Privacy Policy

Last Updated: January 13, 2026

Applyft Ltd. (“Company,” “we,” “us,” or “our”), a company organized under the laws of Cyprus, operates the Finestro: Learn AI mobile application (the “App”), along with its related software, services, features, and content (collectively, the “Service”). This Privacy Policy outlines how we collect, use, process, and protect your personal information when you use the App. It is an integral part of our Terms of Service. By accessing or using the App, you confirm that you have read, understood, and agree to the practices described in this Policy. If you do not agree with this Privacy Policy, you must cease using the App and may request deletion of your data as described below.

1. Definitions

For purposes of this Privacy Policy, the following definitions apply:

“Personal Data” (also referred to as “personal information”) means any information relating to an identified or identifiable natural person. This includes information that can directly or indirectly identify you, such as your name or email, as well as data that can be linked to you, like usage information or an identification number.
“Processing” means any operation performed on Personal Data, whether by automated means or not, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, combination, restriction, erasure, or destruction of that data.
“GDPR” refers to the EU General Data Protection Regulation (EU) 2016/679.
“CCPA” refers to the California Consumer Privacy Act of 2018, “CPRA” refers to the California Privacy Rights Act amendments of 2020 (together, we refer to these as “CCPA/CPRA”).
“Data Controller” (or just “Controller”) means the person or organization that determines the purposes and means of the processing of Personal Data. In this case, Applyft Ltd is the Controller of your Personal Data.
Other Definitions: “Service” refers to the Finestro: Learn AI App and related services. “User” or “you” refers to the individual using the App. Other capitalized terms used but not defined in this Policy have the meanings given in our Terms of Service.

2. Scope and Applicability

This Privacy Policy applies exclusively to the use of the Finestro: Learn AI mobile application. It covers Personal Data collected through the App and how we process it. It does not apply to any other products, websites, or services of Applyft Ltd (including our web platform or any website content), which have their own privacy policies.

3. Identity and Contact Information of the Controller

The data controller responsible for your Personal Data is Applyft Ltd, the company that operates Finestro: Learn AI. Applyft Ltd is a company registered in Cyprus (Registration No. HE 461540) under Cyprus law. Our business address is:

Applyft Ltd

Flat/Office A, Parnithos 9, 4040 Germasogeia, Limassol, Cyprus.

You can contact us with any questions, concerns, or requests regarding your Personal Data or this Privacy Policy at [email protected]. For faster handling, please include the subject line “Privacy Inquiry” in your email. You may also send written inquiries to our postal address above (attention: Privacy Team). We will respond to privacy-related requests in accordance with applicable law (see Section 12 on user rights for more details).

4. Description of App Functionality

Finestro: Learn AI is an educational mobile application that provides personalized AI-driven learning experiences in the field of artificial intelligence and related topics. To help you understand why we collect certain data, here is an overview of what the App does and the features it offers:

Personalized AI Learning: The App delivers course content (including video lessons and interactive materials) tailored to your learning level and progress. It may adjust the difficulty or suggestions based on your performance.
Video Content and Tutorials: You can stream or view video lectures and tutorials within the App. These videos form a core part of the learning curriculum.
Practice Tasks and Quizzes: The App offers practical exercises, quizzes, or tasks to reinforce what you’ve learned. You might answer questions or solve problems in the App, and the App tracks your answers (for scoring and feedback to you, though user-generated text answers are not stored on our servers - see Section 6).
Progress Tracking: Finestro keeps track of your learning progress - for example, marking lessons or modules as completed, showing your quiz scores, and recording which content you have viewed. This allows you to resume where you left off and review your achievements.
User Account and Personalization: To log into the App you need to create an account. The App then personalizes your experience, such as greeting you by name, saving your preferences, and suggesting the next module in your learning path.

In summary, the App functions as a learning platform, using AI and analytics to customize content for you, providing video and interactive learning materials, and recording your progress. It does not engage in unrelated functions like social networking, advertising, or device utilities unrelated to learning. Understanding these functionalities will help explain why certain data is collected.

5. Categories of Personal Data Collected

When you use the Finestro mobile App, we collect limited categories of Personal Data necessary to provide and improve our Service. We are committed to collecting only what we need for the purposes stated in this Policy. The categories of data we collect are:

