Privacy Policy
Last Updated: March 13, 2026 | Version 1.1
1. Introduction
Welcome to FINNCAL ("we," "our," or "us"). We are committed to protecting your personal data and your right to privacy. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our financial planning platform at finncal.com.
This policy is compliant with the Digital Personal Data Protection Act, 2023 (DPDP Act) of India.
2. Who We Are
FINNCAL is a financial planning platform designed for Indian users to help calculate retirement "Freedom Numbers" and plan for financial independence.
Contact Information:
- Website: https://finncal.com
- Email: freedom@finncal.com
3. What Personal Data We Collect
We collect the following categories of personal data:
3.1 Account Information
- Email address (required for authentication)
- Name (optional)
- Password (stored in encrypted form, if applicable)
3.2 Financial Planning Data
This is data you voluntarily enter to use our planning tools:
- Current age and retirement age goals
- Annual income details
- Monthly expense details
- Current savings and investments
- Investment allocation preferences
- City/location preferences for retirement
- Risk tolerance preferences
- Portfolio holdings (stocks, mutual funds, etc.)
3.3 Gmail Integration Data (Optional Feature)
If you choose to use the Gmail Auto-Connect feature (optional — Portfolio Tracker only), we request access to your Gmail account settings via the Google OAuth 2.0 flow. Specifically:
- What we access: Your Gmail settings only (filters and forwarding addresses). We do NOT read, access, store, or process the content of your emails, your inbox, sent items, attachments, or any email metadata.
- What we create: Gmail filters that match emails from specific Indian brokers and financial institutions (e.g., Zerodha, Groww, HDFC Securities, CAMS, KFintech) and forward only those matching emails to our secure processing address (portfolio@in.finncal.com).
- OAuth tokens: We store your Gmail OAuth access token and refresh token in our encrypted database (AES-256). These tokens are used solely to manage your Gmail filters. They are never shared with third parties and are permanently deleted when you disconnect Gmail from FINNCAL.
- Disconnecting: You can disconnect Gmail at any time from Portfolio → Import Setup → Gmail Filters → Disconnect. This immediately revokes our OAuth tokens, removes the forwarding address, and no further access is made to your Gmail account.
This feature is governed by Google's Privacy Policy and our use of Gmail data complies with the Google API Services User Data Policy, including the Limited Use requirements.
3.4 Technical/Usage Data
- Device information (browser type, operating system)
- IP address
- Pages visited and features used
- Time spent on platform
- Cookies and similar technologies
4. How We Collect Your Data
We collect personal data in the following ways:
- Directly from you: When you create an account, enter financial data, or contact us
- Automatically: Through cookies and analytics when you use our platform
- From authentication providers: If you sign in using Google or other OAuth providers
5. Purpose of Data Collection
We use your personal data for the following purposes:
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Create and manage your account | Email, name | Consent |
| Provide retirement planning calculations | Financial data | Consent |
| Save your financial plans | All entered data | Consent |
| Send service-related emails | Email address | Consent / Legitimate Interest |
| Improve our platform | Usage data | Legitimate Interest |
| Prevent fraud and ensure security | Technical data | Legitimate Interest |
| Gmail Auto-Connect: create broker email filters | Gmail OAuth token (settings access only) | Consent (explicit, optional) |
| Comply with legal obligations | As required | Legal Obligation |
6. Consent
6.1 Obtaining Consent
We obtain your explicit consent before collecting your personal data. When you sign up for FINNCAL, you are asked to agree to this Privacy Policy and consent to data processing.
6.2 Withdrawing Consent
You have the right to withdraw your consent at any time. You can do this by:
- Going to Settings > Consent Management in your account
- Emailing us at freedom@finncal.com
Note: Withdrawing consent may limit your ability to use certain features of FINNCAL.
7. Your Rights as a Data Principal
Under the DPDP Act 2023, you have the following rights:
7.1 Right to Access
You can request a summary of your personal data and information about how it is being processed.
7.2 Right to Correction
You can request correction of inaccurate or incomplete personal data.
7.3 Right to Erasure (Right to be Forgotten)
You can request deletion of your personal data. We will delete your data within 30 days unless retention is required by law.
How to exercise: Use the "Delete My Data" option in your account menu or email freedom@finncal.com
7.4 Right to Withdraw Consent
You can withdraw consent at any time (see Section 6.2).
7.5 Right to Grievance Redressal
You have the right to file a grievance about how your data is handled (see Section 12).
7.6 Right to Nominate
You can nominate another individual to exercise your rights on your behalf in case of your death or incapacity.
Response Time: We will respond to your requests within 90 days as required by the DPDP Act.
