The plain-language version
- We collect only what we need: email, your intake answers, your module inputs, your timeline notes. We do not connect to your brokerage or bank accounts.
- We do not sell your personal information. We do not use it to train third-party large-language models without your separate, opt-in consent.
- You can access, correct, export, or delete your data at any time. Write to privacy@finmagix.com from the email on your account.
- All data encrypted in transit (TLS 1.2+) and at rest. Audit logging of internal access. Documented incident-response process.
- Subprocessors: Supabase (database), Stripe (payments), Vercel (hosting), Anthropic (guide-bot AI), plus an email provider. Each operates under a contract that requires appropriate security and confidentiality.
- Incident notification: if a security incident creates meaningful risk to you, we will notify you without undue delay (in addition to regulators where required).
1. Our approach
You are trusting Finmagix with information about your money and your life. We take that seriously. This Policy explains, in plain language, what we collect, why we collect it, how we use it, who we share it with, how we protect it, and the choices you have. If anything here is unclear, write to us at privacy@finmagix.com.
2. Who this policy applies to
This Policy applies to information collected through the Finmagix website at finmagix.com (and any subdomains), our applications, and our related services. It does not apply to third-party websites or services we link to. The Service is a U.S.-only beta and is offered only to U.S. residents who are 18 years or older.
3. What we collect
We collect only what we need to provide the Service. The categories below describe what that is.
3.1 Information you give us
- Account information: email address, password (stored hashed), display name if you provide one.
- Intake information: short, conversational answers about your situation — for example, age band, income band, household structure, financial concerns, scenario-based risk-tolerance responses, and goals. We collect ranges and categories where exact figures are not needed.
- Module inputs: the information you provide when you run a module (e.g., savings rates, debt balances, contribution amounts). You decide what to enter.
- Timeline notes: optional free-text notes you add to your timeline.
- Support and bot conversations: messages you send to our support team and to the guide bot.
- Payment information: name, billing address, and the last four digits of your payment card or other minimal payment details. Full payment card data is collected and processed by Stripe, not stored by us.
- Communications: emails you send us, survey responses, and feedback.
3.2 Information we collect automatically
- Activity data: which pages you visit, which modules you run, which paths you expand within an analysis, and how you move through the Service. This is the basis of your timeline and our audit trail.
- Device and connection data: IP address, browser type, operating system, language preference, time zone, approximate location derived from IP, and similar technical metadata necessary to deliver and secure the Service.
- Cookies and similar technologies: a small number of essential cookies needed for sign-in, security, and basic preferences. See Section 11.
3.3 Information we do not collect
- We do not connect to your brokerage, retirement-plan, or insurance accounts and do not collect account-level holdings, positions, or balances from third-party financial institutions.
- We do not collect Social Security numbers or other government-issued identification numbers.
- We do not collect biometric data.
- We do not collect precise location data.
4. Why we collect it (purposes of processing)
We use your information for the following purposes:
- To provide the Service — sign you in, run modules with your inputs, produce educational analyses, surface module suggestions, and operate the guide bot.
- To keep your timeline and audit trail — an automatically maintained record of your activity, used to give you a clear history of your thinking and to support the integrity of the Service.
- To process payments and manage subscriptions — including through Stripe.
- To communicate with you — including the monthly "what we noticed" content email (which combines a brief observation about your activity with general financial-regulation updates), occasional behavior-triggered messages about your subscription, and transactional messages (account confirmation, trial-ending, billing receipts).
- To protect the Service — detecting and preventing abuse, fraud, security incidents, and violations of our Terms.
- To improve the Service — aggregate analytics, debugging, and product research, in ways consistent with this Policy.
- To comply with legal obligations and to defend our legal rights.
5. The audit trail
The Service automatically maintains an audit trail. The audit trail is an immutable record of: profile changes, module runs, the engine version used to produce each analysis, the inputs that were considered, assumptions that were applied, alternatives that were surfaced, and certain user actions within the Service. The audit trail is part of how we hold ourselves to the compliance frameworks the Service is built against, and it is what makes it possible to reproduce a past analysis if you (or, with your consent, a professional you choose to share it with) ever needs to revisit it. The audit trail is not used to market to you, and we do not sell it.
6. How we share information
We share information only as described below.
6.1 Service providers (subprocessors)
We use a small set of third-party service providers to operate the Service. Each one processes information only as needed to perform its function, under a contract that obligates it to maintain appropriate security and confidentiality.
| Provider | Purpose | Information shared |
|---|---|---|
| Supabase | Database and authentication | Account information, intake responses, module inputs and outputs, timeline entries, audit-trail records. |
| Vercel | Hosting and content delivery | Connection metadata; transient information necessary to serve pages and APIs. |
| Stripe | Payment processing | Name, billing address, payment card or other payment details, subscription state. Stripe stores and processes full card data; we do not. |
| Anthropic | AI services that power the guide bot and certain support features | The contents of conversations with the guide bot and related context. Conversations are sent under Anthropic’s applicable terms; we do not use them to train third-party models without your separate consent. |
| Email provider | Transactional and content email delivery | Email address, name where provided, and the contents of emails we send you. |
We will keep an up-to-date list of subprocessors in this Policy. If we add a subprocessor that materially affects the processing of your information, we will update this Policy and, where appropriate, notify you in advance.
6.2 Other situations in which we may share information
- With your consent or at your direction — for example, if you choose to export your timeline or share an analysis with someone else.
- To comply with law — including in response to lawful requests by public authorities, court orders, or subpoenas, where required. We will challenge requests we believe are overbroad or unlawful.
- To protect rights and safety — to enforce our Terms, investigate fraud, or protect the rights, property, or safety of Finmagix, our users, or others.
- In a business transaction — if we are involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will require any acquirer to honor this Policy or provide notice to you of any material changes.
6.3 What we do not do
- We do not sell your personal information.
- We do not share your personal information with advertisers or data brokers.
- We do not use your personal information to train third-party large-language models without your separate, opt-in consent.
- We do not share your information with the issuer of any financial product, fund, security, or insurance policy in exchange for compensation. We do not receive such compensation.
7. How we protect your information (security)
Security is something we design for, not something we bolt on. Our practices include, at a minimum:
- Encryption in transit: all connections to the Service use TLS 1.2 or higher.
- Encryption at rest: data stored in our primary database is encrypted using industry-standard schemes.
- Role-based access control: internal access to user records is restricted to personnel who need it for a specific operational reason, on a least-privilege basis.
- Audit logging of internal access: when our personnel access user records, that access is logged.
- Authentication: passwords are stored hashed; we support modern authentication flows and follow our service providers’ security guidance.
- Network and application security: standard protections against common web-application vulnerabilities, dependency management, and periodic review.
- Subprocessor due diligence: we work with established, security-mature service providers (see Section 6.1) and rely on their respective compliance posture for the infrastructure layer.
- Data minimization: we collect ranges and categories rather than exact figures wherever exact figures are not needed.
- Documented incident-response process: we have an internal process for identifying, containing, investigating, and responding to security incidents, and for notifying you and applicable authorities when required by law (see Section 14).
- Security review: we conduct periodic security review and remediation of findings on a tracked timeline. We intend to engage third-party security review at an appropriate stage of growth.
No security program is perfect. Even when we follow our practices, a breach could occur. If we determine that your personal information was affected by a security incident in a manner that creates a meaningful risk to you, we will notify you and act as Section 14 describes.
8. How long we keep your information (retention)
We keep your information for as long as your account is active and for a limited period afterward, in order to (a) provide the Service, (b) meet the recordkeeping standards described in our compliance framework, (c) resolve disputes, (d) defend legal claims, and (e) comply with law.
Indicative retention periods:
- Account and intake information: retained while your account is active; deleted within sixty (60) days of account closure unless retention is required by law or to resolve a dispute.
- Module analyses and audit-trail records: retained for at least seven (7) years from the date of creation, to support the recordkeeping and review obligations described in our compliance framework. Specific retention periods will be finalized with counsel before public launch.
- Payment records: retained per Stripe’s practices and as required by applicable tax and financial-records laws.
- Support and bot conversations: retained for up to twenty-four (24) months for quality, abuse-prevention, and compliance-review purposes.
- Backups: deleted on the normal backup-rotation schedule (typically thirty to ninety days after the corresponding primary record is deleted).
9. Your rights and choices
Depending on where you live, you may have rights under state privacy law (for example, the California Consumer Privacy Act / California Privacy Rights Act, or analogous laws in other states). We honor the following rights for all users in our U.S. beta, regardless of state of residence:
- Access — request a copy of the personal information we hold about you.
- Correction — ask us to correct information you believe is inaccurate.
- Deletion — ask us to delete your account and the personal information associated with it, subject to retention obligations described in Section 8.
- Export — request a portable copy of your timeline and module outputs in a common format.
- Communication preferences — opt out of non-transactional emails at any time. Every non-transactional email contains a one-click unsubscribe link.
- Withdraw consent — where we relied on your consent to process information (for example, opt-in to use a feature that requires it), you may withdraw consent at any time. Withdrawal does not affect processing performed before the withdrawal.
To exercise any of these rights, write to privacy@finmagix.com from the email associated with your account. We will respond within forty-five (45) days, or sooner where required by law. We do not discriminate against users for exercising their privacy rights.
10. Communications and email
We send a small number of emails. We do not blend service content with upgrade prompts. Categories:
- Transactional emails (account confirmation, password reset, trial-ending notice, billing receipts, security alerts). These are operational and not unsubscribable.
- Service content: the monthly "what we noticed" email, which combines a brief observation about your activity with a general digest of changes in financial regulations and limits. Unsubscribable in one click.
- Behavior-triggered messages: occasional emails sent when your activity suggests a particular module or feature might be of interest. These are sent at most once per intent signal and are unsubscribable in one click.
We do not send marketing emails to anyone who has not subscribed to the Service. We do not buy email lists. We do not share your email address with marketers.
11. Cookies and similar technologies
The Service uses a small set of essential cookies for sign-in, security, and basic preferences. We do not use third-party advertising cookies, tracking pixels for behavioral advertising, or cross-site trackers. We may use a privacy-friendly analytics tool to understand aggregate usage; if we do, we will name it in this Policy and configure it consistently with our minimization commitments.
12. Children’s privacy
The Service is not directed to children under 18, and we do not knowingly collect information from anyone under 18. If we learn we have collected personal information from a person under 18, we will delete it. If you believe a person under 18 has provided us with information, contact privacy@finmagix.com.
13. International users
The Service is currently offered only to U.S. residents. If you access the Service from outside the United States, please do not submit personal information through the Service. By using the Service, you understand and acknowledge that your information will be stored and processed in the United States and may be subject to U.S. law.
14. Incident response and breach notification
We maintain an internal incident-response process that covers identification, containment, investigation, remediation, and notification. If we determine that a security incident has resulted, or is reasonably likely to have resulted, in unauthorized access to or disclosure of your personal information in a manner that creates a meaningful risk of harm to you, we will:
- Notify you without undue delay, by email and through the Service, with the information you need to understand what happened, what information was affected, and what steps you can take.
- Notify the appropriate regulators and law-enforcement authorities where required by law.
- Continue to investigate and remediate, and update affected users as we learn more.
15. Changes to this Policy
We may update this Policy from time to time. If we make material changes, we will notify you by email or through the Service before the changes take effect. The "Last Updated" date at the top of the Policy reflects the latest revision. Older versions are available on request.
16. Contact
For privacy questions, requests to exercise your rights, or to report a suspected security issue, contact us at privacy@finmagix.com (privacy) or security@finmagix.com (security). Our mailing address is [Finmagix, Inc., address to be confirmed].
If you have a complaint about how we have handled your personal information, please contact us first; we want to address concerns directly. You also have the right to lodge a complaint with the appropriate state regulator where applicable.