Privacy Policy
Last updated: March 19, 2026
Finsava is a privacy-first personal finance platform. Privacy is at the core of the project. This policy explains what data is collected by the finsava.com landing page and how the Finsava application handles your information.
What Data We Collect
The finsava.com landing page collects only one piece of personal information: your email address, submitted voluntarily through the registration form.
The Finsava application protects your financial data with encryption at rest and strict access controls. All financial data — transactions, budgets, savings goals, AI conversations, and ML models — is secured within your account.
How We Use Your Data
Email addresses collected through registration are used solely to operate your account and send notifications about Finsava updates. We do not sell, share, or rent your email to any third party.
Third-Party Services
- Vercel — The finsava.com landing page is hosted on Vercel. Vercel may collect standard web analytics (IP addresses, browser metadata) as part of its hosting infrastructure. See Vercel's Privacy Policy.
- SimpleFin — If you enable bank sync in the self-hosted app, transaction data is routed through SimpleFin's API. This connection is initiated and controlled entirely by you on your own server. See SimpleFin's website.
- Plaid (sub-processor under GDPR Art. 28) — Bank account connection and transaction data retrieval (12,000+ institutions). Plaid acts as a data sub-processor on Finsava's behalf under a Data Processing Agreement. Credential isolation: Your bank login credentials are entered directly into Plaid's secure hosted interface (Plaid Link) and never touch Finsava's servers. Finsava receives only a short-lived authorization token. Data Finsava receives from Plaid: transaction data (dates, amounts, descriptions, merchant names, currency codes), account metadata (account name, type, balance), and institution information. Finsava does not receive your bank login credentials, account numbers, or routing numbers. Transaction data is periodically synced, not real-time. See Plaid's End User Privacy Policy.
Aggregated Data and Model Training
To improve transaction categorization accuracy for all users, Finsava may train machine learning models on anonymized, aggregated data. This aggregated data contains only merchant/payee description text and spending category labels. It does not contain your name, email, account numbers, transaction amounts, account balances, dates, or any other personally identifiable information.
A minimum of two distinct users must independently categorize the same merchant description before any data point enters the aggregated training set. Contested categorizations (where users disagree) are excluded entirely. No individual user's data can be reconstructed from the aggregated model.
Legal basis (GDPR): Legitimate interest (Article 6(1)(f)) in improving service quality. The processing involves only anonymized, aggregated data that cannot reasonably identify any individual.
Opt out: You may request that your categorizations be excluded from future model training by contacting support@finsava.com.
Data Retention
Account data is retained while your account is active. You can delete your account and all associated data at any time from the Settings page, or contact us at the address below.
Self-Managed Deployment
As an alternative, you can run Finsava on your own hardware. In this configuration, all financial data is stored in a local SQLite database on your machine. Specifically:
- No telemetry or usage tracking is collected.
- No data is sent to Finsava or any third party by default.
- AI processing happens locally via Ollama — your prompts and financial context never leave your device.
- There is no cloud sync unless you explicitly configure it yourself.
- You have full control to inspect, export, or delete your data at any time.
Finsava Cloud Service
Finsava operates as a hosted service where Finsava acts as a data processor for your financial information. The following disclosures apply:
- Data storage: Your financial data will be stored on hosted PostgreSQL servers. All data is encrypted in transit (TLS) and at rest.
- AI processing: Cloud AI processing uses Claude (Anthropic). Your financial context is sent to Anthropic's servers for processing. AI features can be disabled at any time in Settings. Self-managed deployments can use local AI via Ollama instead.
- Sub-processors: Finsava Cloud uses the following sub-processors: cloud hosting provider (for database and application hosting), Anthropic Claude (cloud AI), Stripe (subscription billing — receives email, name, payment method), Plaid (bank sync), SimpleFin (bank sync), Resend (transactional emails), and Vercel (landing page hosting).
- Data location: Cloud data may be stored and processed in the United States. If you require data to remain in a specific jurisdiction, please consider the self-hosted deployment option.
- Data portability: You can export all of your data at any time using the built-in data export feature (Settings → Export My Data).
- Account deletion: You can permanently delete your account and all associated data at any time from the Settings page.
Claude AI Disclosure
Finsava uses Claude (by Anthropic) for two distinct Pro-tier features, and each sends a different scope of data.
1. AI categorization (background)
Classifies transactions. Sends only the merchant description and a list of your category labels. No amounts, no dates, no account names, no balances.
2. AI chat assistant (on-demand)
When you open a chat with the assistant, Finsava builds a financial-context summary and sends it with every message so the model can give specific advice. Concretely, every chat message sends:
- Year-to-date spending total and projected annual spending
- Projected year-end spending by category (all tracked categories)
- Year-to-date income, monthly income, projected annual income
- Budget vs. actual for every budget you've set
- Top 15 spending categories (YTD)
- Last 6 months of monthly income, expenses, and net cash flow
- Projected annual savings and savings rate
- Your prior messages in the current chat session
This is more than the summaries sent by the categorization pipeline — it is effectively your financial profile for the current year. We disclose this explicitly so you can make an informed choice. If you do not want this data sent to Anthropic, do not open the chat assistant. AI insights on the dashboard (which use local Gemma) are unaffected.
Retention & disabling
- Anthropic's data processing terms apply to all data sent to Claude. See Anthropic Terms of Service.
- AI chat is Pro-only and can be disabled by switching to the Free tier or by simply not opening the chat panel.
- For self-managed deployments, local AI via Ollama (Gemma 4) is available as an alternative where no financial data leaves your machine.
Cookies
The Finsava application uses the following cookies:
- finapp_token — httpOnly authentication cookie for your login session. Cannot be read by JavaScript.
- finapp_viewing_as — httpOnly cookie used when viewing a shared account. Set only when the account sharing feature is active. Contains only the numeric user ID of the account being viewed.
We do not use tracking cookies, analytics cookies, advertising cookies, or third-party cookies. The finsava.com landing page uses only essential cookies set by our hosting provider (Vercel).
We Do Not Sell Your Data
Finsava does not sell, rent, lease, or share your personal information or financial data with any third party for monetary or other valuable consideration. This applies to all users across all tiers and deployment methods.
California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with specific rights regarding your personal information:
- Right to know: You have the right to request information about the categories and specific pieces of personal information we collect, use, and disclose.
- Right to delete: You have the right to request deletion of your personal information. For the landing page, email us to request removal. For Finsava Cloud, use the account deletion feature in Settings.
- Right to opt-out: Finsava does not sell or share your personal information for cross-context behavioral advertising.
- Non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
Finsava does not sell your personal information. We do not share your personal information for cross-context behavioral advertising purposes.
Your Rights (GDPR)
If you are located in the European Economic Area or the United Kingdom, you have the following rights under the General Data Protection Regulation:
- Right of access to your personal data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object to processing
- Right to withdraw consent at any time
To exercise any of these rights, contact us at privacy@finsava.com. We will respond within 30 days.
Security Transparency
Finsava is built with a privacy-first architecture. All data is encrypted in transit and at rest. Bank credentials are encrypted at rest. AI processing uses Claude (Anthropic); self-managed deployments can use local AI via Ollama.
Contact
If you have any questions about this Privacy Policy, please contact us at privacy@finsava.com.