Identifiers: We collect a unique user identifier associated with your account (e.g. a user ID or username). This may also include your email address, which serves as your login identifier. We do not collect your real name or phone number through the App (unless you choose to provide it in your profile), but we do have your email from your account registration. The App uses your user ID/email to authenticate you and to associate your progress with your account.
Contact Information (Email Address): Your email address is part of your account information. We use it to log you into the App and to communicate with you for account-related issues (password resets, important service announcements, etc.). The App itself may not send emails, but our system will use your email for necessary communications. We do not collect any physical address or phone number via the App.
Usage Data: We automatically collect data about your activity within the App. This Usage Data includes information such as:
- Lesson and Content Views: which video lessons or tutorials you watch, and the timestamps of when you start or finish them.
- Module/Task Completion: which modules, quizzes, or practice tasks you complete and your results (e.g., quiz scores or task outcomes).
- App Navigation and Screen Views: which screens or pages you view in the App (for example, “Home,” “Course Curriculum,” “Profile”), how you navigate between them, and how long you spend on certain pages.
- Interaction Events: actions you take in the App (for instance, pressing play on a video, marking a lesson as complete, or clicking on certain buttons).
- Session Data: login and logout times, session duration, and how frequently you use the App.
This Usage Data is collected to enable core App functions (like saving your progress), to provide you feedback (like showing which lessons you’ve completed), and to help us improve the App (by understanding which features are most used or if users encounter difficulties).
Device and Technical Information: (Collected automatically as part of Usage Data) This includes technical details such as your device type (e.g., iPhone, Samsung Galaxy, etc.), operating system and version (iOS or Android version), unique device identifiers or an installation ID, and the App version in use. We may also collect network information like IP address and general location (city or country) derived from your IP when you use the App. This technical data is used for debugging, analytics, and ensuring compatibility and security (for example, we log IP addresses for security monitoring and to infer regional demographics, but we do not collect precise GPS location).
__Subscription Information. __We receive information about your subscription status (such as whether you have an active or expired subscription, the subscription plan type, and renewal dates). We do not receive or process your payment card details or other financial information.

Summary: In practical terms, the Personal Data we collect through the App is mainly your account identifier (and email) and information about how you use the App’s learning content.

We do not collect sensitive or extraneous personal details through the App. Our philosophy is to minimize data collection to only what is necessary to deliver and improve the Service. If in the future we need to access any new type of personal information or device feature, we will update this Privacy Policy and, if required, ask for your permission.

6. Purpose and Legal Basis for Processing

We process your Personal Data only for specific purposes and in accordance with a lawful basis under applicable data protection laws (like GDPR). Below we describe why we collect and use your data (the purpose), and the legal basis that permits us to do so:

Providing the Service (Performance of Contract): We use your data to operate the App and provide you with the features and services you expect. This includes using your user ID and email to authenticate you and let you log in, saving and retrieving your progress in courses, delivering the content (videos, lessons) you request, and recording your quiz results and module completions. We process this data because it is necessary to perform our contract with you - i.e., to deliver the educational service you subscribed to. Without this data, we cannot fulfill our obligations to provide the App’s functionality to you.
Personalization and Improvement (Legitimate Interests / Contract): We process usage data (like which lessons you viewed or your progress) to personalize your learning experience, such as recommending what to learn next or adjusting content difficulty. This personalization is part of providing the service (contractual necessity), and it’s also in our legitimate interest to improve our product’s usefulness. We analyze aggregated usage patterns to understand which features are most helpful or where users might be getting stuck, so we can improve the App’s content and usability (benefiting both us and users). We rely on legitimate interest for these analytics and improvements, ensuring that such processing does not override your rights and freedoms (we use data in an aggregated or pseudonymous form when possible, and you have rights to object as described in Section 12).
Communications and Customer Support (Performance of Contract and Legitimate Interests): If you contact us for help or we need to send you service-related communications, we will use your email to assist you. For example, if you request a password reset or have a support question, we process that data to help you (that’s part of providing the service you’ve asked for, so contractual necessity). Additionally, we might send occasional product updates or tips by email to our subscribers; we have a legitimate interest in keeping our users informed about new features or courses. We will always give you the option to opt out of such non-essential communications. Transactional or account-critical messages (like security alerts or critical updates about the Service) may be sent as needed to fulfill our legal obligations or our contract with you.
Compliance with Legal Obligations: We will process and retain certain data as necessary to comply with our legal obligations. For instance, under tax laws we may need to keep records of subscription purchases (which could include your email and transaction amounts, though purchases are done on the web). If law enforcement or regulatory authorities lawfully require information, we may process personal data to comply (after verifying the request’s validity). The legal basis for this is Article 6(1)(c) GDPR (processing necessary for compliance with a legal obligation). Similarly, under the CCPA we might need to maintain records of requests or disclosures. We only disclose what is required by law and will inform you when permitted.
Security and Fraud Prevention (Legitimate Interests and Legal Obligation): We process certain technical data (like IP addresses, device info, and usage logs) to monitor for and prevent fraudulent or unauthorized activity in the App. This helps keep your account and our Service secure. For example, we might detect if multiple IP addresses try to access your account in suspicious ways or if there are repeated failed login attempts, and use that information to protect against breaches. The legal basis is our legitimate interest in maintaining the security of our Service and users, and in some cases compliance with laws that require us to safeguard data.
Analytics and Service Improvement (Legitimate Interests): We use third-party analytics tools (like Amplitude) to collect analytics data about how users use our App (as detailed in Section 5, “Usage Data”). Our purpose is to understand user engagement and improve the Service’s content and features. We rely on legitimate interests for this processing - specifically, our interest in improving our educational platform and ensuring it meets users’ needs. We ensure that analytics data is handled in a way that minimizes privacy impact (for example, using user IDs instead of real names in analytics, and not collecting more data than necessary). You have the right to object to certain analytics processing (see Section 12 on your rights).
Marketing (Consent or Legitimate Interests for existing customers): Important: The App itself does not display ads or share data for advertising. However, Applyft Ltd may, outside of the App, use your email to send you newsletters or promotional offers related to Finestro. We do this only in accordance with applicable laws - for example, by obtaining your consent to marketing when you signed up, or under a “soft opt-in” exception for existing customers where allowed. You can unsubscribe from marketing emails at any time. We do not sell your data to advertisers (see Section 9).
__Subscription Management and Access Control (Performance of a contract): __We process information related to your subscription status (such as whether you have an active, expired, or canceled subscription and the applicable plan) in order to: grant, manage, and revoke access to premium educational content; administer subscriptions, renewals, and cancellations; provide customer support related to subscriptions and billing inquiries; and prevent misuse of free or premium access. This processing is necessary for the performance of a contract with you (Article 6(1)(b) GDPR). Certain subscription-related data may also be processed to comply with legal obligations, such as accounting, tax, or dispute resolution requirements (Article 6(1)(c) GDPR).

