Privacy Policy
The short version: we collect only what we need to give you your financial health report, we encrypt it, we never sell it, and we delete it the moment you ask. No fine print tricks. The rest of this page is the detail.
Who we are
Finally Financial Services Inc. (“Finally”, “we”, “us”) provides personal financial health reports to users in Canada and the United States. Because Finally handles financial information, we follow the financial-privacy and security laws that apply to us. In the United States, where it applies to us, that includes the Gramm-Leach-Bliley Act (GLBA) and its Safeguards Rule; in Canada, it includes the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial laws such as Quebec's Law 25. Either way, we hold ourselves to these standards because your financial information deserves that level of care.
Our Privacy Officer is responsible for how we handle your information and for our compliance with this policy. That is currently Santiago Larrarte, Finally's founder. You can reach the Privacy Officer about this policy, your data, or any privacy concern at privacy@myfinally.com. For anything else, email support@myfinally.com.
What we collect
We collect three kinds of information:
- Waitlist and account information. Your email address and, if you choose to share them, your first name, last name, and country. We also note how you signed up so we know what's working.
- Financial data you upload. When you use Finally, you upload transaction files exported from your bank. These contain transaction dates, descriptions, and amounts. We never ask for your banking username or password, and we never have access to your bank account. We treat this as your most sensitive information: it is encrypted in transit and at rest, access is tightly restricted to what's needed to generate your report, and you can delete it permanently at any time. See How we protect it for the detail.
- Usage information. With your consent, basic analytics about how the product is used, such as pages visited, features clicked, and anonymized session activity, so we can improve it. See Cookies and analytics below for what's optional and how to control it.
How we use it
- To generate your financial health report and personalized recommendations.
- To send you the emails you asked for, like waitlist confirmations and product updates. You can unsubscribe anytime.
- To understand how people use Finally so we can make it better.
- To keep the service secure and prevent abuse.
Cookies and analytics
We use cookies and similar technologies for two purposes, and we ask before turning on anything that isn't essential.
- Essential cookies. These keep the site working and remember your cookie choice. They're always on because the service can't run without them, and they don't require your consent. A secure session cookie also lets your uploaded data become your report without forcing you to create an account. That's an essential cookie too.
- Optional analytics cookies. These help us understand how Finally is used so we can improve it. They stay off until you choose Accept all in our cookie banner. If you choose Essential only, we don't set them.
For analytics we use Vercel Web Analytics, which is privacy-friendly and does not use cookies, and, with your consent, PostHog and Google Analytics 4 (a Google service). With your consent, PostHog also records anonymized session activity such as pages viewed, clicks, and scrolling, which helps us see what's confusing. Text you type into forms is masked by default, and we never use this to identify you personally. Google Analytics and PostHog stay off until you choose Accept all in our cookie banner.
You can change your mind at any time: clear the Finally cookie in your browser to bring the banner back, or use your browser settings to block or delete cookies. Blocking essential cookies may stop parts of the site from working.
What we never do
- We never sell your data. Not to advertisers, not to data brokers, not to anyone.
- We never share your financial data with third parties for their own marketing.
- We never call you to sell you financial products.
- We never store your bank credentials, because we never collect them.
How we protect it
Your data is encrypted both in transit and at rest. In transit, it travels over encrypted connections (TLS). At rest, it is stored encrypted with reputable cloud infrastructure providers in North America, using industry-standard encryption (AES-256). Uploaded transaction files are handled the same way.
Access is limited to what is strictly required to operate the service, and we never use your financial data for advertising or sell it to anyone. You can ask us to delete your data at any time, and when you do, it is removed permanently. No security measure is perfect, but we work to protect your information using safeguards appropriate to how sensitive it is.
We maintain a written information security program with administrative, technical, and physical safeguards designed to protect your information, and we have designated an individual responsible for that program. That individual is currently our Privacy Officer, Santiago Larrarte. We review our safeguards as Finally grows.
