Privacy Policy

FinCrew AI — Effective Date: February 13, 2026 | Last Updated: February 13, 2026

1. Introduction

FinCrew AI ("FinCrew AI," "we," "us," or "our") is an AI-powered financial intelligence platform that provides automated bookkeeping, transaction management, invoice processing, fraud detection, and CFO-level financial insights through specialized AI agents. We are committed to protecting the privacy, confidentiality, and security of your personal and financial information.

This Privacy Policy explains how we collect, use, disclose, store, and protect your information when you access or use our platform, website, mobile applications, APIs, and any related services (collectively, the "Services"). By using our Services, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy.

This policy is designed to comply with applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), the Gramm-Leach-Bliley Act (GLBA), India's Digital Personal Data Protection Act (DPDPA), and other relevant federal, state, and international regulations.

2. Information We Collect

2.1 Information You Provide Directly

When you create an account, subscribe to our Services, or communicate with us, we may collect the following:

  • Account Information: Full name, email address, phone number, company name, job title, and billing address.
  • Financial Data: Bank account details, transaction records, invoices, receipts, expense reports, tax identification numbers, and other financial documents you upload or connect to our platform.
  • Business Information: Company registration details, industry classification, business size, revenue data, and organizational structure.
  • Payment Information: Credit/debit card numbers, billing details, and payment history (processed through PCI DSS-compliant third-party payment processors).
  • Communications: Messages, emails, support tickets, and feedback you send to us.

2.2 Information Collected Automatically

When you interact with our Services, we automatically collect certain technical and usage information:

  • Device and Browser Information: IP address, device type, operating system, browser type and version, device identifiers, and language preferences.
  • Usage Data: Pages visited, features used, actions taken, session duration, clickstream data, and interaction patterns with our AI agents.
  • Log Data: Server logs, error reports, and performance metrics.
  • Cookies and Tracking Technologies: We use cookies, web beacons, pixels, and similar technologies to enhance your experience and analyze usage patterns. See Section 9 (Cookies and Tracking Technologies) for more details.

2.3 Information from Third-Party Sources

We may receive information about you from third-party sources, including:

  • Financial Institutions: When you connect your bank accounts or financial systems through our platform (via secure APIs such as Plaid or similar providers).
  • Accounting Software: Data imported from connected accounting platforms (e.g., QuickBooks, Xero, Zoho Books).
  • Business Verification Services: Company registration data, credit bureau information, and identity verification services.
  • Analytics Providers: Aggregated usage and performance data from third-party analytics services.

2.4 Sensitive Financial Information

Given the nature of our Services, we process sensitive financial information, including bank account numbers, transaction histories, tax information, and financial statements. We treat this data with the highest level of security and apply enhanced protection measures as described in Section 7 (Data Security).

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Service Delivery and Operations

  • Providing and maintaining our AI-powered financial intelligence Services, including data ingestion, transaction recording, invoice management, and fraud detection.
  • Operating our specialized AI agents (Data Ingestion Agent, Transaction Agent, Invoice Agent, Fraud Detection Agent, Insights Agent, and CFO Orchestrator) to deliver personalized financial insights.
  • Processing transactions, generating reports, and delivering financial analytics.
  • Authenticating users and managing account access through multi-tenant data isolation.

3.2 Improvement and Development

  • Training, improving, and refining our AI models and algorithms to enhance accuracy and performance (using anonymized and aggregated data only).
  • Conducting research and development to build new features and services.
  • Analyzing usage patterns to optimize user experience and platform performance.

3.3 Communication

  • Sending transactional communications such as account confirmations, security alerts, and service updates.
  • Providing customer support and responding to inquiries.
  • Sending marketing communications with your consent, including product updates, newsletters, and promotional offers (you may opt out at any time).

3.4 Legal and Compliance

  • Complying with applicable laws, regulations, and legal processes.
  • Detecting, preventing, and investigating fraud, security breaches, and other potentially illegal or prohibited activities.
  • Enforcing our Terms of Service and other agreements.
  • Responding to lawful requests from government authorities and regulators.

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, and other jurisdictions that require a legal basis for processing personal data, we rely on the following:

Contractual Necessity

Processing is necessary to perform our contract with you and deliver the Services you have requested.

Legitimate Interests

Processing is necessary for our legitimate business interests, such as improving our Services, preventing fraud, and ensuring platform security, provided these interests do not override your rights and freedoms.

Legal Obligation

Processing is necessary to comply with applicable legal and regulatory requirements.

Consent

Where required by law, we obtain your explicit consent before processing your personal data for specific purposes, such as marketing communications. You may withdraw your consent at any time.

5. How We Share Your Information

We do not sell your personal or financial information. We may share your information in the following limited circumstances:

5.1 Service Providers and Partners

We share information with trusted third-party service providers who assist us in operating our platform, including cloud infrastructure providers (e.g., Amazon Web Services), payment processors, identity verification services, analytics providers, and customer support tools. These providers are contractually bound to protect your data and may only use it to perform services on our behalf.

5.2 Financial Institution Partners

With your authorization, we share data with financial institutions and accounting platforms to facilitate data synchronization, bank account connections, and integrated financial reporting.

5.3 Legal and Regulatory Disclosures

We may disclose your information when required by law, regulation, legal process, or governmental request; to enforce our Terms of Service or protect our rights, privacy, safety, or property; or to detect, prevent, or address fraud, security, or technical issues.

5.4 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.

5.5 Aggregated and De-Identified Data

We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you for research, analytics, benchmarking, and industry reporting purposes.

6. Data Retention

We retain your personal and financial information for as long as necessary to provide our Services, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods are determined based on the following criteria:

Retention Schedule

  • Active Account Data: Retained for the duration of your account relationship with us and for a reasonable period thereafter.
  • Financial Records: Retained for a minimum of seven (7) years to comply with tax, accounting, and financial regulatory requirements.
  • Transaction Logs and Audit Trails: Retained for a minimum of five (5) years in compliance with applicable financial regulations.
  • Marketing Data: Retained until you opt out or withdraw consent.
  • Technical Logs: Retained for up to twelve (12) months for security and troubleshooting purposes.

Upon expiration of the applicable retention period, we securely delete or anonymize your data using industry-standard methods, including cryptographic erasure where appropriate.

7. Data Security

We implement robust technical, administrative, and organizational security measures to protect your information against unauthorized access, alteration, disclosure, or destruction. Our security practices include:

7.1 Technical Safeguards

  • AES-256 encryption for data at rest and TLS 1.3 encryption for data in transit.
  • JSON Web Token (JWT) authentication with short-lived tokens and secure refresh mechanisms.
  • Multi-tenant data isolation ensuring strict separation of customer data across our platform.
  • Role-based access controls (RBAC) with the principle of least privilege.
  • Regular vulnerability assessments, penetration testing, and security audits.
  • Web Application Firewall (WAF) and DDoS protection.

7.2 Infrastructure Security

  • Cloud infrastructure hosted on Amazon Web Services (AWS) with SOC 2 and ISO 27001 certified data centers.
  • Secrets management through AWS Secrets Manager with automated key rotation.
  • Comprehensive logging, monitoring, and alerting through centralized security information and event management (SIEM) systems.
  • Automated backup and disaster recovery procedures.

7.3 Organizational Measures

  • Employee background checks and mandatory security awareness training.
  • Strict access controls and need-to-know data access policies.
  • Incident response plan with defined escalation procedures and breach notification protocols.
  • Regular third-party security assessments and compliance audits.

While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We encourage you to use strong passwords, enable multi-factor authentication, and promptly report any suspected unauthorized access to your account.

8. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal data:

8.1 Rights Under GDPR (EEA/UK Residents)

  • Right of Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete personal data.
  • Right to Erasure: Request deletion of your personal data, subject to legal retention requirements.
  • Right to Restrict Processing: Request that we limit the processing of your personal data in certain circumstances.
  • Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format.
  • Right to Object: Object to the processing of your personal data for certain purposes, including direct marketing.
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.
  • Right to Lodge a Complaint: File a complaint with a supervisory authority in your jurisdiction.

8.2 Rights Under CCPA/CPRA (California Residents)

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
  • Right to Delete: Request deletion of your personal information, subject to certain exceptions.
  • Right to Opt-Out: Opt out of the sale or sharing of your personal information. Note: We do not sell personal information.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Limit Use of Sensitive Personal Information: Direct us to limit the use and disclosure of sensitive personal information.

8.3 Rights Under India's DPDPA

  • Right to Access: Request a summary of the personal data processed and processing activities.
  • Right to Correction and Erasure: Request correction of inaccurate data and erasure of data no longer necessary.
  • Right to Grievance Redressal: Submit grievances regarding the processing of personal data.
  • Right to Nominate: Nominate another individual to exercise your rights in the event of your death or incapacity.

8.4 Exercising Your Rights

To exercise any of these rights, please contact us at privacy@fincrewai.com. We will respond to verified requests within the timeframes required by applicable law (generally 30 days under GDPR, 45 days under CCPA). We may need to verify your identity before processing your request to protect your account security.

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect information about your browsing activity and to personalize your experience. The categories of cookies we use include:

Cookie Categories

  • Strictly Necessary Cookies: Essential for the operation of our Services, including authentication and security.
  • Performance and Analytics Cookies: Help us understand how users interact with our platform and identify areas for improvement.
  • Functional Cookies: Enable enhanced functionality and personalization, such as remembering your preferences.
  • Marketing Cookies: Used to deliver relevant advertisements and track campaign effectiveness (only with your consent).

You can manage your cookie preferences through your browser settings or through our cookie consent management tool. Please note that disabling certain cookies may affect the functionality of our Services.

10. International Data Transfers

FinCrew AI operates globally and may transfer your personal data to countries outside your jurisdiction. When we transfer personal data internationally, we implement appropriate safeguards to ensure your data remains protected, including:

Transfer Safeguards

  • Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EEA.
  • Data processing agreements with recipients that include adequate data protection obligations.
  • Compliance with applicable cross-border data transfer frameworks and adequacy decisions.

By using our Services, you acknowledge that your data may be processed in jurisdictions with different data protection laws than your home jurisdiction.

11. AI and Automated Decision-Making

Our platform uses artificial intelligence and machine learning algorithms to deliver financial insights, detect anomalies, identify potential fraud, and automate bookkeeping tasks. We are committed to responsible and transparent AI practices:

Our AI Principles

  • Transparency: We provide clear explanations of how our AI agents process your data and generate insights.
  • Human Oversight: Critical financial decisions and flagged fraud alerts are subject to human review. Our AI agents assist and augment, rather than replace, human judgment.
  • Data Minimization: Our AI models are trained on anonymized and aggregated datasets. Individual customer data is not used for model training without explicit consent.
  • Bias Mitigation: We regularly audit our AI models for fairness and accuracy, and implement measures to mitigate algorithmic bias.
  • Right to Explanation: Under GDPR, you have the right not to be subject to a decision based solely on automated processing that significantly affects you, and to obtain an explanation of the logic involved.

12. Children's Privacy

Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that we have collected personal data from a child without verification of parental consent, we will take steps to delete that information promptly. If you believe we have inadvertently collected information from a minor, please contact us at privacy@fincrewai.com.

13. Third-Party Links and Services

Our Services may contain links to third-party websites, applications, or services that are not operated or controlled by FinCrew AI. This Privacy Policy does not apply to third-party services, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you access through our platform.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by posting the updated policy on our website, updating the "Last Updated" date, and, where required by law, sending you an email notification or in-app alert. We encourage you to review this Privacy Policy periodically. Your continued use of the Services after any changes constitutes your acceptance of the updated Privacy Policy.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us through the following channels:

FinCrew AI

  • Email: privacy@fincrewai.com
  • Website: https://www.fincrewai.com
  • Mailing Address: To be updated with registered business address

Data Protection Officer (DPO)

Email: dpo@fincrewai.com

For EU/EEA residents, you also have the right to lodge a complaint with your local data protection supervisory authority.