In summary, our processing of your data is limited to what is necessary to run the App, enhance your experience, communicate with you, ensure legal compliance, and improve our services. Under GDPR, the main legal bases we rely on are performance of contract, legitimate interests, and compliance with law. If we ever rely on consent (for example, for optional features or future marketing scenarios), we will make sure to obtain it expressly, and you will have the right to withdraw consent at any time. For California residents, these purposes correspond to “business purposes” under CCPA (such as providing the service, maintaining and improving quality, and security), and not to any “selling” of data.

7. Use of Third-Party Processors

To provide a reliable and feature-rich service, we use certain trusted third-party service providers (processors) to perform functions on our behalf. We only share data with them as necessary for the specific services they provide, and they are contractually bound to protect your data and use it only for our instructed purposes. The key third-party processors we use for the mobile App are:

Google Firebase (Google LLC): We use Firebase as a cloud infrastructure and development platform for the App. Firebase provides secure cloud storage and database services where we keep your account data and progress (for example, it may host the database that records which lessons you’ve completed). Firebase also offers tools like authentication, crash reporting, and analytics that we utilize to keep the App stable and secure . Firebase may process identifiers (like your user ID or device ID) and usage data on our behalf for these purposes. Google LLC, the provider of Firebase, is based in the United States.
Amplitude, Inc.: We use Amplitude as an analytics provider to help us understand user interactions with the App. Amplitude’s analytics SDK is integrated into the App and records events such as screen views, button clicks, and other usage metrics, tied to a pseudonymous user identifier. This helps us analyze aggregate user behavior (e.g., which lessons are most popular, where users drop off in a course) and improve the App’s design and content. Amplitude is a U.S.-based company and acts as our data processor, meaning it cannot use the data it collects from our App for any purpose other than providing analytics services to us. We have configured Amplitude to avoid collecting direct identifiers like your name; it mainly sees a user ID and usage events.
__App Store and Payment Platforms. __Subscriptions purchased through the Apple App Store or Google Play Store are processed by Apple Inc. or Google LLC respectively. These platforms act as independent controllers of payment data in accordance with their own privacy policies.

Data Safeguards and International Transfers: Whenever we use third-party processors, we ensure they are bound by strict data protection obligations. We have Data Processing Addendums (DPAs) in place with these providers, which include commitments to confidentiality, data security measures, and compliance with GDPR standards. Because providers like Google Firebase and Amplitude may process Personal Data on servers located in the United States or other countries outside the European Economic Area (EEA), we take additional steps to safeguard cross-border data transfers. In particular:

If your data is transferred from the EEA (or UK) to a country not deemed to have “adequate” data protection laws (such as the U.S.), we rely on EU Standard Contractual Clauses (SCCs) or an equivalent legal mechanism to ensure your data enjoys a level of protection essentially equivalent to EU standards. These are contractual commitments approved by the European Commission that bind the processor to protect your information.
We also assess our processors’ security practices and privacy certifications. Google and Amplitude have security and privacy programs in place (for example, Google is certified under ISO 27001 and similar standards). We monitor legal developments (such as the EU-US Data Privacy Framework) and will adapt our transfer mechanisms if needed to remain compliant.
All data we send to these processors is limited to what is necessary. For instance, Firebase will have your user ID and progress data, but not any extraneous info; Amplitude will have usage event data, but tied only to an internal ID. We do not transmit sensitive personal data to these third parties.
No Further Use or Sharing: Our agreements with processors forbid them from accessing or using your data for their own purposes or sharing it with unauthorized parties. They act solely on our instructions.

