Privacy Policy

Last updated: 30 March 2026

1. Introduction

FinChat ("we", "us", "our") is operated by Simdan Labs Ltd, a company registered in England and Wales with its principal place of business in Manchester, England, United Kingdom.

This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use the FinChat mobile application and related services (collectively, the "Service"). We are committed to protecting your privacy and handling your data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable data protection laws.

By using FinChat, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

2. Data Controller

Simdan Labs Ltd is the data controller responsible for your personal data. If you have any questions about this Privacy Policy or our data practices, you can contact us at:

3. Information We Collect

3.1 Account Information

When you create an account, we collect:

  • Email address
  • First and last name
  • Profile picture (if provided)

Account authentication is managed through our third-party authentication provider, Clerk. You may also sign in using Apple Sign-In, in which case we receive the information you authorise Apple to share.

3.2 Financial Data

When you connect your bank accounts through Open Banking, we collect and process the following data via our authorised Open Banking provider, TrueLayer:

  • Bank account details (account name, type, masked account number, sort code)
  • Account balances
  • Transaction history (amounts, dates, merchant names, categories)
  • Direct debits and standing orders
  • Recurring payment information

Important: We never have access to your online banking login credentials. All bank connections are established through secure Open Banking (PSD2) protocols, where you authenticate directly with your bank. Your sort codes and sensitive account identifiers are encrypted at rest with AES-256-GCM.

3.3 AI Chat and Interaction Data

When you use our AI-powered chat feature, we collect:

  • Messages you send to the AI assistant
  • AI-generated responses and insights
  • Chat session metadata (timestamps, message counts)
  • Financial preferences, goals, and rules you share during conversations (stored as "memories" to personalise your experience)

3.4 Device and Technical Data

We automatically collect:

  • Device platform (iOS or Android)
  • App version
  • Push notification tokens (with your consent, for delivering notifications)
  • Error and crash reports (via Sentry, if enabled)

3.5 Subscription and Payment Data

If you subscribe to a paid plan, payment processing is handled entirely by Apple (App Store), Google (Play Store), and our subscription management provider, RevenueCat. We receive:

  • Subscription tier and status
  • Subscription expiry dates
  • Anonymous transaction identifiers

We do not collect, store, or have access to your credit card numbers, bank card details, or other payment instrument information.

4. How We Use Your Data

We use your personal data for the following purposes:

4.1 Providing the Service

  • Displaying your bank accounts, balances, and transaction history
  • Generating spending insights, trend analysis, and category breakdowns
  • Detecting and tracking recurring payments and subscriptions
  • Powering the AI chat assistant with relevant financial context
  • Tracking financial goals you set within the app
  • Sending push notifications (budgets, insights, reminders)

4.2 Personalisation

  • Remembering your preferences and financial goals to improve AI responses
  • Tailoring insights and suggestions based on your spending patterns

4.3 Service Improvement

  • Diagnosing technical issues and fixing bugs
  • Understanding how users interact with the Service
  • Improving the accuracy of AI-generated insights

4.4 Legal Compliance

  • Complying with applicable laws, regulations, and legal processes
  • Enforcing our Terms and Conditions

5. Legal Basis for Processing

Under the UK GDPR, we rely on the following legal bases to process your personal data:

  • Contract: Processing necessary to provide the Service you have signed up for (Article 6(1)(b))
  • Consent: Where you have given explicit consent, such as connecting bank accounts via Open Banking, enabling push notifications, or opting in to biometric authentication (Article 6(1)(a))
  • Legitimate interests: Improving our Service, diagnosing issues, and preventing fraud, where these interests are not overridden by your rights (Article 6(1)(f))
  • Legal obligation: Where we are required to process data to comply with the law (Article 6(1)(c))

6. How We Share Your Data

We do not sell your personal data. We share data only with the following categories of third parties, and only to the extent necessary to provide and improve the Service:

6.1 Service Providers

  • TrueLayer: Open Banking data aggregation (retrieves your bank data with your consent)
  • Anthropic: AI language model provider (processes chat messages and financial context to generate insights and responses)
  • Clerk: Authentication and identity management
  • RevenueCat: Subscription and in-app purchase management
  • Neon: Cloud database hosting (stores encrypted data)
  • Upstash: Redis caching and background job processing
  • Firebase / Apple Push Notification Service: Push notification delivery
  • Sentry: Error monitoring and crash reporting (if enabled)

6.2 AI Processing Disclosure

When you use the AI chat feature, relevant financial data (such as transaction summaries, spending patterns, and account balances) is sent to our AI provider (Anthropic) to generate personalised responses and insights. This data is transmitted securely and is processed in accordance with Anthropic's data processing terms. We do not use your data to train third-party AI models.

