Privacy Policy

Last updated: June 1, 2026 · FinBuro Tech

This Privacy Policy explains how FinBuro Tech ("we", "us", "our") collects, uses, stores and protects your personal data when you use our financial management platform at finburo.com ("Service").

We are committed to protecting your data. We collect only what is necessary to provide the Service, never sell your data to third parties, and comply with the General Data Protection Regulation (GDPR).

1. Who We Are

FinBuro Tech is operated by an individual entrepreneur registered in Georgia under Tax Code Article 89 (Small Business status, NACE 82990). Our server infrastructure is hosted in the European Union (Hetzner, Germany/Finland).

Contact: privacy@finburo.com

2. What Data We Collect

Account data: name, email address, password (stored as PBKDF2 hash — never in plain text), company name, selected plan.

Financial data you enter: transactions, accounts, articles, employees, payroll, budgets and other data you input into the Service. This data belongs to you.

Usage data: login timestamps, IP address (for security), browser type. We do not track behaviour beyond what is necessary for security and service functionality.

Bank API credentials (optional): if you connect a bank account via API, your API keys are stored encrypted using AES-128 (Fernet) encryption with a key held on our servers. See Section 7 for details.

Cookies: session cookie (required for login), preference cookie (optional). See our Cookie Policy for details.

3. How We Use Your Data

To provide, maintain and improve the Service
To authenticate you and keep your account secure
To send transactional emails (password reset, invitation, plan expiry)
To comply with legal obligations

We do not use your data for advertising, profiling or sale to third parties.

4. Legal Basis for Processing (GDPR)

Contract performance — processing necessary to provide the Service you signed up for
Legitimate interests — security monitoring, fraud prevention, service improvement
Legal obligation — where required by applicable law
Consent — for optional cookies and marketing communications

5. Data Storage and Security

Your data is stored in PostgreSQL on servers located in the European Union. We implement the following security measures:

PBKDF2 password hashing (260,000 iterations)
HTTPS/TLS encryption for all data in transit
AES-128 (Fernet) encryption for bank API credentials
Role-based access control (8 permission levels)
Rate limiting and brute-force protection
Audit log for all sensitive operations
Session invalidation on role change or logout

6. Data Retention

We retain your data for as long as your account is active. After account deletion:

Personal data is deleted within 30 days
Audit logs are retained for 2 years (legal obligation)
Backups are purged within 90 days

7. Bank API Credentials

If you choose to connect a bank account via API (Revolut, Stripe, Wise, TBC or other), you are solely responsible for the API keys you provide. We store them encrypted, but you acknowledge that connecting third-party services carries inherent risk. We recommend using read-only API keys where your bank allows it. You can delete your bank connections at any time from Settings.

8. Your Rights (GDPR)

You have the following rights regarding your personal data:

Access — request a copy of all data we hold about you (GET /gdpr/export)
Erasure — request deletion of your account and all associated data (DELETE /gdpr/erase)
Portability — export your data in machine-readable format
Rectification — correct inaccurate personal data
Restriction — limit processing in certain circumstances
Objection — object to processing based on legitimate interests

To exercise your rights, contact us at privacy@finburo.com. We will respond within 30 days.

9. Third-Party Services

Stripe — payment processing. Stripe's privacy policy applies to payment data.
Hetzner — server hosting (EU). Data processing agreement in place.
Frankfurter / ECB — exchange rate data (no personal data shared).
Bank APIs — only if you explicitly connect them.

We do not use Google Analytics, Facebook Pixel or any advertising trackers.

10. International Transfers

Your data is stored and processed within the European Union. We do not transfer personal data outside the EU/EEA without appropriate safeguards.

11. Children

The Service is not directed at children under 16. We do not knowingly collect data from children.

12. Changes to This Policy

We may update this policy from time to time. We will notify you by email and update the "Last updated" date above. Continued use of the Service after changes constitutes acceptance.

13. Contact

For privacy-related questions or to exercise your rights:

📧 privacy@finburo.com
📍 FinBuro Tech, Georgia