Aside from Firebase and Amplitude, we may use additional processors for specific operational needs (for example, Stripe for processing payments on the web platform, or email service providers to send emails). Each of these is carefully vetted for security and privacy compliance. We will update this Policy and notify you if we introduce any new significant processor that handles Personal Data, as required by law or platform rules.

8. No Data Sharing With Advertisers or Third Parties

We do not share, sell, or rent your Personal Data to third-party advertisers or other external parties for their own marketing or commercial purposes. In other words:

No Selling of Personal Information: We do not sell your data. “Selling” in the context of privacy laws like the CCPA/CPRA includes disclosing personal information to third parties for monetary or other valuable consideration. We do not engage in this. In fact, Finestro is subscription-funded, and we have no reason to monetize your data in this way.
No Sharing for Targeted Advertising: The App does not display third-party ads, and we do not share your personal information with ad networks, data brokers, or social media companies for targeted advertising purposes.
Limited Disclosure to Service Providers Only: The only circumstances under which we disclose your data to any third party are those described in Section 7 (trusted service providers processing data on our behalf) or as described in Section 6 (legal obligations, security reasons). These service providers are not allowed to use your data for anything other than providing services to us. For example, Firebase cannot use your data to improve Google’s marketing; Amplitude cannot use it to enrich their own profiles. They act under our instructions only .
Aggregated Insights: We may share aggregated or anonymized insights publicly or with partners - for instance, publishing a statistic like “Finestro learners watched a total of 10,000 hours of videos last month.” Such information will not contain any Personal Data or identify any individual. We only share these kinds of non-identifiable data to highlight usage trends or success stories, and even then we’re cautious.
No Third-Party Analytics Sharing: Aside from the processors we employ (like Amplitude), we are not sending your usage data to any third-party analytics or tracking services for their independent use. And Amplitude itself is contractually barred from sharing that data onward. We also do not implement any third-party Software Development Kits (SDKs) in the App that would collect data for third parties outside of our control (for example, we don’t have social media login SDKs or ad SDKs that siphon data).
Compliance and Safety Exceptions: The only time we might share data with a third party that isn’t a service provider is if we are legally compelled or need to in order to protect rights and safety - for example, responding to a lawful request by law enforcement, or disclosing information in connection with a legal claim or to enforce our Terms of Service. Even in these cases, we will verify that the request is valid and share only the minimum necessary information (and when permitted, we’ll inform you of such requests).

To reiterate: your personal information stays within the Finestro ecosystem and its essential service partners. We do not give or trade it to outside companies for advertising, profiling, or any unrelated purposes. This commitment also means that under the CCPA’s definitions, we do not “share” your personal info for cross-context behavioral advertising. If this ever changes (which we do not anticipate), we will update this Policy and provide any required opt-out mechanisms, but our plan is firmly to keep your data private and used only to serve you in the context of Finestro.

9. Mobile Permissions

We designed the App to function without needing access to your personal device information or sensors. No special device permissions are required to use Finestro. When you install or use the App, you should not see any permission prompts, because we don’t need those capabilities. If in the future we introduce a feature that requires a permission, we will update this Policy and the App will explicitly prompt you for consent at that time. As of now, however, Finestro can be fully used without granting any device permissions.

10. Data Retention Policy

We retain Personal Data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. Our retention practices are designed to comply with GDPR, CCPA, and other applicable laws, and to follow the principle of data minimization. Here is how we handle retention:

Active Account Duration: If you are an active user of Finestro (meaning you have a valid subscription and have logged into the App or used the Service recently), we will retain your Personal Data for as long as is necessary to provide you with the Service. This includes keeping your account information and learning progress so that you can continue where you left off.
S__ubscription-related information__ is retained for as long as necessary to manage your access to the Service and to comply with legal obligations (e.g. accounting or dispute resolution).
12-Month Inactivity Rule: If your account becomes inactive for an extended period, we will not retain your data indefinitely. In general, if you have not accessed the App or used the Service for 12 consecutive months, we may deem your account inactive. At that point, we reserve the right to delete or anonymize your Personal Data associated with that account as a privacy safeguard (we would remove personal identifiers and either delete the account or convert data into an aggregated form). We believe 12 months is a reasonable period in case you return, but beyond that, holding your data is likely unnecessary. Note: We may send you a reminder notice (to your email on file) before deletion in case you want to retain your account.
User-Requested Deletion: If you request deletion of your account or personal data (see Section 12 on how to do this), we will delete your data within 30 days of the verified request, often much sooner. Once deletion is executed, your Personal Data will be removed from our active databases. Some information, as noted below, may be retained in backups or logs for a short period or as required by law, but will be disposed of in accordance with our retention procedures.
Retention for Legal Obligations: In some cases, we might need to retain certain data for longer than the active period or after an account deletion, if required to meet legal obligations. For example, financial transaction records (subscription payment records) might be kept for a statutory period (e.g., several years) as required by tax law or accounting rules. Similarly, if a dispute or legal issue arises, we may retain relevant information until it is resolved. We always limit this to what is necessary and legally mandated. Any data retained for these reasons will be isolated from routine use and only used for the specified legal purpose.
Backup and Archive Copies: Our systems may maintain encrypted backup copies of data (to ensure services can recover from outages or errors). When we delete data from our active systems, it might persist in backups for a short duration until those backups are cycled out or overwritten. We have policies to ensure that backup data is not restored except as needed for disaster recovery, and that it is fully purged on a rolling schedule. In any case, if we have deleted data because of your request or inactivity, we will not reintroduce it; and if any backup retains fragments, we will purge them as soon as feasible through our backup rotation.
Anonymized & Aggregated Data: After the retention period or upon deletion, we may retain anonymized or aggregated information (which is no longer Personal Data). For example, we might keep overall usage statistics or learning metrics that are not tied to any user’s identity. This data helps us improve our services and business operations, and since it has no personal identifiers, we may keep it indefinitely.
Ongoing Review: We periodically review the data we hold and erase or anonymize any Personal Data that is no longer needed for any legitimate purpose. If you feel your data has been kept longer than necessary, you have the right to contact us and request its deletion or explain your situation (see Section 11 on rights). We will always be transparent about our data practices and make adjustments if appropriate.

To summarize: Active users’ data is kept to serve them, inactive accounts are purged after 12 months, and prompt deletion is performed upon request (generally within 30 days). We do not keep your personal information longer than we need it. Our retention schedule is aligned with providing you service efficiently while respecting your privacy over time.

11. User Rights under GDPR and CCPA/CPRA

As a user of Finestro (and depending on your residency), you have robust rights regarding your Personal Data. We are committed to honoring your rights under the GDPR, CCPA/CPRA, and other applicable laws. The following is a summary of your privacy rights and how you can exercise them:

Rights Under GDPR (for users in the European Economic Area and equivalent jurisdictions):

Right to Access: You have the right to request a copy of the Personal Data we hold about you, as well as information on how we use it. This is often called a Subject Access Request. Upon request, we will provide you with confirmation of whether we’re processing your data and supply you with a copy of the data, along with details about the purposes of processing, the categories of data, any third parties with whom it’s shared, and the retention period.
Right to Rectification: If any of your Personal Data is inaccurate or incomplete, you have the right to ask us to correct or update it. For example, if you notice your email address or profile information is wrong in our records, you can request an update. We strive to keep your data accurate and will promptly make corrections upon verification.
Right to Erasure (Deletion): You have the right to request that we delete your Personal Data . This is also known as the “right to be forgotten.” Upon your deletion request (and verification of your identity), we will erase your Personal Data from our systems, unless an exemption applies (such as if we are required to keep certain data for legal reasons). Section 13 below details the Account Deletion Procedure, which is the process to exercise this right.
Right to Restrict Processing: You can ask us to limit or “pause” the processing of your Personal Data in certain circumstances - for example, if you contest the accuracy of the data, or if you object to us processing it on legitimate interest grounds (we would then stop processing until we have addressed your objection). While processing is restricted, we will just store your data securely and not use it.
Right to Data Portability: You have the right to obtain your Personal Data in a commonly used, machine-readable format, and to have that data transmitted to another controller (where technically feasible). In practice, this might mean we provide you with a structured file (like JSON or CSV) containing your account data and usage history, so you can port it to another service if you wish. This right applies to data you provided to us and that we process by automated means based on your consent or a contract. We will assist with such requests as required by law.
Right to Object: You have the right to object to our processing of your Personal Data when that processing is based on legitimate interests (or on public interest/exercise of official authority, which we do not engage in). If you object, we will evaluate whether our legitimate grounds for processing override your privacy rights. If they do not, or if your objection is to processing for direct marketing, we will cease the processing in question. For example, you can object to our use of your data for analytics; or if we were to send marketing emails under legitimate interest, you can opt out at any time, and we will stop.
Right to Withdraw Consent: Where we rely on your consent for any processing (currently, we generally do not rely on consent except possibly for optional features or marketing), you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of any processing we did prior to withdrawal, and it may mean some features (that required consent) will no longer function. We will make it as easy as possible to withdraw consent (for example, through unsubscribe links or in-app settings where applicable).
Right to Lodge a Complaint: If you believe we have infringed your data protection rights, you have the right to lodge a complaint with a supervisory authority (Data Protection Authority) in your country. We would, however, appreciate the chance to address your concerns directly first - we are committed to resolving any privacy issues in good faith. You can always contact us at [email protected] regarding any complaints or questions.

Rights Under CCPA/CPRA (for California residents): If you are a resident of California, USA, you are entitled to certain rights over your personal information under the CCPA as amended by CPRA, in addition to the rights above (many of which overlap). These include:

Right to Know: You have the right to request that we disclose the specific pieces and categories of personal information we have collected about you, the categories of sources from which the information was collected, the business or commercial purpose for collecting (or sharing, if applicable) the information, and the categories of third parties with whom we have disclosed your information. Essentially, you can ask for a report of what personal data we have about you and how we obtained and use it.
Right to Delete: You have the right to request that we delete personal information we collected from you, subject to certain exceptions (similar to the GDPR right to erasure). Once we receive and verify your deletion request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies. Possible exceptions under CCPA include if the information is needed to complete a transaction or provide a service you requested, to detect security incidents, to comply with legal obligations, etc. We will inform you if any such exception applies in responding to a deletion request.
Right to Correct: Under the CPRA, California residents also have the right to request correction of inaccurate personal information. This aligns with the GDPR right to rectification. If you notice any incorrect data we hold about you, let us know and we will correct it.
Right to Opt-Out of Sale or Sharing: CCPA gives you the right to direct a business that sells or shares personal information to third parties to stop doing so (the “Do Not Sell or Share” right). However, we do not sell or share your personal information as defined in CCPA. Therefore, there is no need for you to opt out - we treat all users as opted-out by default.
Right to Non-Discrimination: We will never discriminate or retaliate against you for exercising any of your privacy rights. This means we won’t deny you our service, charge you a different price, or provide a lesser quality of service just because you made a request under CCPA (such as asking for your data or deleting your data). The Service is provided at a fixed subscription rate and exercising privacy rights will not change that. We do not offer financial incentives in exchange for your data that would require disclosures under CCPA.
Authorized Agent: You may designate an authorized agent to make requests on your behalf under CCPA. If you choose to do so, we will take steps to verify that the person is authorized to act for you, usually by requiring a signed permission and directly confirming with you (the user) that you gave the agent permission. This is to protect your data from unauthorized access by someone falsely claiming to be your agent.

How to Exercise Your Rights: To exercise any of your rights above (whether under GDPR, CCPA, or other privacy laws), you can contact us by email at [email protected] with the subject line “Privacy Request” (or a similar clear subject). In your request, please: (a) specify which right you seek to exercise (e.g., access, deletion, correction, data portability, etc.), and (b) provide enough information for us to verify your identity. Typically, we will need at least your name and the email associated with your Finestro account, and we may request additional info if necessary to confirm it’s you (this is for your security - we need to be sure we’re fulfilling requests for the right person). Verification might involve replying to an email from that account or providing a recent usage detail that only you would know.

Response Time: We will respond to privacy rights requests as soon as possible. Under GDPR, we generally have one month to respond (which can be extended by two further months for complex requests, but we’ll inform you if that’s the case). Under CCPA, we aim to respond within 45 days of receiving your verifiable request (with an extension of another 45 days if needed, in which case we’ll let you know). If we cannot fulfill your request in whole or in part, we will explain the reason (for example, if a legal exception applies or if the request is excessive). For access requests, we will provide the information in a readily usable format, typically electronically. For deletion or correction requests, we will confirm once we have deleted/corrected your data (or explain if any portion had to be retained for reasons permitted by law).

Overlap of Rights: Many of the rights under CCPA align with those under GDPR. We will ensure compliance with the strictest applicable standard for your case. For instance, even if you’re not a California resident, you still have deletion and access rights under GDPR. And if you’re a California resident, know that by honoring GDPR rights we’re largely also fulfilling CCPA requirements (plus the no-sale promise makes it straightforward). Our approach is to respect all users’ fundamental privacy rights, regardless of jurisdiction, and then layer on any specific requirements as needed per region.

12. Account Deletion Procedure

We understand that you may at some point wish to delete your Finestro account and remove your Personal Data from our systems. This section outlines the procedure to request account deletion and what to expect:

