Legal / Finorly
Privacy Policy
Last updated: June 10, 2026
Finorly is an invoice creation app for freelancers and small businesses. This policy explains plainly what data we collect, why we collect it, who we share it with, and what rights you have.
Information We Collect
We gather the following data to operate our service:
- Email address — for account authentication and essential communications.
- Business name and details — the information that appears on invoices you create, including your business logo image if you add one (from your camera or photo library).
- Client information — names, email addresses, and addresses you save so you can reuse them on invoices.
- Invoice data — line items, amounts, dates, currencies, and notes.
- Voice recordings — processed but not retained; audio is sent to OpenAI Whisper for transcription, then discarded.
- AI text prompts — sent to the OpenAI API but not persisted after the request completes.
- Purchase history and subscription status — processed through Apple and RevenueCat (for in-app purchases) or Stripe (for web billing) so we can unlock the features you've paid for.
- Crash and diagnostic data — anonymous crash reports, device model, and OS version, collected through Sentry so we can find and fix bugs. Our crash reporting is configured to exclude personal information.
We do not build advertising profiles, track your behaviour across other sites, or sell any of your data.
How We Use Your Information
- Provide, maintain, and improve Finorly services.
- Generate invoice drafts from voice and text commands using AI.
- Process subscription payments through Apple or Stripe.
- Send essential service communications.
- Respond to support requests.
- Diagnose crashes and fix bugs.
- Protect against fraud, abuse, and unauthorized access.
- Meet legal, tax, and compliance obligations.
AI Features and Voice Processing
Voice-to-invoice functionality sends audio directly to OpenAI's Whisper API (US-based) for transcription. We receive the transcribed text; the audio is immediately discarded.
Text-to-invoice commands are sent to the OpenAI GPT API, which returns structured invoice data. Finorly does not store your raw prompt text after the request completes.
AI-generated drafts are stored in your account as business records but are not used for any other purpose. Your voice recordings and prompts are not used to train AI models.
Subscriptions and Purchases
In-app subscriptions on iOS are processed by Apple. We use RevenueCat, a subscription management service, to validate purchases and keep track of your subscription status across devices. RevenueCat receives a pseudonymous user identifier and your purchase history — never your payment card details, which stay with Apple.
Web subscriptions are billed through Stripe, which handles your payment details in PCI-compliant systems. Finorly never sees or stores your card number.
Subprocessors and Data Transfers
Third-party services that handle data on our behalf:
- Supabase — database and authentication, hosted in West EU (Ireland), under a Data Processing Agreement.
- OpenAI — AI text processing and voice transcription under API data processing terms; transfers covered by Standard Contractual Clauses.
- Apple — in-app purchase processing and Sign in with Apple; we receive only a user identifier (and email, if you choose to share it when signing in).
- RevenueCat — subscription validation and entitlement management (US-based); receives a pseudonymous user identifier, purchase history, and basic device information; transfers covered by Standard Contractual Clauses.
- Stripe — subscription billing with PCI-compliant systems and Standard Contractual Clauses for EU–US transfers.
- Google — Sign in with Google authentication; we receive only your email and a user identifier.
- Sentry — crash and error reporting (US-based); receives crash traces, device model, and OS version; configured not to send personal information; transfers covered by Standard Contractual Clauses.
We do not use any advertising networks, analytics trackers, or other data brokers.
Currency conversion. If you use multi-currency invoices, the app fetches public exchange rates from an exchange-rate service. Only a standard network request is made — none of your invoice or personal data is sent.
Printing. If you print invoices, the app discovers printers on your local network. This happens entirely on your device and local network; no printing data is sent to us or any third party.
Data Retention
- Account data is retained until you delete your account. In-app deletion is available in Settings; a short grace period applies during which you can cancel the deletion, after which removal is permanent.
- Invoice, client, and service data are retained until you delete them or your account.
- Voice audio is not retained; it is discarded immediately after transcription.
- AI text prompts are not stored beyond the duration of the API request.
- After account deletion completes, personal data is deleted within 30 days, except where retention is legally required (for example, tax records of payments).
Data Security
- Encryption in transit (TLS) for all data transmission.
- Access controls and authentication on sensitive systems.
- Security review and operational monitoring practices.
- Backups and recovery procedures for resilience.
No method of transmission or storage is 100% secure, but we take reasonable technical and organizational measures to protect your data.
For EU / EEA Residents (GDPR)
Finorly acts as data controller and complies with GDPR. Legal bases for processing include:
- Contract performance — account, invoice, client, and payment data.
- Legitimate interest — security monitoring, fraud prevention, and crash diagnostics.
- Legal obligation — record retention.
- Consent — non-essential cookies and optional analytics.
The primary database is hosted in West EU (Ireland) via Supabase. OpenAI, RevenueCat, and Sentry process data in the US under Standard Contractual Clauses.
Your Rights
- Right of access to personal data held about you.
- Right to rectification of inaccurate or incomplete data.
- Right to erasure through in-app deletion or email request.
- Right to restriction and objection in applicable cases.
- Right to data portability in portable format.
- Right to withdraw consent for consent-based processing.
- Right to lodge complaints with supervisory authorities.
To exercise these rights, contact privacy@finorly.com. We aim to respond within 30 days.
California Residents (CCPA)
We do not sell your personal information. We do not share it for cross-context behavioural advertising.
California residents have the right to:
- Know what personal information is collected, used, and disclosed.
- Request deletion of personal information.
- Correct inaccurate personal information.
- Not be discriminated against for exercising privacy rights.
Email privacy@finorly.com to exercise these rights.
Children's Privacy
Finorly is not directed at children under 13 (or 16 in the EU/EEA). We do not knowingly collect data from minors. Contact privacy@finorly.com if you believe we have inadvertently collected such data.
Cookies
Essential cookies operate without consent. Non-essential analytics and marketing cookies require consent. You can manage preferences via or review the Cookie Policy. The mobile app itself does not use cookies.
Changes to This Policy
Material changes are communicated by email or in-app before taking effect. The "Last updated" date reflects the most recent revision.
Contact
Questions about this policy can be directed to privacy@finorly.com. We're happy to explain anything in plain language.