Legal
Privacy Policy
Last updated: July 14, 2026
FinTrack (“we”, “us”) is a personal finance workspace. This policy explains what data we collect, why we collect it, who processes it on our behalf, and the controls you have. The short version: we collect only what the product needs, we never sell your data, your bank credentials never touch our servers, and you can export or delete everything.
Data we collect
- Account profile — your name, email address, and sign-in identity, managed by our authentication provider (Clerk).
- Financial data you connect — account names, balances, holdings, and transactions from banks you link through Plaid. Your online-banking credentials are entered directly with Plaid and are never sent to or stored on FinTrack servers.
- Data you enter — manual accounts (we store display metadata and the last four digits of card numbers only — never full card numbers or CVVs), budgets, goals, tags, rules, and notes.
- Documents you upload — invoices and tax documents you choose to store, encrypted at rest.
- Settings and product telemetry — your preferences and an audit log of security-relevant actions on your account.
How we use it
Exclusively to run FinTrack for you: showing balances and cash flow, detecting recurring charges, generating budgets, reports, and briefings, and — if you keep AI features enabled — producing insights grounded in your own data. We do not sell or rent your data, and we do not use it for third-party advertising.
AI features are optional
AI-powered features (spending insights, the AI coach, document extraction, audio briefings) send relevant slices of your financial context to Google’s Gemini API to generate a response. Every AI feature can be switched off in Settings, and disabling them stops that processing entirely.
Service providers
These providers process data on our behalf, each only for its listed purpose:
- Clerk — authentication and session management
- Plaid — read-only bank connections
- Supabase — encrypted database and document storage
- Vercel — application hosting
- Google (Gemini API) — AI features, only while enabled
- Resend — transactional email (reminders, briefings)
Security
Sensitive values (bank access tokens, account numbers) are encrypted with AES-256-GCM before storage. All traffic is HTTPS with strict transport security. Database rows are protected with row-level security scoped to your user. Sessions sign out automatically after inactivity, and security-relevant actions are recorded in an audit log.
Retention, export, and deletion
Transaction history is kept for the retention window you choose in Settings. You can export your data at any time from Settings (“Export my data”). Deleting your account removes your data from our systems; you can also email us to request deletion.
Changes and contact
If this policy changes materially, we will update this page and the date above. Questions or requests: support@myfintrack.io. See also our Terms of Service.