Privacy Policy

This page is generated from PRIVACY_POLICY.md at the project root.

# Fincord Privacy Policy

Last updated: March 6, 2026

Effective date: March 6, 2026

This Privacy Policy explains how Fincord ("Fincord", "we", "us", or "our") collects, uses, stores, and discloses information when you use our website and services.

## 1. Who We Are

Fincord provides software that helps users sync authorized financial data to Notion destinations they configure.

Contact for privacy and security matters: **security@fincord.io**

## 2. Information We Collect

We collect only the information required to provide and secure the service.

### A. Account and authentication information

- Account identifiers and email address
- Authentication provider metadata (for example, Google account linkage data)
- Session data and login security metadata (such as timestamps, IP, and user agent)

### B. Plaid connection information

- Plaid Item and account identifiers
- Institution metadata (for example, institution name and ID, and logo where available)
- Plaid access token in encrypted form

### C. Notion connection information

- Notion workspace and integration identifiers
- Notion OAuth access and refresh tokens in encrypted form
- Selected parent pages, data sources, and mapping configuration

### D. Sync and operational information

- Destination setup and mapping configuration
- Sync status, counters, cursors/checkpoints, and errors
- Webhook processing records and audit logs

We do not intentionally collect more data than is needed for sync operations, reliability, and security.

## 3. How We Collect Information

We collect information:

- Directly from you during signup and setup
- From services you authorize us to connect (for example, Plaid and Notion)
- From authentication providers you choose
- Automatically through service logs and security telemetry

## 4. How We Use Information

We use information to:

- Authenticate users and secure accounts
- Connect financial data sources and sync data to Notion destinations
- Operate, maintain, and improve the service
- Detect abuse, investigate incidents, and enforce our terms
- Provide support and communicate service updates
- Comply with legal obligations

## 5. Legal Bases (Where Applicable)

Where required by law, we process personal information under one or more of the following legal bases:

- Contractual necessity (providing the requested service)
- Legitimate interests (security, reliability, fraud prevention, and product operations)
- Consent (where required)
- Legal obligation

## 6. How We Share Information

We may share information with:

- Infrastructure and operational service providers that help us run Fincord
- Integration platforms you connect, such as Plaid and Notion
- Authentication providers you choose, such as Google
- Professional advisors (for legal, compliance, and accounting needs)
- Government or law enforcement authorities when legally required
- A successor entity in connection with a merger, acquisition, or asset transfer

We do **not** sell personal information for money.

## 7. Third-Party Services

When you use third-party integrations, those providers process data under their own terms and privacy policies:

- Plaid: [https://plaid.com/legal/](https://plaid.com/legal/)
- Notion: [https://www.notion.com/trust/privacy-policy](https://www.notion.com/trust/privacy-policy)
- Google: [https://policies.google.com/privacy](https://policies.google.com/privacy)

## 8. Data Retention

We retain information only for as long as needed for service delivery, security, troubleshooting, compliance, and legal obligations.

Current operational defaults:

- Webhook logs: up to 30 days
- Sync logs: up to 180 days
- Connection and mapping data: retained while the connection or destination is active
- Encrypted Plaid/Notion tokens: retained while related connections are active, then deleted on disconnect

Backups may retain deleted data for a limited backup lifecycle period.

## 9. Security

We use reasonable technical and organizational safeguards, including:

- Encryption in transit using TLS
- Encryption at rest for sensitive credentials/tokens
- Access controls and least-privilege access practices
- Audit logging and monitoring for critical operations

No system is perfectly secure, and we cannot guarantee absolute security.

## 10. Your Rights

Depending on your location, you may have rights to:

- Access personal information we hold about you
- Correct inaccurate data
- Request deletion of personal data
- Restrict or object to certain processing
- Request data portability
- Withdraw consent where processing relies on consent

To make a request, contact **security@fincord.io**. We may request verification before fulfilling privacy requests.

## 11. International Processing

Your information may be processed in jurisdictions outside your country. Where required, we apply appropriate safeguards for cross-border data transfers.

## 12. Children's Privacy

Fincord is not directed to children under 13 (or higher minimum age where required by local law). We do not knowingly collect personal information from children.

## 13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will update the "Last updated" date and provide additional notice when required.

## 14. Contact

For privacy and security requests, contact: **security@fincord.io**