Legal
Privacy Policy
Last updated: February 2026
This Privacy Policy explains how YourFinanceFlow collects, uses, and protects your personal and financial data. We are committed to full transparency about our data practices and your rights under GDPR.
1. Who We Are
YourFinanceFlow ("we", "our", "us") is a personal finance management service accessible at app.yourfinanceflow.app. We provide tools to connect your bank accounts via Open Banking, track transactions, and visualise your financial data.
For questions about this policy, contact us at: privacy@yourfinanceflow.app
2. Data We Collect
We collect the following categories of personal data:
Account data: Your name, email address, and hashed password (if you register with email/password). If you sign in with Google, we receive your name, email, and profile picture from Google OAuth.
Bank connection data: When you connect a bank account via Open Banking (Enable Banking), we receive your bank account names, account numbers (masked), current balances, and transaction history. We do not receive or store your online banking credentials; you authenticate directly with your bank.
Transaction data: Transaction amounts, dates, merchant names, descriptions, and categories. This data is stored locally on our servers in your account and is not shared with third parties.
Usage data: Session tokens and authentication records stored in our database to keep you logged in. We do not use analytics tracking by default.
3. How We Use Your Data
We use your data solely to provide the YourFinanceFlow service:
- To display your bank balances and transaction history in the dashboard
- To categorise transactions automatically using AI (Anthropic Claude). Transaction descriptions are sent to Anthropic's API for categorisation. No personally identifiable information beyond the transaction description is sent.
- To authenticate you and maintain your session
- To allow you to export your financial data as CSV
We do not use your data for advertising, profiling, or any purpose beyond operating the service.
4. Third-Party Services
We use the following third-party services to operate YourFinanceFlow:
Enable Banking Oy (Finland): Open Banking provider. Facilitates connections to your bank via regulated PSD2 APIs. Your bank authorisation happens directly on Enable Banking's platform. Enable Banking is a registered Account Information Service Provider (AISP) supervised by the Finnish Financial Supervisory Authority. Privacy policy: enablebanking.com/privacy.
Google LLC: OAuth authentication provider. If you choose to sign in with Google, Google shares your name, email, and profile picture with us under Google's OAuth consent process. Privacy policy: policies.google.com/privacy.
Anthropic PBC: AI provider used for transaction categorisation. Transaction description text (not your name, email, or account details) is sent to Anthropic's API to determine spending categories. Anthropic does not use API data to train models. Privacy policy: anthropic.com/privacy.
None of these providers have access to your full financial dataset. Each receives only the minimum data required for their specific function.
5. Data Storage & Security
Your account data (name, email, hashed password, session tokens) is stored in a PostgreSQL database hosted on a private VPS server in the EU.
Your transaction and bank account data is stored in encrypted files on the same server. Passwords are hashed using bcrypt (cost factor 12) and are never stored in plain text.
All communication between your browser and our server is encrypted via HTTPS (TLS). We enforce HTTP security headers including Strict-Transport-Security, X-Content-Type-Options, and X-Frame-Options.
We take reasonable technical measures to protect your data, but no system is 100% secure. In the event of a data breach that affects your rights, we will notify you within 72 hours as required by GDPR.
6. Data Retention
We retain your data for as long as your account is active.
If you use the "Clear Financial Data" feature in your profile, all your transactions and connected bank accounts are permanently deleted immediately.
If you use the "Delete Account" feature, all your data, including your user account, transactions, connected accounts, and session records, is permanently and irreversibly deleted from our systems.
You can exercise these rights at any time from your user profile page.
7. Your Rights (GDPR)
If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation (GDPR):
Right of access: You can request a copy of all personal data we hold about you.
Right to rectification: You can request correction of inaccurate data.
Right to erasure: You can delete your account and all associated data at any time via your profile page. No request to us is necessary.
Right to portability: You can export your transaction data as CSV at any time.
Right to object: You can object to any processing of your data.
Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights (other than deletion and export, which are self-service), contact us at privacy@yourfinanceflow.app. We will respond within 30 days.
8. Cookies
We use a single session cookie (authjs.session-token or __Secure-authjs.session-token on HTTPS) to keep you authenticated. This cookie is:
- HttpOnly (not accessible to JavaScript)
- Secure (only sent over HTTPS in production)
- SameSite=Lax (protects against CSRF)
- Valid for 30 days
We do not use advertising cookies, tracking pixels, or third-party analytics cookies.
9. Children's Privacy
YourFinanceFlow is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by updating the "Last updated" date at the top of this page. Continued use of the service after changes constitutes acceptance of the updated policy.
11. Contact
For any questions, concerns, or requests regarding this Privacy Policy or your personal data:
Email: privacy@yourfinanceflow.app
Website: app.yourfinanceflow.app