6.3 Legal Requirements

We may disclose your data if required by law, regulation, legal process, or government request, or to protect the rights, property, or safety of Simdan Labs Ltd, our users, or the public.

7. Data Security

We take the security of your data seriously and implement appropriate technical and organisational measures, including:

  • Encryption at rest: Sensitive financial data (bank access tokens, sort codes, transaction descriptions) is encrypted using AES-256-GCM before storage
  • Encryption in transit: All data transmitted between the app, our servers, and third-party services uses TLS encryption
  • Local device encryption: On-device data is stored using encrypted SQLite (SQLCipher) and platform secure storage
  • Biometric protection: Optional Face ID / fingerprint authentication to access the app
  • Access controls: Strict access controls and authentication for all backend systems
  • No credential storage: We never store your banking login credentials

8. Data Retention

We retain your personal data for as long as:

  • Your account is active and you continue to use the Service
  • It is necessary to provide you with the Service and fulfil our contractual obligations
  • We are required to retain it by law or regulation

Bank connection data is retained until you disconnect the bank account or your Open Banking consent expires (typically 90 days, after which re-authorisation is required). Chat history and AI memories are retained until you delete them or close your account.

When you delete your account, all personal data associated with your account is permanently deleted, including bank connections, accounts, transactions, insights, chat history, goals, and preferences. This deletion is irreversible.

9. Your Rights

Under the UK GDPR, you have the following rights regarding your personal data:

  • Right of access: Request a copy of the personal data we hold about you
  • Right to rectification: Request correction of inaccurate or incomplete data
  • Right to erasure: Request deletion of your personal data (available directly in the app under Settings)
  • Right to data portability: Export your data in a structured, machine-readable format (available in the app in JSON, CSV, or PDF format depending on your subscription tier)
  • Right to restrict processing: Request that we limit how we use your data
  • Right to object: Object to processing based on legitimate interests
  • Right to withdraw consent: Withdraw consent at any time where processing is based on consent (e.g., disconnecting bank accounts, disabling notifications)

To exercise any of these rights, contact us at hello@usefinchat.app. You can also exercise your right to erasure and data portability directly within the app under Settings. We will respond to your request within 30 days.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

10. Open Banking and Consent

When you connect a bank account, you are redirected to your bank's secure website or app to authorise data sharing. This process is governed by the Payment Services Regulations 2017 (PSD2) and uses Strong Customer Authentication (SCA).

Key points about Open Banking data access:

  • You choose which accounts to share and can revoke access at any time
  • Consent typically expires after 90 days, after which you will be asked to re-authorise
  • We access your data in read-only mode — we cannot make payments or move money from your accounts
  • You can disconnect any bank account at any time from the Settings screen

11. Biometric Data

If you enable app lock, FinChat uses your device's biometric capabilities (Face ID or fingerprint) to authenticate you. Biometric data is processed entirely on your device by the operating system. We never receive, transmit, or store your biometric data.

12. Push Notifications

With your consent, we send push notifications about spending insights, budget alerts, and other relevant updates. We store your device token to deliver these notifications. You can disable notifications at any time through your device settings or the app. When you log out, your device token is removed from our systems.

13. Children's Privacy

FinChat is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly.

14. International Data Transfers

Some of our service providers operate outside of the United Kingdom. Where personal data is transferred internationally, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the ICO
  • Transfers to countries with adequate data protection laws as recognised by the UK government
  • Binding corporate rules or other approved transfer mechanisms

15. Cookies

The FinChat mobile app does not use cookies. Our website (usefinchat.app) may use essential cookies for site functionality. We do not use advertising or tracking cookies.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you through the app or by email before the changes take effect. Your continued use of the Service after the updated policy takes effect constitutes acceptance of the changes.

17. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us: