Your Privacy Matters

Privacy Policy

We are committed to protecting your privacy and ensuring you understand how we collect, use, and safeguard your personal information.

Effective Date: February 17, 2026
Last Updated: February 17, 2026
Version: 2.0.0

1. Introduction

Finanzo LLC (“Finanzo,” “we,” “our,” or “us”) is committed to protecting your privacy and ensuring you understand how we collect, use, share, and safeguard your personal information. This Privacy Policy applies to all users of the Finanzo mobile application, web application, and related services (collectively, the “Services”).

By using our Services, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use our Services.

This Privacy Policy applies to information we collect:

  • Through our mobile applications (iOS and Android)
  • Through our web application at finanzo.io
  • Through email, text, and other electronic communications
  • Through interactions with our customer support
  • When you connect financial accounts through our Services

2. Information We Collect

We collect several types of information from and about users of our Services. The types of information we collect depend on how you interact with our Services.

2.1 Personal Information

Personal information is information that identifies, relates to, describes, or can be reasonably linked to you. We may collect:

  • Contact Information: Name, email address, phone number, mailing address
  • Account Credentials: Username, password (hashed and encrypted), security questions
  • Identity Verification: Date of birth, last four digits of Social Security Number (SSN)
  • Professional Information: Employer name, job title, employment status, income
  • Mortgage Professional Information: NMLS ID, license information, brokerage affiliation (for loan officers)
  • Profile Information: Profile photo, preferences, communication preferences

2.2 Financial Information

When you connect your financial accounts through Plaid or manually enter financial information, we may collect:

  • Bank Account Information: Account numbers (masked), routing numbers (masked), account types, balances
  • Transaction Data: Transaction history, transaction amounts, merchant names, categories
  • Credit Information: Credit score (with your explicit consent), credit history factors
  • Loan Information: Existing loan balances, interest rates, monthly payments, loan terms
  • Property Information: Property addresses, estimated values, mortgage details
  • Income Information: Salary, income sources, pay frequency
  • Asset Information: Account balances, investment holdings (aggregated only)

IMPORTANT: We never store your full bank account credentials. When you connect accounts through Plaid, your credentials are transmitted directly to Plaid and are never shared with Finanzo.

2.3 Device and Technical Information

We automatically collect certain information when you access our Services:

  • Device Information: Device type, model, operating system, unique device identifiers, mobile network information
  • Browser Information: Browser type, version, language preference, time zone
  • Location Information: IP address, general geographic location (city/state level), precise location (only with your explicit consent)
  • App Information: App version, crash reports, performance data
  • Network Information: Internet service provider, connection type (WiFi/cellular)

2.4 Usage Information

We collect information about how you interact with our Services:

  • Feature Usage: Screens viewed, features used, buttons clicked, time spent on screens
  • Search Queries: Property searches, service provider searches
  • Communication Patterns: Messages sent/received through the platform, notification interactions
  • Session Information: Login times, session duration, frequency of use

2.5 Biometric Information

With your explicit consent, we may collect:

  • Face ID / Touch ID Authentication: We use your device's biometric capabilities to provide secure, convenient authentication. Your actual biometric data (fingerprint or facial geometry) is never transmitted to or stored on our servers. This data remains on your device and is managed by Apple's Secure Enclave or Android's Trusted Execution Environment.
  • Behavioral Biometrics: We may analyze patterns such as typing rhythm and device movement for fraud prevention purposes. This data is processed locally and used only for security verification.

2.6 Communications

We collect information when you communicate with us or through our Services:

  • Customer Support: Inquiries, feedback, complaints, support tickets
  • In-App Messaging: Messages between you and loan officers or other professionals
  • Email Communications: Responses to our emails, email open rates, click-through rates
  • Phone Communications: Call recordings (with consent), voicemail transcriptions

3. How We Collect Information

3.1 Direct Collection

Information you provide directly to us when you:

  • Create an account or register for our Services
  • Complete your profile or update account settings
  • Connect financial accounts through Plaid or other aggregators
  • Enter property or loan information manually
  • Contact our customer support
  • Respond to surveys or promotional communications

3.2 Third-Party Collection

Information we receive from third parties:

  • Financial Data Aggregators (Plaid): Account information, transaction history, balances
  • Identity Verification Services: Identity confirmation, fraud checks
  • Credit Bureaus (with consent): Credit scores, credit factors
  • Real Estate Data Providers: Property values, public records
  • Partner Loan Officers: Information they have about you (with your consent)

3.3 Automatic Collection

Information collected automatically through:

  • Cookies and Similar Technologies: Session cookies, persistent cookies, web beacons
  • Analytics Tools: Google Analytics, Firebase Analytics, Application Insights
  • Error Tracking: Crash reports, error logs, performance metrics

4. How We Use Your Information

4.1 Providing and Improving Services

  • Display your financial information in a unified dashboard
  • Calculate and display refinance opportunities and savings
  • Facilitate communication between you and loan officers
  • Process transactions and maintain your account
  • Provide customer support and respond to inquiries
  • Analyze usage patterns to improve our Services
  • Develop new features and functionality

