Finn Logo
Docs

Data Processing Agreement

Effective Date: January 15, 2025
Last Updated: January 15, 2025

1. Introduction

This Data Processing Agreement ("DPA") supplements and forms part of the Terms of Service and Privacy Policy between you ("Data Subject" or "User") and Finnance AI ("Company," "we," "us," or "our") regarding the processing of personal data in connection with the Finn AI financial communication service.

2. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person, including financial data, transaction information, and communication data.

"Processing" means any operation performed on personal data, including collection, recording, storage, adaptation, analysis, and transmission.

"Data Controller" means Finnance AI, which determines the purposes and means of processing personal data.

"Data Processor" means any third-party service provider that processes personal data on behalf of Finnance AI.

"Data Subject" means the individual whose personal data is being processed (the user of Finn).

3. Categories of Personal Data Processed

3.1 Financial Data

  • Bank account information and transaction history
  • Spending patterns and financial behavior
  • Account balances and investment data
  • Credit information and financial goals
  • Payment and billing information

3.2 Identity and Contact Data

  • Name, email address, and phone number
  • Date of birth and identification documents
  • Address and location information
  • Authentication credentials

3.3 Communication Data

  • Text message conversations with Finn AI
  • User preferences and feedback
  • Customer support interactions
  • Marketing communication preferences

3.4 Technical Data

  • Device information and IP addresses
  • Usage analytics and performance data
  • Cookies and tracking information
  • Security logs and access records

4. Purposes of Processing

We process your personal data for the following purposes:

4.1 Service Provision

  • Providing AI-powered financial insights and recommendations
  • Enabling secure bank account connections
  • Generating spending analysis and financial reports
  • Delivering personalized financial guidance

4.2 AI and Machine Learning

  • Training and improving our AI models
  • Developing personalized financial recommendations
  • Enhancing natural language processing capabilities
  • Creating aggregated insights for service improvement

4.3 Security and Compliance

  • Identity verification and fraud prevention
  • Compliance with legal and regulatory requirements
  • Security monitoring and incident response
  • Audit and assessment activities

4.4 Communication

  • Sending important account notifications
  • Providing customer support
  • Sharing service updates and new features
  • Marketing communications (with consent)

We process your personal data based on the following legal grounds:

5.1 Contract Performance

  • Processing necessary to provide the Finn service
  • Fulfilling our obligations under the Terms of Service
  • Managing your account and service delivery

5.2 Legitimate Interests

  • Improving our services and developing new features
  • Fraud prevention and security measures
  • Business analytics and service optimization
  • Marketing and promotional activities (where appropriate)

5.3 Consent

  • Marketing communications and promotional offers
  • Non-essential data processing activities
  • AI model training with your explicit consent
  • Optional features and enhanced services

5.4 Legal Compliance

  • Compliance with financial services regulations
  • Anti-money laundering and fraud prevention
  • Tax reporting and regulatory requirements
  • Court orders and legal process compliance

6. Data Retention

6.1 Retention Periods

We retain your personal data for the following periods:

Financial Data: 7 years from account closure or last transaction (as required by financial regulations)

Account Data: 3 years from account closure or last activity

Communication Data: 2 years from last interaction

Technical Data: 1 year from collection

Marketing Data: Until you withdraw consent or opt-out

6.2 Retention Criteria

We determine retention periods based on:

  • Legal and regulatory requirements
  • Business operational needs
  • User account status and activity
  • Data type and sensitivity level
  • Legitimate business interests

7. Data Security Measures

7.1 Technical Safeguards

  • AES-256 encryption for data at rest
  • TLS 1.3 encryption for data in transit
  • End-to-end encryption for sensitive communications
  • Secure key management and rotation
  • Regular security assessments and penetration testing

7.2 Administrative Safeguards

  • Role-based access controls and least privilege principles
  • Regular security training for employees
  • Background checks for personnel with data access
  • Incident response procedures and breach notification
  • Regular audits and compliance assessments

7.3 Physical Safeguards

  • Secure data centers with physical access controls
  • Environmental monitoring and disaster recovery
  • Secure disposal of physical media
  • Restricted access to facilities and equipment

8. Data Subject Rights

8.1 Right to Access

You have the right to request:

  • Confirmation that we process your personal data
  • Access to your personal data
  • Information about processing purposes and methods
  • Details about data retention and sharing

8.2 Right to Rectification

You have the right to:

  • Correct inaccurate personal data
  • Complete incomplete personal data
  • Update outdated information
  • Verify data accuracy with source systems

8.3 Right to Erasure

You have the right to request deletion of personal data when:

  • Data is no longer necessary for original purposes
  • You withdraw consent and no other legal basis exists
  • Data has been processed unlawfully
  • Erasure is required for legal compliance

8.4 Right to Restrict Processing

You have the right to restrict processing when:

  • You contest the accuracy of personal data
  • Processing is unlawful but you prefer restriction to erasure
  • We no longer need the data but you need it for legal claims
  • You object to processing pending verification of legitimate interests

8.5 Right to Data Portability

You have the right to:

  • Receive your personal data in a structured, commonly used format
  • Transmit data directly to another controller where technically feasible
  • Have data transferred without hindrance from us
  • Receive data in a machine-readable format

8.6 Right to Object

You have the right to object to processing when:

  • Processing is based on legitimate interests
  • Processing is for direct marketing purposes
  • Processing is for research or statistical purposes
  • Processing involves automated decision-making

9. Data Transfers

9.1 International Transfers

When we transfer your personal data internationally, we ensure:

  • Adequate protection through Standard Contractual Clauses
  • Adequacy decisions from relevant authorities
  • Binding Corporate Rules where applicable
  • Appropriate safeguards for your rights and freedoms

9.2 Third-Party Transfers

We may share your data with:

  • Financial data providers (Plaid, Yodlee, etc.)
  • Cloud hosting and infrastructure providers
  • Customer support and communication platforms
  • Analytics and monitoring services

All third-party transfers are governed by appropriate data protection agreements.

10. Data Breach Notification

10.1 Breach Detection and Response

We have procedures in place to:

  • Detect and assess data breaches promptly
  • Contain and mitigate breach impacts
  • Investigate breach causes and scope
  • Implement corrective measures

10.2 Notification Requirements

We will notify you of data breaches when:

  • There is a high risk to your rights and freedoms
  • Personal data has been compromised
  • Breach involves sensitive financial information
  • Required by applicable law or regulation

10.3 Notification Timeline

  • We will notify you within 72 hours of becoming aware of a breach
  • We will provide clear information about the breach and its impact
  • We will advise on steps you can take to protect yourself
  • We will provide regular updates on our response efforts

11. Compliance and Monitoring

11.1 Regulatory Compliance

We maintain compliance with:

  • General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Other applicable data protection laws

11.2 Regular Assessments

We conduct:

  • Privacy impact assessments for new processing activities
  • Data protection audits and reviews
  • Compliance monitoring and reporting
  • Regular training for staff on data protection

11.3 Documentation

We maintain documentation of:

  • Processing activities and purposes
  • Data protection measures and safeguards
  • Breach incidents and responses
  • Compliance assessments and findings

12. Contact Information

For questions about this Data Processing Agreement or to exercise your data rights:

Data Protection Officer:
Email: dpo@textfinn.com

Privacy Officer:
Email: privacy@textfinn.com

Data Rights Requests:
Email: data-rights@textfinn.com

General Inquiries:
Email: help@textfinn.com

This Data Processing Agreement is effective as of January 15, 2025, and was last updated on January 15, 2025.

Was this page helpful?