also have the right to challenge our compliance with PIPEDA’s principles by contacting us or the Office of the Privacy Commissioner of Canada. We will assist with your access requests and provide you with your information, subject to any exceptions permitted by law (for example, information that would reveal personal data about another individual). If you withdraw consent for certain processing (where consent was the basis), we will stop that processing, provided no legal exception applies.

We are committed to respecting all users’ rights irrespective of location. Even if you are not in a region with specific privacy laws, we will endeavor to honor your requests about your Personal Data to a reasonable extent. If you have any questions or concerns about your rights or how to exercise them, please contact us at the email provided above.

8. Age Requirements

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18 years old. If you are under 18, you must only use the Service with parental or guardian consent. Parents or legal guardians should supervise the use of our Service by minors and are responsible for ensuring that minors’ use is in accordance with this Policy.

If we become aware that we have inadvertently collected Personal Data from a child under 18 without appropriate consent, we will take immediate steps to delete such information from our records. If you believe that a child under 18 may have provided us with personal information without your (the parent’s) consent, please contact us at [email protected] immediately, and we will investigate and promptly remove the data in question. We do not sell the personal data of minors under 18 as defined by applicable laws (including the Children’s Online Privacy Protection Act, COPPA, in the U.S., which generally applies to children under 13, and similar laws). Our commitment is to protect children’s privacy and comply with all relevant laws and regulations regarding children’s data.

9. International Data Transfers

Finestro is a global service, and your Personal Data may be transferred to, stored in, and processed in countries other than your own. In particular, the data we collect is often stored on servers in the United States and may also be processed in the European Union (for example, if we have team members or contractors in the EU, or if we use European-based infrastructure) or other jurisdictions. This means that your information could be subject to privacy laws that are different from those in your home country.

However, regardless of where your data is processed, we protect it in accordance with this Privacy Policy and take appropriate safeguards to ensure its security and integrity. When we transfer Personal Data from individuals in the EEA, UK, or Switzerland to countries that the European Commission (or relevant UK/Swiss authorities) has not deemed to have an “adequate” level of data protection (such as the United States), we rely on approved legal mechanisms to ensure your data remains protected. These mechanisms may include:

  • Standard Contractual Clauses (SCCs): We may incorporate the latest EU Standard Contractual Clauses (and UK International Data Transfer Addendum, as applicable) into our contracts with recipients of the data. These clauses are legal commitments that bind the recipient to protect the data according to EU-level standards, even if local laws are different.
  • International Frameworks: If applicable, we may rely on approved frameworks such as the EU-U.S. Data Privacy Framework or Swiss-U.S. framework (if our company or a relevant processor is certified under such a program) to facilitate lawful transfer.
  • Other Lawful Bases: In some cases, we may make a transfer pursuant to your consent (for example, if you initiate a connection to a service hosted outside the EU, you will be deemed to consent to the transfer necessary to fulfill your request), or because the transfer is necessary to perform a contract with you.

We also require that our service providers and partners, regardless of location, maintain adequate security measures and, where required by law, enter into data processing agreements including transfer safeguards.

Your Rights and Protections: If you are a resident of the EEA, UK, or certain other jurisdictions, you have rights to be informed about and object to certain international transfers. We have put the above measures in place to protect your data when transferred internationally, and we remain responsible for it as the controller.

If you have questions about our international data handling, please contact us. By using our Service or providing information to us, you acknowledge the transfer of your personal data across borders as described here, and understand that the data may become subject to the laws of the destination country.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. If we make material changes to how we handle your Personal Data, we will provide you with notice in advance of the change becoming effective, as required by law. This may include a prominent notice on our website(s), an in-Service notification, or an email notification to the address associated with your account. We will indicate at the top of the Policy the date of the latest revision (see “Last Updated” date).

Whenever we update the Policy, we will give you the opportunity to review the revised terms. If you continue to use the Service after the new Privacy Policy has taken effect, this will constitute your acceptance of the changes. However, if any changes require your consent (for example, if we plan to use your Personal Data for a new purpose that requires consent under applicable law), we will obtain your consent accordingly.

We encourage you to periodically review this Privacy Policy to stay informed about how we are protecting your information. If you do not agree with any updates or changes, you should cease using the Service and may request that your data be deleted.

