Finlynq is an open-source personal-finance app (AGPL v3). You can run it on your own hardware or use our managed cloud at finlynq.com. This policy covers the managed cloud. If you self-host, you're the data controller, so this policy doesn't apply to your own deployment.
1. What we collect
On the managed cloud, Finlynq only stores the data you put into it yourself:
- Account identity: a username (your choice), an email address (we use it only for password recovery and security alerts), and a password hash.
- Financial data you import or enter: accounts, transactions, budgets, investments, loans, goals, attached receipts.
- Operational logs: HTTP request logs (IP address, user agent, URL path, status code). We keep these 30 days for abuse prevention and debugging.
- MCP / API tokens you generate: we store these as one-way hashes. We show you the raw token once when you create it, and we can't show it again.
We don't collect bank credentials. Finlynq has no Plaid, MX, Yodlee, or Finicity integration. Your bank login never touches our servers. You import data via CSV / OFX / QFX / PDF / email.
2. How your financial data is encrypted
Finlynq uses per-user envelope encryption. Here's the short version:
- Each user gets a Data Encryption Key (DEK), generated at signup.
- We wrap the DEK with a Key Encryption Key (KEK) derived from your password using scrypt with a server-side pepper.
- We store sensitive fields (transaction payees, notes, tags, attached files, encrypted display names) as AES-256-GCM ciphertext with a random IV and authentication tags.
- Your DEK lives only in memory while you're signed in (sliding 2h idle timeout). We never write it to disk in plaintext.
- If you forget your password, your encrypted data can't be recovered. That's by design.
3. What we never share
- We don't sell, rent, or share your data with advertisers, data brokers, or any third party.
- We don't move money. Finlynq isn't a broker, bank, advisor, or SEC-registered RIA. We can't initiate transfers from your accounts.
- We don't use your financial data to train AI models. The MCP server lets you grant a third-party AI assistant access to your data. You stay in control: it's scoped per session and you can revoke it.
- We don't use third-party analytics inside the app. The public marketing pages load Google Analytics only after you explicitly accept the cookie banner.
4. AI assistants and the MCP server
When you connect Finlynq to an AI assistant via our MCP server, the assistant authenticates through OAuth 2.1 (or with a Bearer API key if you're using a CLI client). It only receives the data returned by the specific tool it calls, scoped to your account.
- The AI vendor (e.g., Anthropic) sees the tool responses, since they pass through the model. Check the vendor's privacy policy.
- You can revoke an OAuth grant at any time from Settings → Connected apps.
- Destructive operations (bulk delete, bulk update, imports) use a preview-confirm-execute pattern with a server-signed token, so an AI can't change your data without your explicit confirmation.
5. Sub-processors
The managed cloud runs on a single VPS that we operate. We don't use third-party data processors for the app database. The only outbound integrations are:
- Yahoo Finance, CoinGecko, Stooq, for anonymous public-price queries that value your portfolio. No user data is sent.
- Resend, for transactional email (password reset, account alerts) and the optional inbound-import address.
- GitHub Sponsors / Ko-fi, for donation processing, only if you choose to donate. They handle their own KYC/payment data.
6. Cookies and analytics
The app itself loads no third-party analytics, no advertising scripts, and no tracking pixels. Sign-in uses a single first-party session cookie that keeps you signed in, and it expires automatically.
On the public marketing pages we load Google Analytics to see which posts bring people here. GA isn't essential, so we ask for your consent before loading it. You can change your mind at any time.
7. Records of processing (GDPR Article 30)
If you're protected by GDPR, here's our public record of processing activities. We keep our internal records current and make them available to supervisory authorities on request.
- Controller: Finlynq (operated from Canada). Contact: privacy@finlynq.com.
- EU representative: Per GDPR Article 27(2), no representative is currently designated (small-scale processing, no special-category data, no targeting of EU market).
- Purposes of processing: (1) provide the personal finance application; (2) authenticate users; (3) deliver MCP server access; (4) send transactional email; (5) prevent abuse.
- Lawful basis: performance of a contract (Article 6(1)(b)) and legitimate interest for security logs (6(1)(f)).
- Categories of data subjects: users who sign up for the managed cloud at finlynq.com.
- Categories of personal data: username, email, password hash, financial data entered by user, MCP/API token hashes, HTTP request metadata. No special-category data.
- Recipients / sub-processors: see Section 5. We do not sell or rent personal data.
- Cross-border transfers: data is stored in Canada, which has an EU adequacy decision (Article 45). No additional safeguards required.
- Retention: see Section 9 below.
- Technical and organizational measures: per-user envelope encryption (AES-256-GCM, scrypt-derived KEK); HTTPS/TLS; least-privilege staff access; rate limiting and origin validation on the MCP endpoint; regular dependency updates.
8. Security incident response
Our breach response process aligns with GDPR Articles 33 and 34:
- Detection: automated monitoring on auth endpoints, OAuth grant lifecycle, and unusual access patterns.
- Containment: on suspicion of compromise, we rotate DEPLOY_GENERATION (force-logout every session) and revoke OAuth grants.
- Notification to supervisory authority: within 72 hours of becoming aware (Article 33(1)).
- Notification to affected users: when a breach is likely to result in high risk, without undue delay (Article 34).
- Reporting a vulnerability: please email privacy@finlynq.com. We'll confirm we got it within 48 hours.
9. Retention and deletion
- You can export your full account at any time as a JSON backup from Settings → Data → Export.
- You can wipe your account from Settings → Data → Delete account. This removes every row in every table scoped to your user_id in a single transaction.
- Operational logs are retained for 30 days, then rotated.
- Database backups are retained for 7 days. After 7 days, deleted account data is unrecoverable from backups.
10. Children
Finlynq isn't directed at children under 16, and we don't knowingly collect data from children. If you spot a child's account, contact us and we'll delete it.
11. Jurisdiction and your rights
Finlynq is operated from Canada. You can exercise your access, rectification, deletion, and portability rights at any time directly from Settings → Data; you don't need to ask us. For anything else (GDPR Article 15 access requests, CCPA opt-outs, EU data-subject requests), contact us at the address below and we'll respond within 30 days.
12. Changes
We'll update this page when our practices change and bump the Last updated date at the top. We'll also announce material changes (a new sub-processor, a change to encryption guarantees) in the project changelog.
13. Contact
Privacy questions, data-subject requests, security disclosures: privacy@finlynq.com. For source-code questions, bugs, or feature requests, open an issue at github.com/finlynq/finlynq.
Want a plain-English walkthrough of how the encryption works in practice, including the honest tradeoffs (lose your password, lose your data; the operator can see anonymized amounts and dates)? Read How Finlynq encrypts your money. The full encryption design, including the key-derivation parameters and threat model, is published at pf-app/docs/architecture/encryption.md. The code that implements it is in pf-app/src/lib/crypto/. Both are AGPL v3, so read the code, audit it, fork it.