How to Request Deletion: To delete your account, please contact our support team by sending an email to [email protected] with the subject line “Account Deletion Request” (or similar). You should send the request from the email address associated with your Finestro account, if possible, to help us verify ownership. In the body of your email, you can simply state that you wish to have your account deleted. You can also use an in-app deletion feature, and your account will be automatically deleted within the term specified in the Processing the Deletion sub-section; we will treat those requests the same way.
Verification of Identity: For your security, we will need to verify that the request is coming from you (the account owner). If you emailed from the registered email, that is usually sufficient verification. In some cases, we might reply asking you to confirm certain account details (like last login date or a progress metric) just to ensure no one else is trying to delete your account maliciously. We will act on deletion requests once proper verification has been completed.
Processing the Deletion: After verification, we will deactivate and delete your account and associated Personal Data. We aim to complete account deletions within 5 business days after verification, and in all cases we will complete it within 30 days (which is the typical maximum allowed by law for fulfilling deletion requests). During this processing time, you will likely be logged out of the App and lose access as we work on removing your data.
Scope of Deletion: Deleting your account means that all Personal Data we have collected about you through the App (and any linked systems like our databases, analytics, etc.) will be removed or anonymized. This includes your profile information, email (as an identifier), learning progress, usage logs tied to your ID, and any support communications. Once deleted, this data cannot be recovered, and you will not be able to restore your learning progress or account. If you ever wish to use Finestro again, you would need to create a new account (and re-subscribe if your subscription had lapsed).
Third-Party Processors: We will also instruct our third-party processors to delete the data they hold on our behalf as part of providing the service. For example, your entries in our Firebase database, analytics events in Amplitude associated with your user ID, etc., will be deleted or disassociated from you. Please note that some processors (like analytics services) might retain raw event logs for a brief period per their internal retention, but they will be disassociated from any identifiers we provide or under an obligation to delete as per our request.
Confirmation: After we have deleted your account, we can (upon request) send you a confirmation email stating that your account has been deleted. This serves as a record for you. If for any reason we are unable to delete certain data (due to a lawful exemption), we will inform you in our response, but as of now, because we collect minimal data, typically all user data can be purged unless there’s a legal need to keep a transaction record as noted.
Exceptions - Legal Retention: As described in Section 10, there may be some information we retain even after account deletion if required (e.g., payment records for auditing, or keeping an email in a suppression list to honor a no-contact request). However, this data would no longer be connected to an active account and would only be stored for the necessary period and purpose. We do not keep your learning content or progress once you’ve requested deletion, and any such retained items are things that generally do not include sensitive personal details.
Reversing Deletion: Once an account deletion is completed, it is final. We cannot undo it. If you change your mind before the deletion is completed, you can try to contact us quickly to cancel the request. But after the fact, the only way to use Finestro again is to start fresh.

We strive to make the account deletion process straightforward and swift, because we respect that you have the right to have your data removed. There is no charge for processing a deletion request. Account deletion is separate from simply uninstalling the App - if you delete the App from your device but do not request account deletion, your account data may remain on our servers (for the 12-month inactivity period) until it’s automatically removed due to inactivity or until you request deletion. To fully terminate your relationship and data with Finestro, please follow the above procedure to request deletion.

13. Children’s Privacy (18+ Only)

Audience of the Service: Finestro: Learn AI is intended for adults and users aged 18 and over. Our content and services are designed for individuals at or above the age of majority (18 in most jurisdictions). We do not target or market the App towards children or minors.

No Use by Under-18: If you are under 18 years old, you are not permitted to use the Finestro App or Service. We do not knowingly allow minors under 18 to register or use the platform, and we do not knowingly collect any Personal Data from individuals under 18. Our Terms of Service also stipulate that users must be 18 or older (or the age of majority in their country) to create an account and use Finestro.

No Data Collection from Children: Because we do not allow under-18 users, we obviously do not knowingly collect information from them. We do not ask for age during the mobile App usage; however, if through our web subscription process or other interactions we become aware of a user’s age and find that we have inadvertently collected data from someone under 18, we will take prompt steps to delete that data and terminate the minor’s account.

Parental Supervision: We strongly advise that parents or guardians ensure their children do not access the Finestro App if they are underage. If a minor (under 18) is interested in learning AI, they should do so through appropriate child-friendly resources and with parental guidance, not through our Service which is for adult learners.

In our registration flows and marketing, we do not solicit birth dates or any age information for the App usage. In the event we suspect a user is under 18 (for instance, if a support query reveals it), we reserve the right to ask for proof of age or confirmation of parental consent. If neither is provided, we will delete the account to ensure compliance. This is to protect young users’ privacy and safety.

Note to Parents/Guardians: If you become aware that your child under 18 has created a Finestro account or is using our Service without your consent, please contact us immediately at [email protected]. We will take appropriate action to investigate and, if verified, delete the minor’s personal information. We appreciate your cooperation in keeping minors safe online.

In summary, Finestro does not permit use by children or minors, and we have implemented measures to prevent and eliminate any minor’s data from our systems. This stance is both for legal compliance and because the content is tailored for an adult or professional audience.

14. Updates to the Privacy Policy

We may update or revise this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make changes, we will let you know by appropriate means so that you can review the new Policy. Here’s what to expect regarding updates:

