Finsyght Privacy Policy

    Effective date: May 29, 2026

    Last updated: May 29, 2026

    Google API Limited Use Disclosure: Finsyght's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We use Google API data only to provide features within Finsyght. We do not use Google API data for advertising, AI model training, or transfer to third parties beyond what is necessary to operate the service.

    1. Who We Are

    Finsyght ("we," "our," or "us") is a software-as-a-service platform that connects your advertising accounts (Google Ads, Google Analytics, Facebook Ads, Instagram Business) and presents unified campaign performance analytics through an AI-powered dashboard. Our registered contact for privacy matters is privacy@finsyght.app.

    2. Information We Collect

    2a. Account Information

    • Name and email address (provided at registration)
    • Company name (optional, provided at registration)
    • Password hash (we store a bcrypt hash, never a plaintext password)

    2b. Google API Data

    When you connect a Google account, we request access to the following scopes and collect only the data listed below:

    Scope | What We Access | Why
    auth/adwords | Campaign names, impressions, clicks, cost, conversions, ROAS, CTR — aggregated account-level and campaign-level metrics only. No individual end-user data is accessed. | To display ad performance in your Finsyght dashboard.
    analytics.readonly | Website sessions, pageviews, bounce rate, goal completions from your GA4 property. | To display website analytics alongside ad performance.

    We do not access: your Google audience data, remarketing lists, individual users' browsing data, Google account credentials, Gmail, Google Drive, or any Google service other than the scopes listed above.

    We perform read-only operations only. Finsyght never creates, modifies, pauses, or deletes your campaigns, ad groups, keywords, budgets, or any other Google Ads resources.

    2c. Meta (Facebook/Instagram) API Data

    When you connect a Meta account, we request:

    • ads_read — Ad spend, impressions, reach, clicks, and campaign performance metrics
    • read_insights — Aggregated campaign and ad set insights
    • instagram_basic — Instagram Business profile information
    • instagram_manage_insights — Post reach, impressions, and engagement metrics

    We access aggregated performance metrics only — never individual user profiles, private messages, or audience demographic data beyond what is aggregated in ad insights.

    2d. OAuth Tokens

    When you authorize Finsyght via OAuth, we receive and store:

    • Access tokens — short-lived tokens used to fetch data. Stored encrypted (AES-256) in our database.
    • Refresh tokens — long-lived tokens used to obtain new access tokens without requiring you to re-authorize. Stored encrypted (AES-256). Used solely to automatically re-fetch your dashboard data in the background.

    You can revoke Finsyght's access at any time from your Google Account Permissions page or from Facebook Business Integrations settings, or by disconnecting the platform from your Finsyght Settings page.

    2e. Usage Data

    • Dashboard interactions (which widgets you view, reports you generate)
    • Browser type, operating system, and IP address (for security logging)
    • Session timestamps

    3. How We Use Your Information

    • To provide the Finsyght service: displaying your connected platform data in dashboards, generating AI insights and reports.
    • To maintain the service: token refresh, error monitoring, security auditing.
    • To communicate with you: service updates, billing notices, and support responses.
    • To improve Finsyght: aggregate, anonymized usage patterns to improve features. We do not use your Google or Meta API data to train AI models or for any purpose other than displaying it in your dashboard.

    We do NOT use your data to: serve you advertisements, build advertising profiles, sell to data brokers, or transfer to any third party for their independent use.

    4. Legal Basis for Processing (GDPR)

    For users in the European Economic Area (EEA) and UK, our legal bases for processing are:

    • Contract performance (Article 6(1)(b)): processing necessary to deliver the Finsyght service you subscribed to.
    • Consent (Article 6(1)(a)): when you authorize Google or Meta OAuth access, you provide explicit consent for us to access and display that data.
    • Legitimate interests (Article 6(1)(f)): security monitoring, fraud prevention, and service improvement — balanced against your rights.
    • Legal obligation (Article 6(1)(c)): where required by applicable law.

    5. Data Retention

    • Ad performance metrics (synced from Google/Meta): retained for 24 months from the sync date, then deleted.
    • Account information: retained for the duration of your subscription plus 30 days after account closure.
    • OAuth tokens: deleted within 48 hours of disconnecting a platform or deleting your account.
    • Security/access logs: retained for 90 days.
    • Billing records: retained for 7 years as required by applicable tax and accounting laws.

    You can request deletion of all your data at any time. See Section 8 (Your Rights) or visit our Data Deletion page.

    6. Data Security

    • All data in transit is protected by TLS 1.2 or higher.
    • OAuth access tokens and refresh tokens are encrypted at rest using AES-256 encryption.
    • Passwords are hashed using bcrypt (cost factor 12+) — we never store plaintext passwords.
    • Database access is restricted by role-based permissions; no credential is stored in application code.
    • We perform regular security reviews of our infrastructure and dependencies.

    To report a security vulnerability, email security@finsyght.app. See our Security page for our responsible disclosure policy.

    7. Data Sharing and Sub-Processors

    We do not sell your data. We share it only with the following sub-processors as necessary to operate Finsyght:

    Sub-processor | Purpose | Location
    Cloud hosting provider | Application and database hosting | United States
    Transactional email provider | Account notifications, password reset emails | United States
    Payment processor (Stripe) | Subscription billing — we do not store card numbers | United States / EU

    We require all sub-processors to maintain data protection standards consistent with this policy and applicable law.

    8. Your Rights

    Depending on your location, you have the following rights regarding your personal data:

    All users

    • Access: request a copy of the personal data we hold about you.
    • Correction: request correction of inaccurate data.
    • Deletion: request deletion of your account and all associated data. We complete deletion requests within 30 days. Visit our Data Deletion page.
    • Disconnect platforms: revoke Google or Meta access from Settings at any time without deleting your account.
    • Opt out of marketing: unsubscribe from any email via the unsubscribe link or email privacy@finsyght.app.

    EEA / UK users (GDPR)

    • Portability: receive your data in a structured, machine-readable format.
    • Restriction: request we restrict processing while a dispute is resolved.
    • Object: object to processing based on legitimate interests.
    • Withdraw consent: where processing is based on consent, withdraw it at any time.
    • Lodge a complaint: with your national data protection authority.

    California residents (CCPA / CPRA)

    • Right to know: categories and specific pieces of personal information we collect.
    • Right to delete: deletion of personal information (subject to legal exceptions).
    • Right to opt out of sale: we do not sell personal information. There is nothing to opt out of.
    • Right to non-discrimination: we will not treat you differently for exercising your rights.
    • Shine the Light: we do not share personal information with third parties for their direct marketing purposes.

    To exercise any right, email privacy@finsyght.app with the subject line "Privacy Request." We respond within 30 days (CCPA: 45 days).

    9. International Data Transfers

    Finsyght is operated from the United States. If you are located in the EEA, UK, or other regions with data protection laws that restrict international transfers, your data may be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission for such transfers, or other lawful transfer mechanisms where SCCs do not apply. By using Finsyght, you understand that your data may be transferred to the US.

    10. Cookies and Tracking

    We use cookies and similar technologies. Key cookies:

    Cookie | Type | Purpose | Duration
    access_token | Essential | Authentication — keeps you logged in | Session
    next-auth.session-token | Essential | Google OAuth session management via NextAuth | 30 days
    finsyght_cookie_consent | Essential | Records your cookie consent choice | 1 year
    finsyght_theme | Functional | Remembers your light/dark theme preference | 1 year

    See our full Cookie Policy for details on managing cookies.

    11. Children's Privacy (COPPA)

    Finsyght is a business analytics tool intended solely for adults operating businesses. We do not knowingly collect personal information from children under 13 (or under 16 in the EEA). If we become aware that a child has provided personal information, we will delete it promptly. If you believe a child has provided us data, contact privacy@finsyght.app.

    12. Data Breach Notification

    In the event of a data breach that affects your personal information, we will notify affected users via email within 72 hours of becoming aware of the breach, to the extent required by applicable law. We will also notify relevant supervisory authorities as required by GDPR Article 33.

    13. Changes to This Policy

    We may update this Privacy Policy from time to time. We will notify you of material changes by email and by posting the updated policy here with a new "Last Updated" date. Continued use of Finsyght after changes take effect constitutes acceptance of the revised policy.

    14. Contact Us

    Privacy requests: privacy@finsyght.app

    Security disclosures: security@finsyght.app

    General / legal: legal@finsyght.app

    Data deletion requests: finsyght.app/data-deletion

    Google data use disclosure: finsyght.app/google-data-use
