Privacy
Privacy Policy
Effective Date: March 22, 2026
Last Updated: July 6, 2026
FinLoom ("we," "us," or "our") respects your privacy. This Privacy Policy explains how we collect, use, store, and protect your information when you use our platform at finloom.io (the "Service").
1. Information We Collect
1.1 Information You Provide
- Account Information: Your name, email address, and password when you create an account.
- Business Profile: Business name and address (required to set up your account), plus phone number, tax ID, logo, and invoice settings you provide.
- Financial Data: Revenue, expenses, invoices, proposals, time entries, inventory items, financial models, budgets, and any other data you enter into the Service.
- Client Data: Names, email addresses, and contact information of your clients that you enter into the Service.
- Documents You Upload for Analysis: Files you upload to AI analysis features, such as the financial statements of a business you are evaluating. These may contain information about third parties; you are responsible for having the right to provide them (see Section 4.5).
1.2 Information Collected Automatically
- Usage Data: Pages visited, features used, actions taken, timestamps, and session duration.
- Device Information: Browser type, operating system, device type, and screen resolution.
- Log Data: IP address, referring URL, and access timestamps for security and debugging purposes.
1.3 Information We Do NOT Collect
- We do not collect payment card numbers, bank account numbers, or Social Security numbers through the Service. Payment processing is handled by our third-party payment processor.
- We do not sell your personal information or financial data to third parties.
- We do not use your financial data for advertising purposes.
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service.
- Process your account registration and authentication.
- Generate financial reports, projections, and exports that you request.
- Send transactional emails (account verification, password resets, billing receipts).
- Respond to your support requests.
- Detect and prevent fraud, abuse, and security incidents.
- Comply with legal obligations.
- Generate scheduled AI analyses and briefings you have enabled, on the schedule you enabled them, as described in Section 4.5.
We do NOT use your information to:
- Sell or rent your data to third parties.
- Display advertisements.
- Train machine learning models on your financial data. Neither we nor our AI provider uses your financial data to train AI models. Some AI-powered features, such as scheduled financial briefings, keep a limited working memory of summarized figures derived from your data so that each run can be compared with prior runs; this working memory is used only to generate your outputs and is never used for model training.
- Contact you for marketing purposes without your consent.
3. How We Store Your Data
3.1 Infrastructure
Your data is stored using Supabase, a hosted database platform built on PostgreSQL. Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Our infrastructure is hosted in the United States.
3.2 Row-Level Security
We implement row-level security (RLS) policies on all database tables. Each user can only access their own data. Team members can access shared organizational data based on their assigned role and product permissions.
3.3 Retention
We retain your data for as long as your account is active. After account deletion, we may retain your data for operational, legal, or compliance purposes. You may request permanent deletion of your data by contacting us at privacy@finloom.io. We will process deletion requests within 30 days.
Data processed by our AI provider for AI-powered features is handled as follows: per-request processing is transient to the request; scheduled AI features retain the limited working memory described in Section 4.5 for as long as the feature is active on your account; and analysis sessions and their output files are processed and retained on the provider's managed infrastructure in accordance with its data-retention practices for its commercial platform. When you disable a scheduled AI feature, request deletion, or close your account, we will delete the associated working memory and stored credential within 30 days.
4. Data Sharing
We share your information only in the following circumstances:
4.1 Service Providers (Sub-Processors)
We use the following third-party service providers ("sub-processors") to operate the Service. Each is contractually obligated to protect your data and may only use it to perform services on our behalf:
- Supabase: Database hosting, authentication, and serverless functions (United States). Handles your account data and financial data, encrypted in transit and at rest.
- Anthropic: AI model provider and managed AI infrastructure for AI-powered features, including features that run on a schedule (such as financial briefings). Processes the portions of your data relevant to a requested or scheduled analysis in order to produce the output. Anthropic does not use your data to train its models. See anthropic.com/policies for details.
- Stripe: Payment processing and subscription billing. Payment card details are collected and stored by Stripe, not by us.
- Resend: Transactional and automated email delivery, including scheduled AI briefings and reports. Handles your email address and the contents of the emails we send you.
