Effective date: April 17, 2026 · Last updated: April 17, 2026 · Version: 1.0
FinVista (“we”, “us”, “our”) operates a personal finance dashboard that lets you view balances, transactions, and spending analytics by securely connecting your U.S. bank accounts through Plaid. This Privacy Policy explains what information we collect, how we use and protect it, and the choices you have. By creating a FinVista account or connecting a bank through Plaid Link, you agree to the practices described here.
TL;DR: We collect only what's needed to show you your own finances. We never sell your
data. Bank credentials are entered into Plaid — never FinVista. You can delete your account
and all associated data at any time.
1. Information We Collect
1.1 Account Information
- Identity: first name, last name, email address
- Authentication: password hash (never stored in plaintext) or federated identity from Google / Apple Sign-In (email + public profile)
- Multi-factor authentication: TOTP shared secret, backup codes (stored locally in your browser)
1.2 Financial Data (via Plaid)
When you connect a bank, Plaid returns tokens and data to FinVista. We receive and cache:
- Institution name and connected account metadata (last-4 digits, account type, currency)
- Current and available balances
- Transaction history (date, amount, merchant, category, pending status)
FinVista never sees your bank username or password. You enter those directly into
Plaid Link, which exchanges them for an access token on our behalf.
1.3 Technical Data
- Browser type, device type, operating system
- IP address (for rate-limiting and fraud detection)
- Session timestamps and in-app navigation events (for debugging)
2. How We Use Your Information
| Purpose | Data used | Legal basis |
| --- | --- | --- |
| Display your balances, transactions, and analytics | Plaid-returned financial data | Contract (service delivery) |
| Authenticate your session | Email, password hash, MFA secret | Contract / Security |
| Detect and prevent fraud or abuse | IP, device, session timestamps | Legitimate interest |
| Send security alerts (e.g., new login, MFA reset) | Email | Legitimate interest |
| Comply with legal obligations | As required by law | Legal obligation |
We do not sell your personal information. We do not use your financial data for advertising or profiling.
3. How We Share Your Information
We share information only with the following categories of third parties:
- Plaid Inc. — to establish and maintain your bank connections. See Plaid's End User Privacy Policy.
- Google / Apple — only if you use social sign-in; limited to your email and public profile.
- Hosting & infrastructure providers — who process data on our behalf under written data-protection agreements.
- Law enforcement — only when required by valid legal process (subpoena, court order).
4. Data Retention
- Account data: retained while your account is active.
- Financial data: retained for the rolling period you view in the app (up to 24 months of history) and deleted within 30 days of bank disconnection.
- Security logs: retained for up to 12 months for fraud investigation.
- Deleted accounts: purged within 30 days of your deletion request, except where a longer period is required by law.
5. How We Protect Your Information
- In transit: all connections use TLS 1.2 or higher.
- At rest: sensitive fields are encrypted with AES-256.
- Authentication: TOTP-based multi-factor authentication (RFC 6238) available to all users; 8 single-use backup codes issued at enrollment.
- Access control: least-privilege principles; role-based access for any personnel who can view production systems.
- Plaid tokens: access tokens are stored encrypted and scoped to the bank data you explicitly link.
6. Your Rights
Depending on your jurisdiction you may have the right to:
- Access: request a copy of the personal data we hold about you.
- Correct: ask us to fix inaccurate information.
- Delete: request deletion of your account and associated data.
- Export: receive your data in a portable, machine-readable format (JSON / CSV).
- Disconnect banks: revoke Plaid connections at any time from the Accounts page.
- Opt out of marketing: we currently send no marketing email; security alerts cannot be disabled.
To exercise any right, email privacy@finvista.app. We respond within 30 days.
6.1 California (CCPA / CPRA)
California residents have the rights above plus the right to know the categories of personal information collected, disclosed, or sold in the prior 12 months. We do not sell personal information.
6.2 European Economic Area & UK (GDPR)
If you are in the EEA or UK, you may also lodge a complaint with your local data-protection authority. Our legal bases for processing are set out in Section 2.
7. Children's Privacy
FinVista is not directed to children under 13 (or under 16 in the EEA). We do not knowingly collect personal information from children. If we learn we have, we will delete it promptly.
8. International Transfers
FinVista is operated from the United States. If you access the service from outside the U.S., your data will be transferred to and processed in the United States. Where required, we use standard contractual clauses to safeguard cross-border transfers.
9. Cookies & Local Storage
FinVista uses browser localStorage to keep you signed in and to remember your theme preference. We do not use third-party advertising cookies or cross-site tracking.
10. Plaid-Specific Disclosures
By connecting a bank through Plaid Link:
- You authorize Plaid to collect information from your financial institution on our behalf.
- Plaid's handling of your data is governed by the Plaid End User Privacy Policy.
- You can revoke Plaid's access at any time via my.plaid.com or by disconnecting the bank inside FinVista.
11. Changes to This Policy
We will post any changes on this page and update the “Last updated” date above. Material changes will be emailed to your account address at least 30 days before taking effect.
12. Contact Us
FinVista
Privacy Team
New Jersey, United States
Email: privacy@finvista.app