TheFintraco ("we", "us", "our") is committed to protecting your personal information in accordance with the
Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
This policy explains what data we collect, how we use it, and your rights as a user.
1. What Data We Collect
- Account information: Your full name and email address, collected at registration.
- Transaction metadata: Transaction date, amount, merchant name, and category — uploaded by you via CSV or manual entry.
- Receipt images: Photos or scans of receipts you upload for OCR processing.
- Usage data: Pages visited, features used, and session timestamps, for service improvement.
- Payment information: Subscription billing is handled by Stripe; we never collect or store credit card numbers ourselves.
2. What We Do NOT Collect
- Credit card or debit card numbers (full card numbers are never stored).
- Bank account numbers (if you use bank sync, at most the masked last four digits of an account number are stored).
- Passwords stored in plaintext — all passwords are hashed using bcrypt before storage.
- Government identifiers such as Tax File Numbers (TFN) or Medicare numbers.
3. How We Store and Protect Your Data
- Encryption at rest: All stored data is encrypted with AES-256 on AWS (Amazon Web Services) in the ap-southeast-2 (Sydney) region.
- Encryption in transit: All communications between your browser and our servers use TLS 1.2 or higher.
- Access controls: Access to production data is restricted to authorised personnel only, using least-privilege principles.
- Two-Factor Authentication: We offer TOTP-based 2FA for your account to add an extra layer of security.
4. Data Retention
- Receipts and transactions are retained for as long as your account is active.
- Upon account closure, your data will be permanently deleted within 90 days.
- You may request deletion of your data at any time by contacting us (see Section 8).
5. Third Parties
We use the following third-party services to operate TheFintraco:
- Stripe: Payment processing for subscriptions. Stripe is PCI-DSS compliant. Their privacy policy applies to payment data. We never see your full card details.
- Basiq: Bank data connectivity (planned future feature). If/when implemented, Basiq operates under the Consumer Data Right (CDR) framework. We will only store masked account identifiers — not full account numbers or banking passwords.
- Google Gemini AI: Used to generate market insights (electricity, mobile, internet, credit card comparisons). No personally identifiable information (PII) is sent to Gemini. Only general market queries are made.
- AWS: Cloud infrastructure hosting, located in Sydney (ap-southeast-2).
We do not sell your personal information to any third party.
6. Your Rights
Under the Australian Privacy Act and this policy, you have the right to:
- Access the personal information we hold about you.
- Correct inaccurate or out-of-date personal information.
- Request deletion of your account and associated data.
- Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you believe we have mishandled your data.
To exercise any of these rights, contact us at support@fintrack.com.au.
7. Not Financial Advice
TheFintraco is a financial management tool, not a licensed financial adviser. We do not hold an Australian Financial Services Licence (AFSL).
All insights, recommendations and estimates provided by TheFintraco are for informational purposes only and do not constitute financial advice.
Always consult a qualified financial advisor or accountant before making financial decisions.
8. Contact Us
For privacy-related enquiries, requests, or complaints, please contact:
TheFintraco Support
Email: support@fintrack.com.au
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any significant changes by email or by a notice on our website.
Continued use of TheFintraco after changes constitutes acceptance of the updated policy.
© 2026 TheFintraco. All rights reserved.