- Intuit (QuickBooks): Optional accounting integration, connected only at your direction. Reads the accounting data you authorize us to access from your QuickBooks account.
- Vercel: Web application hosting and delivery. Processes usage and log data incident to serving the application.
- Cloudflare: DNS and content delivery network. Processes network traffic metadata incident to serving the site.
We will update this list when we add or replace a sub-processor that processes your data.
4.2 Legal Requirements
We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
4.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. We will notify you via email or prominent notice on our website before your data is subject to a different privacy policy.
4.4 With Your Consent
We may share your information with third parties when you explicitly direct us to do so (for example, exporting data to your accountant).
4.5 AI Finance Team and Scheduled AI Features
Some FinLoom plans include AI analysis features that run automatically on a recurring schedule (for example, a weekly financial briefing) or on demand (for example, a scenario model or a business valuation estimate). If your plan includes these features:
- What is accessed. These features read the financial data in your FinLoom account (profit and loss data, budgets, forecasts, key performance indicators, margin and revenue analyses, and related model data) through a secure connector. Access is read-only; these features cannot modify, add to, or delete your data in FinLoom.
- Where it is processed. The analysis runs on our AI provider's managed infrastructure in secure, isolated sessions. The data read, the analysis produced, and each session's working files are processed and retained there in accordance with the provider's data-retention practices for its commercial platform. This data is not used to train AI models.
- Working memory. Scheduled features keep a limited working memory between runs so this week's analysis can be compared with prior weeks. It contains summarized figures and notes derived from your data (for example, last period's key figures and open watch items), is stored encrypted with our AI provider, is used only to generate your outputs, and is not used to train models. You may request deletion of this working memory at any time by contacting privacy@finloom.io, and we will delete it within 30 days.
- Stored access credential. To run on a schedule without you being signed in, an encrypted, read-only access credential for your FinLoom account is stored in our AI provider's credential vault and refreshed automatically. You may revoke it at any time by disabling the feature or contacting privacy@finloom.io, and we will delete it within 30 days.
- Delivery by email. Scheduled briefings and reports are delivered to the email address on your account through our transactional email provider and contain financial figures from your account. Keep your account email current and secured.
- Documents you upload for analysis. Some features analyze documents you upload, such as the financial statements of a business you are evaluating for purchase. These are processed only to produce the analysis you request. You are responsible for having the right to upload and process such documents, including under any confidentiality agreement, and for the accuracy of any third-party information they contain.
5. Team and Multi-User Access
If you are part of an organization on FinLoom:
- Organization owners can invite team members and assign roles (owner, editor, viewer).
- Team members may access organizational data based on their assigned role and product permissions.
- Viewers can see but not modify data. Editors can modify data within assigned products. Owners have full access.
- Organization owners are responsible for managing team member access and ensuring appropriate permissions.
6. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your account and associated data.
- Export: Export your data at any time using the built-in export features.
- Objection: Object to certain processing of your data.
- Restriction: Request that we limit how we use your data.
To exercise any of these rights, contact us at privacy@finloom.io. We will respond within 30 days.
7. Cookies and Local Storage
The Service uses minimal browser storage:
- Session Storage: Stores your current navigation state (active page, active product). Cleared when you close the browser tab.
- Local Storage: Stores your tool preferences (which financial templates are enabled). No personal data is stored in local storage.
- Authentication Cookies: Managed by Supabase for session management.
We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
8. Children's Privacy
The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will delete it promptly.
9. International Users
The Service is operated in the United States. If you access the Service from outside the United States, your information may be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction.
10. Security
We implement commercially reasonable security measures, including:
- Encryption in transit and at rest.
- Row-level security on all database tables.
- Secure authentication via Supabase Auth.
- Regular security reviews of our codebase and infrastructure.
Despite these measures, no system is completely secure. We cannot guarantee the absolute security of your data.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 15 days before taking effect. The "Last Updated" date at the top of this policy indicates the most recent revision.
12. Contact Us
For questions, concerns, or requests regarding this Privacy Policy:
Email: privacy@finloom.io
Address: FinLoom, Philadelphia, PA