Notification of Changes: If we make any material changes to how we handle your Personal Data, we will provide you with notice in advance, as required by law. This could be through an email to the address associated with your account, or a notice on our website. The form of notice may depend on the significance of the changes and legal requirements. Minor updates (like clarifications that do not materially affect your rights) may be simply posted in the Privacy Policy with a new effective date.
“Last Updated” Date: We will always indicate the date of the latest revision at the top of this Policy (see the date under the title). You should check this date to see if the Policy has been updated since your last read. We encourage you to review this Privacy Policy periodically for any changes.
Opportunity to Review: Whenever we update the Policy, we will give you the opportunity to review the revised terms before they take effect. In some cases, particularly if you are an active user around the time of a major update, we might prompt you to actively review and accept the new Policy (for example, you might see a pop-up or message upon logging into the App that asks you to agree to the updated Policy). For less significant changes, continuing to use the App after the new Policy is effective may be taken as your acceptance of the changes (where permitted by law).
Consent for Significant Changes: If any update would significantly affect the way we use your data, and if by law we need to get your consent for such use, we will either obtain your consent or give you a clear chance to opt out before the change is applied to you. We strive not to make unexpected changes, but in the rapidly evolving field of technology and education, we want to ensure we can adapt while respecting your privacy choices.
Archive of Versions: For transparency, we maintain previous versions of this Privacy Policy (and/or a change log) which we can provide upon request, so you can see how the Policy has evolved.
If You Disagree: If you do not agree with any changes to the Privacy Policy, you have the right to stop using the App and Service. You may also request the deletion of your data (as per Section 13). We hope, of course, that our updates will be acceptable, as they are generally aimed at improving clarity or enhancing privacy protection. We will never reduce your rights under this Privacy Policy without your explicit consent.
Continued Use: Your continued use of the Finestro App following the posting or communication of an updated Privacy Policy will signify your acknowledgement and (to the extent permitted by law) acceptance of the revised Policy. We will remind you of this in any notice we send about changes.

In essence, we pledge to handle any changes to this Policy in a transparent and fair manner, keeping you informed and in control. We value your trust and will not surprise you with material changes without proper notice.

15. Governing Law

This Privacy Policy, its subject matter, and its formation are governed by the laws of Cyprus. By using the Finestro App and related services, you agree that any disputes or claims arising out of or in connection with this Privacy Policy (including non-contractual disputes or claims) will be subject to the jurisdiction and laws of Cyprus.

For users in the European Union, this choice of law does not deprive you of the protection of mandatory provisions of the law of your country of residence. We ensure that we comply with applicable data protection laws including the GDPR, which apply across the EU.

If any dispute arises regarding this Privacy Policy, we will first seek to resolve it amicably. You agree to contact us to attempt to resolve any issue before taking formal legal action. In the unlikely event of a legal claim, it will be adjudicated in the competent courts of Cyprus, unless otherwise required by a consumer protection law that allows you to choose different courts (for example, in some cases EU consumers might bring claims in their home country).

No Waiver of Rights: Nothing in this section is intended to limit your statutory rights or any legal remedies you have under applicable privacy laws. It simply clarifies which jurisdiction’s law governs the interpretation of this Policy.

Legal Authority: Our representation of governing law is mainly to ensure consistency. Applyft Ltd, being based in Cyprus, operates under Cyprus and EU law. As such, our handling of Personal Data is deeply informed by EU privacy regulations (GDPR) irrespective of this clause.

If you have questions about how this section might apply to you, feel free to contact us for clarification. In all cases, we strive to act in accordance with the laws that apply to us and to you as a user.

16. Contact Details for Privacy Inquiries

If you have any questions, concerns, or requests regarding this Privacy Policy or your Personal Data, please do not hesitate to reach out to us. We are here to help and address any issues related to privacy or data protection. You may contact us through the following:

Email: [email protected]. This is the dedicated email for privacy and support inquiries. Please include a clear subject line (e.g., “Privacy Inquiry” or “Data Subject Request”) so we can direct your query to the appropriate team. We endeavor to respond to all valid inquiries promptly, typically within a few business days. If you are exercising a specific right (like an access or deletion request), kindly refer to Section 11 and 12 above for the information to include; we will guide you through any additional verification steps via email.
Postal Mail: Applyft Ltd – Privacy Team, Flat/Office A, Parnithos 9, 4040 Germasogeia, Limassol, Cyprus. If you prefer to send us a written letter, you can mail it to our office address. Please indicate it’s a privacy-related inquiry on the envelope. Do note that postal inquiries may take longer to receive and respond to, especially internationally. Email is generally faster.
In-App Support (if available): If the App offers a support or contact feature, you can send a message through that channel. Simply state your privacy question or request. Our support team will route it to the privacy officer or appropriate personnel. We treat in-app support messages about privacy with the same care as email requests.

When contacting us, please provide sufficient information for us to understand your question and to verify your identity if you are requesting specific data or actions. For example, if you have an account under a different email than the one you’re writing from, let us know that detail (without sharing sensitive info) so we can locate your account.

Data Protection Authority Contact: While we encourage you to contact us first, you also have the right to contact the Cyprus Commissioner for Personal Data Protection or your local data protection authority regarding any concerns. Contact information for the Cyprus DPA can be found on their official website. We will cooperate with any official inquiries.

Thank you for reading our Privacy Policy. We take your privacy seriously and appreciate the trust you place in Finestro: Learn AI. If anything is unclear or you need further information, please reach out using the above contact details. Your feedback on our privacy practices is also welcome, as it helps us maintain the highest standards of transparency and user protection.