4.2 Personalization

  • Customize content and recommendations based on your preferences
  • Suggest relevant loan products and refinance opportunities
  • Tailor notifications based on your interests and activity
  • Remember your preferences and settings

4.3 Communication

  • Send account-related notifications (security alerts, updates)
  • Deliver transactional messages (confirmations, receipts)
  • Send marketing communications (with your consent)
  • Facilitate communication with loan officers and professionals
  • Respond to your comments, questions, and requests

4.4 Security and Fraud Prevention

  • Verify your identity and authenticate access
  • Detect and prevent fraud, unauthorized access, and other malicious activity
  • Monitor for security threats and vulnerabilities
  • Enforce our Terms of Service and other policies
  • Protect the rights, property, and safety of our users and others

4.5 Legal Compliance

  • Comply with applicable laws, regulations, and legal processes
  • Respond to lawful requests from government authorities
  • Enforce our agreements and protect our legal rights
  • Meet regulatory requirements under GLBA, FCRA, and state privacy laws

5. Information Sharing and Disclosure

We do not sell your personal information.

However, we may share your information in the following circumstances:

5.1 With Your Consent

We share information when you explicitly authorize us to do so:

  • Loan Officer Sharing: When you pair with a loan officer, you authorize us to share specific financial information with them. You control exactly what data categories are shared through our Data Consent Management settings.
  • Partner Professionals: Real estate agents, financial advisors, or other professionals you choose to connect with
  • Family/Household Sharing: When you invite family members to shared financial spaces

5.2 Service Providers

We share information with third-party service providers who perform services on our behalf:

  • Plaid: Financial account aggregation and verification
  • Azure Communication Services: Email delivery and SMS (transactional only)
  • Twilio: SMS messaging and phone verification
  • Firebase: Push notifications and analytics
  • Stripe: Payment processing (for premium features)
  • Cloud Infrastructure: Microsoft Azure for hosting and data storage

All service providers are contractually obligated to protect your information and use it only for the purposes we specify.

5.3 Legal Requirements

We may disclose information when required by law or in response to:

  • Valid subpoenas, court orders, or legal process
  • Requests from law enforcement or government agencies
  • To protect the safety of any person
  • To investigate potential violations of our policies
  • To protect our rights or property

We will notify you of such requests when legally permitted.

5.4 Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred to the acquiring entity. We will provide notice before your personal information is transferred and becomes subject to a different privacy policy.

5.5 Aggregated and De-identified Information

We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you.

6. Third-Party Services

Our Services integrate with various third-party services. Each has its own privacy practices:

6.1 Plaid

We use Plaid Inc. to connect your bank accounts. When you link accounts:

  • Your bank credentials are entered directly into Plaid's secure interface
  • We never receive, see, or store your bank login credentials
  • Plaid is certified under SOC 2 Type II and uses bank-level encryption
  • You can disconnect Plaid at any time through Settings → Linked Accounts

Plaid's Privacy Policy: https://plaid.com/legal

6.2 Microsoft Azure

Our Services are hosted on Microsoft Azure cloud infrastructure:

  • Data is encrypted at rest and in transit
  • Azure maintains SOC 1, SOC 2, ISO 27001, and other certifications
  • Data is primarily stored in US data centers

Azure Privacy Statement: https://privacy.microsoft.com

6.3 Twilio

We use Twilio for SMS messaging and phone verification.

Twilio Privacy Policy: https://www.twilio.com/legal/privacy

6.4 Firebase (Google)

We use Firebase for push notifications and analytics.

Firebase Privacy Information: https://firebase.google.com/support/privacy

6.5 Stripe

For premium features and subscriptions, we use Stripe for payment processing.

Stripe Privacy Policy: https://stripe.com/privacy

7. Data Security

We implement comprehensive security measures to protect your information:

7.1 Encryption

  • Data in Transit: All data transmitted between your device and our servers uses TLS 1.3 encryption
  • Data at Rest: All stored data is encrypted using AES-256 encryption
  • Sensitive Data: Financial information and PII use additional field-level encryption
  • Key Management: Encryption keys are managed through Azure Key Vault with hardware security modules (HSM)

7.2 Access Controls

  • Role-Based Access: Our staff access data on a need-to-know basis
  • Multi-Factor Authentication: Required for all administrative access
  • Audit Logging: All data access is logged and monitored
  • Regular Reviews: Access permissions are reviewed quarterly

7.3 Authentication Security

  • Password Hashing: Passwords are hashed using Argon2id (OWASP recommended)
  • Multi-Factor Authentication: Available via authenticator apps, SMS, or email
  • Biometric Authentication: Face ID/Touch ID for convenient, secure access
  • Session Management: Automatic timeout and secure session handling
  • Trusted Devices: Option to remember trusted devices for 30 days

7.4 Incident Response

  • We maintain a comprehensive incident response plan
  • Security incidents are investigated immediately
  • Affected users are notified within 72 hours of a confirmed breach
  • We work with law enforcement when appropriate

Despite our efforts, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to implementing industry best practices.

