Last updated
Privacy Policy
How FindFin collects, uses, and protects personal information when you use our services.
1. Introduction
FindFin (“we”, “us”) respects your privacy. This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use FindFin, including https://findfin.app, our websites, tools, and related services (the “Services”).
If you do not agree with this Policy, please do not use the Services. We may update this Policy from time to time; we will post changes here and update the “Last updated” date.
2. Information we collect
Depending on how you use the Services, we may collect:
- Account and contact data: such as name, email address, password hash, profile image, and provider identifiers when you register or sign in (including via social login providers you choose).
- Authentication data: session tokens, account-linking records, security logs, and, where returned by a social login provider or needed by our authentication infrastructure, authentication artifacts such as ID tokens, access tokens, refresh tokens, scope metadata, or similar credentials used to keep you signed in securely.
- Usage and technical data: such as IP address, browser type, device type, approximate location derived from IP, pages viewed, and timestamps. We may use cookies or similar technologies as described in our Cookie Policy.
- Communications: messages you send us (e.g., support requests, listing submissions) and metadata associated with those messages.
- Content you provide: text or files you submit when using features such as navigation submissions or feedback forms.
We do not intentionally collect sensitive categories of data (such as health data) through the Services unless we explicitly ask and you voluntarily provide it for a stated purpose.
3. Google Sign-In
If you choose to sign in with Google, we receive limited Google account data such as your name, email address, profile picture, unique Google account identifier, and technical authentication data returned during the sign-in flow. For Google Sign-In, we request only the basic identity scopes needed to authenticate you, currently openid, email, and profile.
We use Google user data solely to:
- Create or link your FindFin account.
- Authenticate you and maintain your session.
- Display your name and profile picture within the Services.
- Protect your account, investigate authentication issues, and meet security or legal requirements related to sign-in.
We do not use Google user data to access your Gmail, Google Drive, Google Calendar, or any other Google service data. We do not store your Google password. We do not sell Google user data or use it for targeted advertising, data brokerage, credit or lending decisions, or training generalized AI or ML models.
We may disclose Google user data only to:
- Service providers and infrastructure providers that help us run authentication, hosting, database, security, analytics, or support systems, and only for those purposes.
- Authorities or other parties when required by law, legal process, or when necessary to protect rights, safety, and security.
- A successor entity in connection with a merger, acquisition, financing, or asset sale, subject to appropriate safeguards.
You can revoke FindFin's access to your Google account at any time through your Google Account permissions page. Revoking access will not automatically delete your FindFin account or data already collected or processed; see Section 10 for account deletion.
4. How we use information
We use personal information to:
- Provide, operate, and improve the Services.
- Create and manage your account and authenticate you.
- Respond to inquiries and provide support.
- Send service-related notices (e.g., security or policy updates) where appropriate.
- Analyze usage in aggregate or de-identified form to understand product performance and plan improvements.
- Detect, prevent, and address fraud, abuse, and security issues.
- Comply with legal obligations and enforce our terms.
We do not sell your personal information in the traditional sense of exchanging data for money. We may use processors (e.g., hosting, database, analytics) who process data on our instructions.
5. Legal bases (EEA, UK, and similar regions)
Where GDPR or similar laws apply, we rely on:
- Performance of a contract — to provide the Services you request.
- Legitimate interests — to secure our Services, improve features, and communicate with you, balanced against your rights.
- Consent — where required (e.g., certain cookies or marketing, if offered).
- Legal obligation — where we must retain or disclose data by law.
6. Sharing of information
We may share personal information with:
- Service providers who assist us in operating the Services, including Vercel (hosting and analytics), Google (authentication via Google Sign-In), and database and email delivery providers, subject to confidentiality and data processing terms.
- Professional advisors (e.g., lawyers, auditors) when necessary.
- Authorities when required by law, legal process, or to protect rights, safety, and security.
If we undergo a merger, acquisition, or asset sale, your information may be transferred as part of that transaction, subject to appropriate safeguards.
7. International transfers
We may process and store information in countries other than your own. Where we transfer personal data from the EEA, UK, or Switzerland, we use appropriate safeguards (such as Standard Contractual Clauses) where required.
8. Retention
We retain personal information only as long as necessary for the purposes described in this Policy, unless a longer period is required or permitted by law (e.g., tax, accounting, security, or dispute resolution). This includes Google account identifiers, basic profile data, and authentication records associated with Google Sign-In. When data is no longer needed, we delete or anonymize it in accordance with our retention practices and reasonable backup lifecycles.
9. Security
We implement technical and organizational measures designed to protect personal information against unauthorized access, loss, or alteration. These measures include HTTPS in transit, access controls, logging, and encryption or comparable protections made available by our infrastructure providers where appropriate. No method of transmission over the Internet is 100% secure; we cannot guarantee absolute security.
10. Your rights and account deletion
Depending on your location, you may have rights to:
- Access, correct, or delete your personal information.
- Object to or restrict certain processing.
- Request data portability.
- Withdraw consent where processing is consent-based.
- Lodge a complaint with a supervisory authority.
Account deletion: You may request deletion of your FindFin account and associated personal data by contacting hello@findfin.app. Upon verified request, we will delete or anonymize your account data, including Google Sign-In profile data and authentication records that are no longer required, within 30 days, except where retention is required by law or reasonably necessary for security, fraud prevention, or backup restoration. If you signed in with Google, we recommend also revoking access from your Google Account permissions page.
To exercise any of these rights, contact us at hello@findfin.app. We may need to verify your identity before responding.
11. Children
The Services are not directed at children under 16 (or the age required in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have collected such information, contact us and we will take appropriate steps to delete it.
12. Contact
Privacy inquiries: hello@findfin.app.
FindFin, available at https://findfin.app, is operated from Hong Kong. For EU/UK representatives (if appointed), we will list contact details here when applicable.