Privacy Policy

Information We Collect

We collect only what is needed to provide the service:

• Email address — used for account authentication and essential service communications.
• Business name and details — information you enter that appears on the invoices you create.
• Client information — names, email addresses, and addresses you add for your own clients. This is your data; we store it so you can reuse it across invoices.
• Invoice data — line items, amounts, dates, and notes on the invoices you create. These are your business records, stored for your benefit.
• Voice recordings (processed, not stored) — when you use the voice-to-invoice feature, audio is sent to OpenAI Whisper for transcription. Finorly does not store the audio file. It is discarded immediately after transcription.
• AI text prompts (processed, not stored beyond the request) — when you type a command to create an invoice with AI, that text is sent to the OpenAI API. Finorly does not persist your raw prompt text after the request completes.
• A user identifier — passed to Apple (for iOS in-app purchases) and Stripe (for subscription billing on non-iOS platforms) solely to process payments.

We do not build advertising profiles, track your behaviour across other sites, or sell any of your data.

How We Use Your Information

• Provide, maintain, and improve Finorly services.
• Generate invoice drafts from your voice and text commands using AI.
• Process subscription payments through Apple or Stripe.
• Send essential service communications such as account or billing notices.
• Respond to support requests and product questions.
• Protect against fraud, abuse, and unauthorized access.
• Meet legal, tax, and compliance obligations.

AI Features and Voice Processing

Finorly uses AI to help you create invoices faster. Here is exactly how it works and what happens to your data:

• Voice-to-invoice: When you record a voice command, the audio is sent directly to OpenAI's Whisper API (US-based) for transcription. Finorly receives the text transcript and discards the audio immediately — we never write the audio file to our database. OpenAI's API terms prohibit using API inputs to train their models, so your voice recordings are not used for AI training.
• Text-to-invoice: When you type a command such as "invoice John for 5 hours of design work at $80/hr", that text is sent to the OpenAI GPT API. OpenAI returns structured invoice data, which Finorly uses to pre-fill your invoice. Finorly does not store your raw prompt text after the request completes. Again, OpenAI's API terms prohibit using API inputs for model training.
• AI-generated invoice drafts: The AI creates a draft invoice for you to review and edit before you send it to your client. The content of that invoice is stored in your account as your own business record — it is not used by Finorly for any other purpose.

Subprocessors and Data Transfers

We use the following third-party services to operate Finorly. We name each one so you know exactly where your data goes.

• Supabase — database and authentication hosting. Servers located in West EU (Ireland). A Data Processing Agreement is in place with Supabase. Your account, invoice, client, and service data is stored here.
• OpenAI — AI text processing (GPT API) and voice transcription (Whisper API). US-based. Data is sent under OpenAI's API data processing terms. OpenAI's API policy prohibits using API inputs to train models. Audio is not retained by OpenAI after transcription. Transfers from the EU to the US are covered by Standard Contractual Clauses.
• Apple — in-app purchase processing on iOS. Only a user identifier is passed. Apple's own privacy policy governs payment data collected by Apple.
• Stripe — subscription billing on non-iOS platforms. Stripe processes payment card data under their own PCI-compliant systems. EU–US data transfers are safeguarded by Standard Contractual Clauses.
• Google — Sign in with Google authentication option. If you choose to sign in with Google, your authentication is governed by Google's privacy policy. Finorly only receives the email address and user identifier returned by Google.

We do not use any advertising networks, analytics trackers, or other data brokers.

Data Retention

We keep different types of data for different lengths of time:

• Account data (email, business details): Retained until you delete your account. In-app account deletion is available in Settings.
• Invoice, client, and service data: Retained in your account until you delete it or delete your account.
• Voice audio: Not retained at all. Discarded immediately after transcription.
• AI text prompts: Not stored beyond the duration of the API request.
• After account deletion: All personal data is deleted within 30 days, except where we are required by law to retain certain records (for example, financial records for tax compliance).

Data Security

• Encryption in transit (TLS) for all data transmission.
• Access controls and authentication on sensitive systems.
• Security review and operational monitoring practices.
• Backups and recovery procedures designed for resilience.

For EU / EEA Residents (GDPR)

Finorly is the data controller for personal data processed through the app. We comply with the General Data Protection Regulation (GDPR). Here are the legal bases we rely on for each processing activity:

• Contract performance — processing your account information, invoice data, client data, and payment identifiers is necessary to provide the Finorly service you have signed up for.
• Legitimate interest — we process data for security monitoring, fraud prevention, and service reliability. Our interest in keeping the platform secure does not override your rights.
• Legal obligation — we may retain certain records to comply with applicable laws and regulations.
• Consent — for any non-essential cookies or optional analytics, where we ask for your consent and you can withdraw it at any time via cookie preferences.

Your primary database is hosted in West EU (Ireland) via Supabase. AI processing by OpenAI occurs in the US and is covered by Standard Contractual Clauses.

Your Rights

• Right of access — you can request a copy of the personal data we hold about you.
• Right to rectification — you can correct inaccurate or incomplete data at any time within the app.
• Right to erasure — you can delete your account and data in-app, or request deletion by email.
• Right to restriction and objection — in applicable cases, you can restrict or object to processing.
• Right to data portability — for data you have provided to us, you can request it in a portable format.
• Right to withdraw consent — for any consent-based processing, you can withdraw consent at any time.
• Right to lodge a complaint with a supervisory authority in your country.

To exercise these rights, contact privacy@finorly.com. We aim to respond within 30 days.

California Residents (CCPA)

We do not sell your personal information. We do not share it for cross-context behavioural advertising.

California residents have rights under the California Consumer Privacy Act (CCPA), including:

• The right to know what personal information we collect, use, and disclose about you.
• The right to request deletion of your personal information.
• The right to correct inaccurate personal information.
• The right not to be discriminated against for exercising your privacy rights.

To exercise any of these rights, email privacy@finorly.com.

Children's Privacy

Finorly is a business tool for freelancers and small businesses. It is not directed at children under the age of 13 (or 16 in the EU/EEA). We do not knowingly collect personal information from minors. If you believe we have inadvertently collected data from a child, please contact privacy@finorly.com and we will delete it promptly.

Cookies

We use essential cookies for platform operation and ask for consent before setting non-essential analytics or marketing cookies. You can manage preferences at any time with Manage Cookie Preferences or review the Cookie Policy.

Changes to This Policy

If we make material changes to this policy, we will notify you by email or through the app before the changes take effect. The "Last updated" date at the top of this page always reflects when the policy was last revised.

Contact

Questions or concerns about this policy can be sent to privacy@finorly.com. We are happy to explain anything in plain language.