8. Data Retention

8.1 Retention Periods

  • Account Information: Retained while your account is active and for 7 years after deletion (for legal/tax compliance)
  • Financial Data: Transaction data retained for 7 years (GLBA requirement)
  • Communication Records: Retained for 3 years
  • Log Data: Retained for 2 years
  • Plaid Connections: Access tokens expire after 90 days of inactivity
  • Marketing Preferences: Retained until you change them

8.2 Data Deletion

You can request deletion of your account and personal data at any time:

  • Mobile App: Settings → Privacy & Security → Delete My Account
  • Web App: Profile → Account Settings → Delete Account
  • Email: privacy@finanzo.io

Upon deletion request:

  • Account access is immediately disabled
  • Most personal data is deleted within 30 days
  • Some data may be retained for legal compliance (up to 7 years)
  • Anonymized/aggregated data may be retained indefinitely

9. Your Privacy Rights

9.1 Rights for All Users

Regardless of your location, you have the right to:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate or incomplete information
  • Deletion: Request deletion of your personal information
  • Portability: Request your data in a portable format
  • Opt-Out: Opt out of marketing communications at any time
  • Withdraw Consent: Withdraw consent for data processing where consent is the legal basis

To exercise these rights, contact us at privacy@finanzo.io or use the in-app settings.

9.2 California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: Request information about the categories and specific pieces of personal information we collect, use, and disclose
  • Right to Delete: Request deletion of your personal information, subject to certain exceptions
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out of Sale/Sharing: We do NOT sell or share your personal information for cross-context behavioral advertising
  • Right to Limit Use of Sensitive Personal Information: Request limitations on how we use sensitive information
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

California Categories of Information Collected:

  • Identifiers (name, email, phone, IP address)
  • Financial Information (account numbers, balances, transactions)
  • Internet Activity (browsing history, app usage)
  • Geolocation Data (IP-based location)
  • Professional Information (employment, income)
  • Inferences (refinance eligibility, financial health scores)

To submit a verifiable consumer request, email privacy@finanzo.io. We will verify your identity before processing requests.

Authorized Agents: You may designate an authorized agent to make requests on your behalf. We require written authorization and identity verification.

Response Time: We will respond to verifiable requests within 45 days, with a possible 45-day extension for complex requests.

9.3 Virginia Privacy Rights (VCDPA)

Virginia residents have rights to access, correct, delete, and obtain a copy of personal data. You also have the right to opt out of targeted advertising, sale of personal data, and profiling.

9.4 Colorado Privacy Rights (CPA)

Colorado residents have similar rights to Virginia residents, including the right to access, correct, delete, and port personal data, as well as opt-out rights.

9.5 European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

  • Right to Access, Rectification, Erasure (“right to be forgotten”)
  • Right to Restrict Processing and Data Portability
  • Right to Object to processing based on legitimate interests
  • Rights Related to Automated Decision-Making

Legal Bases for Processing: Contract, Consent, Legitimate Interests, Legal Obligation

To exercise your rights, email dpo@finanzo.io. You also have the right to lodge a complaint with your local data protection authority.

9.6 Nevada Privacy Rights

Nevada residents may opt out of the sale of covered information. We do not sell your personal information as defined under Nevada law, but you may submit an opt-out request to privacy@finanzo.io.

10. Children's Privacy

Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will take steps to delete such information as soon as possible.

If you believe we have inadvertently collected information from a child under 18, please contact us immediately at privacy@finanzo.io.

11. International Data Transfers

Finanzo is based in the United States, and our Services are hosted on servers located in the United States.

If you are accessing our Services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate.

For users in the EEA, UK, or Switzerland, we use appropriate safeguards for international transfers, including:

  • Standard Contractual Clauses approved by the European Commission
  • Binding Corporate Rules (where applicable)
  • Adequacy decisions by relevant authorities

By using our Services, you consent to the transfer of your information to the United States and other countries that may have different data protection laws than your country of residence.

12. Do Not Track Signals

Some web browsers transmit “Do Not Track” (DNT) signals. Our website currently does not respond to DNT signals. However, you can configure your browser settings and use our in-app privacy settings to control tracking.

We do not track users across third-party websites for advertising purposes.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

When we make material changes, we will:

  • Update the “Last Updated” date at the top of this policy
  • Notify you via email (if you have an account)
  • Display a prominent notice in our mobile app and website
  • Provide at least 30 days' notice before material changes take effect

We encourage you to review this Privacy Policy periodically. Your continued use of our Services after the effective date of changes constitutes acceptance of the updated policy.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Finanzo LLC Privacy Team

We will respond to all legitimate inquiries within 30 days.

© 2026 Finanzo LLC. All rights reserved.