If there's a data breach
If a security breach affects your personal information and creates a real risk of significant harm to you, we will notify you and the appropriate regulators as required by law, and tell you what happened, what we are doing about it, and what steps you can take to protect yourself. In Canada this includes reporting to the Office of the Privacy Commissioner of Canada (and, for Quebec residents, the Commission d'accès à l'information); in the United States we follow the breach-notification rules that apply to us. We keep records of security breaches as the law requires.
Service providers
We use a small number of trusted service providers to run Finally: cloud hosting and database, email delivery, product analytics, and an artificial-intelligence provider that helps generate your report. To create your financial health report, the transaction data you upload is processed by our AI provider (Anthropic) acting only on our instructions. Every provider is bound by a written agreement to process your data only to provide their service to us, to keep it confidential and secure, and never to use it for their own purposes.
Where your data is processed
Finally is operated from North America, and some of our service providers store or process data in the United States. This means your information may be transferred to, stored in, or accessed from a country other than the one you live in, including the United States, where it is subject to the laws of that jurisdiction and may be accessible to courts, law enforcement, and government authorities there.
Before relying on a provider outside your province or country, we assess whether your information will receive a level of protection comparable to what it has under Canadian law, and we put contractual safeguards in place. If you are a resident of Quebec, we note specifically that your personal information may be communicated and stored outside Quebec, including in the United States, as described above. If you have questions about these transfers or want to know which jurisdictions are involved, contact our Privacy Officer at privacy@myfinally.com.
When the law requires it
We may disclose information in response to a search warrant, court order, or other legally valid request from Canadian or US authorities, to investigate or prevent fraud, or where otherwise required or permitted by law.
If our business changes hands
If Finally is ever involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. It would remain subject to the commitments in this policy, and we would let you know before any different policy applied to you.
Your rights
You can ask us at any time to access, correct, or delete the personal information we hold about you, and to withdraw a consent you previously gave. Deletion is immediate and permanent. Just email privacy@myfinally.com and we'll take care of it. We respond to these requests within 30 days; if we ever need longer, we'll tell you why.
If you are in Canada, you have rights under PIPEDA and applicable provincial laws, including Quebec's Law 25. If you are in the United States, where the federal Gramm-Leach-Bliley Act (GLBA) applies, the financial information you share with Finally is protected under it, and you may also have rights under your state's privacy laws, such as the California Consumer Privacy Act (CCPA), for example the right to know what we collect, to delete it, and to opt out of its sale (which we never do). We honor these rights for all our users, regardless of where you live.
How to raise a concern or complaint
If you have a question or a complaint about how we handle your information, contact our Privacy Officer first at privacy@myfinally.com. We'll acknowledge your concern, look into it, and respond in writing, normally within 30 days. If we can't resolve it to your satisfaction, you have the right to escalate.
- In Canada, you can contact the Office of the Privacy Commissioner of Canada. If you live in Quebec, you can also contact the Commission d'accès à l'information.
- In the United States, you can contact your state attorney general or the relevant state privacy regulator, such as the California Privacy Protection Agency.
How long we keep it
We keep different information for different lengths of time:
- Waitlist and account information — until you ask us to remove you or close your account.
- Financial data you upload and the report we generate from it — while your account is active, so you can return to your report. You can delete it at any time. When you delete it, or close your account, it is removed from our live systems immediately and purged from our encrypted backups within 30 days.
- Minimal records we're legally required to keep — for example, records of a security breach, which we retain for the period the law requires before deleting them.
Children
Finally is not directed to anyone under 18, and we do not knowingly collect information from minors.
Changes to this policy
If we change this policy in a meaningful way, we'll update the date at the top and let you know by email if the change affects how we handle your data.
Contact
Privacy questions, requests, or concerns: privacy@myfinally.com. Anything else: support@myfinally.com.
You can also reach us by mail at:
Finally Financial Services Inc.
Finally Support
2967 Dundas St. W. #1743
Toronto, ON M6P 1Z2
Canada