11. California Privacy Rights (CCPA and “Shine the Light” Law)

This section applies solely to residents of California, USA, and supplements the rest of our Privacy Policy. It describes how we handle personal information of California consumers and the rights that California consumers have under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), and California’s “Shine the Light” law.

Categories of Personal Information Collected: In the 12 months preceding the Last Updated date of this Policy, we have collected the following categories of personal information (as defined by CCPA) about California consumers through the Service: identifiers (like name, email address, IP address); personal information categories listed in California Civil Code §1798.80 (such as payment information, limited to transactional records since we don’t store card numbers); characteristics of protected classifications; internet or other electronic network activity information (device and usage data as detailed in this Policy); geolocation data (to the limited extent of general location via IP); and inferences drawn from the above (e.g., a user’s potential interests or preferences based on usage). We collect these categories of information from the sources and for the purposes described in Sections 3 and 4 of this Policy.

Disclosure of Personal Information: We may disclose the above categories of personal information to third parties for our business purposes, as described in Section 6 (e.g., to service providers like cloud hosts, analytics providers, payment processors, etc., and in other limited circumstances like legal compliance). In the past 12 months, we have disclosed the following categories of personal information for business purposes, with reference to CCPA categories: Identifiers (to service providers like email and payment processors), Customer Records information (transaction data to payment processors), Commercial information (subscription details to payment processors for billing), Internet/Network Activity (to analytics and security service providers), and Geolocation (IP-based region to analytics/security providers). We do not use or disclose sensitive personal information for purposes that California law gives a right to limit (such as using sensitive data for inferring characteristics).

Sale and Sharing of Personal Information: We do not “sell” personal information for monetary consideration, and we also do not “share” personal information as defined under CCPA/CPRA (i.e., we do not disclose personal information to third parties for cross-context behavioral advertising purposes). In other words, we have not sold or shared California consumers’ personal information with third parties for their own marketing or advertising. All data sharing we engage in is for the business purposes described in this Policy (service provision, analytics, etc.). Therefore, the opt-out rights related to the sale or sharing of personal information are not applicable in our case. We also do not have actual knowledge that we sell or share the personal information of consumers under 16 years of age.

California Consumer Rights under CCPA: If you are a California resident, you have the following rights with respect to your personal information (subject to certain limitations under the law):

  • Right to Know: You can request that we disclose what personal information we collect, use, disclose, and sell/share. This includes the specific pieces of personal info we have about you, the categories of personal info collected, the categories of sources, the business or commercial purpose for collecting it, and the categories of third parties with whom we share it.
  • Right to Delete: You can request that we delete personal information we have collected from you, subject to certain exceptions (such as if we need to retain it to provide the Service or for legal reasons, similar to the exceptions described under GDPR rights).
  • Right to Correct: You can request that we correct inaccurate personal information that we maintain about you.
  • Right to Opt-Out of Sale/Sharing: As noted, we do not sell or share personal data in the sense defined by CCPA. If that ever changes, we will provide a “Do Not Sell or Share My Personal Information” link or mechanism for you to opt out.
  • Right to Limit Use of Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes beyond what is allowed (e.g., we might use a collected age for access control, which is a permitted use, and we don’t use sensitive data like that for inferring characteristics).
  • Right of Non-Discrimination: We will not discriminate against you for exercising any of these rights. That means we won’t deny you our services, charge you different prices, or provide a different quality of service just because you exercised your privacy rights. However, please note that if the exercise of your privacy rights renders us unable to provide certain features (for example, if you request deletion of all your data, we cannot very well continue to provide you with an account), then that may affect your use of the Service.

To exercise any of your California rights, you (or your authorized representative) can contact us at [email protected]. We may need to verify your identity (for example, by confirming information we have on file or asking for additional details) before fulfilling your request, as required by law. California law permits you to use an authorized agent to make a request on your behalf, but we will require proof of the authorization and still take steps to verify the identity of the consumer associated with the request.

“Shine the Light” Law: California’s “Shine the Light” law (Civil Code §1798.83) allows users who are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes (as defined in that law). We do not share personal information with unaffiliated third parties for their own direct marketing purposes without your consent. Nonetheless, if you are a California resident, you may make a “Shine the Light” request once per year. To do so, please email us at [email protected] with the subject line “Request for California Shine the Light Information”. In your request, please attest to the fact that you are a California resident and provide a current California address for our response. We will provide you any relevant information required by law for the preceding calendar year, or inform you that we do not engage in the type of sharing covered by the law (which is currently the case). Please note that the Shine the Light law does not cover all information sharing; our response will be limited to information relating to covered categories of personal information and sharing.

For more details about our privacy practices, you can refer to the main body of this Privacy Policy. The rights provided to California consumers under CCPA largely overlap with the GDPR rights described in Section 7, and we have a single process to handle requests, so you can use the contact methods in Section 7 or above to reach us.

12. Data Retention

We will retain your Personal Data only for as long as reasonably necessary to fulfill the purposes outlined in this Privacy Policy. In practice, this means we keep your information for as long as you have an account or ongoing relationship with us, and for a certain period thereafter as needed to comply with legal obligations or protect our interests.

For example, we retain account information and profile data while your account is active. If you delete your account (or it’s been inactive for a long time), we will initiate deletion of personal data associated with your account, except for data we are required or permitted to keep by law. Typical reasons we might keep some data after account deletion or last use include:

  • Legal and Regulatory Compliance: We may need to retain certain records to comply with laws (e.g., tax and purchase records for a number of years as required by financial regulations, records of opt-out requests to demonstrate compliance with privacy laws, etc.).
  • Dispute Resolution: If you have ever had a dispute with us or if we reasonably anticipate a potential dispute or complaint, we might retain relevant information as needed to resolve it. For instance, if there was a refund issue or a chargeback, we keep records of communications and transactions to address any follow-ups.
  • Security and Fraud Prevention: We may retain data necessary to detect/prevent fraud or abuse. For example, we might keep a minimal record that an email address was associated with a banned account to prevent re-registration by the same person, even after the full account data is deleted.
  • Backup Systems: Like many companies, we utilize periodic backups of our databases. Personal Data removed from our live systems might persist for a short period in encrypted backups until those backups are cycled out or destroyed. We limit retention of such backups and ensure they are stored securely. Any restoration from backups (which is rare, usually only for disaster recovery) will re-delete information that was supposed to be deleted, as part of the restoration process.

In general, if you ask us to delete your data, we will do so and only retain whatever is necessary. When Personal Data is no longer needed, we either delete it or anonymize it (so it can no longer be associated with you). For example, we might convert a dataset into an aggregate statistical report that contains no personal identifiers and retain that aggregated information indefinitely for business analysis.

To give some illustrative retention periods: basic account data is typically kept for a short period (30-60 days) after account deletion in case of accidental deletion or reactivation, then removed; communications like support emails may be retained for 1-2 years (unless a longer period is required) to help us reference past interactions if you contact us again; analytics data is generally retained in aggregate form, and personal identifiers in analytics logs are deleted or anonymized by Google Analytics after 14 months by default; financial transaction records are often kept for 7 years (to comply with accounting laws). These are general guidelines and may change.

If you have specific questions about our data retention policies for different types of data, feel free to contact us. We aim to not hold on to Personal Data longer than necessary and to securely dispose of information once it is no longer needed.

13. Control Tracking

You have different means to control tracking: for example, you can disable certain cookies (as discussed in Section 3.2) or use private browsing modes or browser extensions that block trackers. We do honor any specific opt-out mechanisms provided by the tools we integrate. For instance, if you use the Google Analytics opt-out add-on, our Google Analytics script will respect that and stop tracking on our site for that browser. Similarly, if an ad platform provides an opt-out cookie and you have it present, our integration with that platform will acknowledge it.

Third-party services that we use may have their own policies regarding Do Not Track (DNT) signals. For example, some might honor DNT and some might not. We do not make any representations for third-party behavior, so we encourage you to review the privacy policies of those services (e.g., Google, Facebook, etc.) to learn about their commitments.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how Findmy LLC handles your Personal Data, please do not hesitate to contact us. We value your privacy and will do our best to address any issue.

Data Controller: Findmy LLC

Address: 150 East Palmetto Park Road, Suite 800, Boca Raton, FL 33432, USA

Email: [email protected]

When reaching out via email, please include a clear subject line (e.g., “Privacy Inquiry” or “Data Subject Request”) and provide as much detail as possible about your question or request, along with your contact information. This will help us respond more efficiently. We may need to verify your identity for certain requests as noted in Section 7.

We will respond to your inquiries as soon as reasonably possible, generally within 30 days or earlier if required by law.

Thank you for reading our Privacy Policy.

We are dedicated to protecting your personal information and enabling you to use Finestro with confidence.