8. Data Security
We implement reasonable security safeguards to protect your personal data:
- Encryption: All data is encrypted in transit (TLS/SSL) and at rest (AES-256)
- Access Controls: Only authorized personnel can access your data
- Secure Infrastructure: We use Supabase, which provides enterprise-grade security (SOC 2 Type II certified)
- Regular Audits: We regularly review our security measures
- Password Protection: Your password is stored using secure hashing
9. Data Storage and Transfer
9.1 Where Data is Stored
Your data is stored on cloud servers operated by Supabase (our database provider). Supabase uses Amazon Web Services (AWS) infrastructure.
9.2 Data Processors
We use the following third-party data processors:
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Database and authentication | Cloud (AWS) |
| Netlify | Website hosting | Cloud |
| Google (OAuth) | Sign-in authentication | Cloud |
| Google (Gmail API) | Creating Gmail filters and forwarding address (optional Gmail Auto-Connect feature only) | Cloud |
We have Data Processing Agreements with our processors to ensure your data is protected.
9.3 International Transfers
Your data may be transferred to servers located outside India. We ensure appropriate safeguards are in place for such transfers as per the DPDP Act.
10. Data Retention
We retain your personal data for the following periods:
| Data Type | Retention Period |
|---|---|
| Account data | Until you delete your account |
| Financial planning data | Until you delete your account |
| Usage/Analytics data | 2 years |
| Support communications | 3 years |
| Legal/Compliance records | As required by law |
After your account is deleted, we will erase your personal data within 30 days, unless retention is required for legal purposes.
11. Children's Data
FINNCAL is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately.
12. Grievance Redressal
If you have any concerns about how your data is handled:
Step 1: Contact Us
Email: freedom@finncal.com
We will acknowledge your grievance and work to resolve it within 90 days.
Step 2: Data Protection Board
If your grievance is not resolved satisfactorily, you may approach the Data Protection Board of India:
Website: https://dpdpa.gov.in (when operational)
13. Cookies and Tracking
We use cookies and similar technologies for:
- Essential cookies: Required for the platform to function (authentication, preferences)
- Analytics cookies: To understand how users interact with our platform
You can control cookies through your browser settings. Disabling essential cookies may affect platform functionality.
14. Gmail Integration — Google API Limited Use Disclosure
FINNCAL's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
14.1 What We Request
The Gmail Auto-Connect feature requests the following Google OAuth scope:
https://www.googleapis.com/auth/gmail.settings.basic — Permission to create Gmail filters and manage forwarding addresses in your Gmail settings.
14.2 What We Do With This Access
- Create filters: We create Gmail filters that match emails from Indian brokers and financial institutions you hold investments with (e.g., Zerodha, Groww, HDFC Securities, Upstox, ICICI Direct, Angel One, CAMS, KFintech, NSDL, CDSL). These filters forward matching emails to portfolio@in.finncal.com.
- Add forwarding address: We add portfolio@in.finncal.com as a verified forwarding address, which Gmail requires before forwarding filters work.
14.3 What We Do NOT Do
- We do not read, scan, index, or store the content of any emails
- We do not access your inbox, sent items, drafts, or any email messages
- We do not use Gmail data to serve advertisements
- We do not share Gmail tokens or data with any third parties
- We do not use Gmail access for any purpose other than creating the filters described above
14.4 Token Storage and Security
OAuth access and refresh tokens are stored encrypted (AES-256) in our Supabase database. They are accessible only by our server-side functions, never exposed to the browser or any third party. Tokens are permanently and irreversibly deleted when you disconnect Gmail.
14.5 Revoking Access
You can revoke FINNCAL's Gmail access at any time in two ways:
- In FINNCAL: Portfolio → Import Setup → Gmail Filters → Disconnect Gmail
- In Google: Visit myaccount.google.com/permissions and remove FINNCAL from connected apps
Upon revocation, we delete all stored OAuth tokens within 24 hours. The Gmail filters we created will remain in your Gmail settings (as they are your data) but FINNCAL will no longer have any access to your Gmail account.
15. Third-Party Links
Our platform may contain links to third-party websites. We are not responsible for the privacy practices of these websites. Please review their privacy policies.
16. Changes to This Policy
We may update this Privacy Policy from time to time. We will:
- Update the "Last Updated" date at the top
- Notify you via email for significant changes
- Request fresh consent if required by law
Continued use of FINNCAL after changes constitutes acceptance of the updated policy.
17. Contact Us
For any questions about this Privacy Policy or your personal data:
Email: freedom@finncal.com
General Inquiries: Contact Page
18. Language
This Privacy Policy is available in English. As per DPDP Act requirements, we will make it available in Hindi and other scheduled languages upon request.