Privacy Policy
Finton is developed by Haveton AB. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the Finton mobile app and related services (the "Account Service"). This Policy shall be read in conjunction with the Terms of Use.
1. Who we are
Haveton AB ("Finton", "we", "us") is the data controller for personal data processed in the Account Service. For questions about this Policy or to exercise your rights, contact us at [email protected].
2. What data we collect
When you link accounts and/or cards to the Account Service (the "Transaction Link"), we process bank or card provider details and connectivity metadata (such as timestamps and IP address) needed for a secure link.
Transaction Issuers provide purchase and payment information — such as amount, transaction text, merchant or labelled information, and date (jointly "Transaction Data") — via Enable Banking. We do not use Transaction Data older than two years when generating insights, summaries, scores, and similar in-app features.
We may collect and process the following categories of personal data:
- Identity and account data: email address, first and last name, display name, user ID, notification preferences, device push token, and referral information.
- Financial data: transactions (amount, date, currency, counterparty, category), account names, the last four digits of your IBAN for display (ibanLast4), account balance snapshots, and bank connection session metadata. We do not store your full IBAN.
- Derived and behavioural data: inferred spending scores, automated insights and recommendations, your category choices, and in-app notifications.
- Chat and conversation data: messages you send in the optional AI chat, assistant responses, timestamps, and related metadata (such as daily usage limits).
- Insurance and wealth data (optional): if you complete an Insurely flow, we may store a snapshot of insurance or wealth results returned by Insurely to display them in the app.
- App and operational data: crash reports, device information, feedback you submit, and email activity for account verification and service messages.
3. Why we use your data
We process your personal data to:
- Provide the Account Service — insights into your economy, spending, and linked accounts based on Transaction Data.
- Answer questions in the optional AI chat using your linked transaction and account data.
- Generate automated insights and summaries (such as spending guidance, score summaries, and recommendations).
- Improve app functionality, maintain security, and comply with legal requirements.
- Send notifications and relevant offers where you have given consent.
The Account Service cannot be provided without processing Transaction Data and related account information. We do not use your data for purposes incompatible with those described here.
Legal basis: The primary legal basis is performance of our contract with you (GDPR Art. 6(1)(b)) — delivering the Account Service you request. Where we send marketing or optional notifications, we rely on your consent (Art. 6(1)(a)), which you may withdraw at any time.
4. Who we share data with
We do not sell your personal data. We share data with trusted processors only as needed to operate the Account Service, under data processing agreements and appropriate safeguards.
Processors and subprocessors we use include:
- Google Firebase / Google Cloud — authentication, app infrastructure, secure storage, and cloud functions. Primary database region: EU (europe-north2, Finland).
- Enable Banking Oy — open-banking connectivity for Transaction Links.
- Gokind AB — transaction enrichment and categorization.
- Insurely — optional insurance and wealth aggregation (user-initiated via BankID).
- OpenAI — AI chat responses and automated insights. Data sent may include chat messages and a bounded snapshot of your transaction and account data.
- SendGrid — transactional email (e.g. account verification).
- Sentry — error monitoring. We aim to avoid combining email with financial details in error reports.
- Expo / EAS — mobile app build and over-the-air updates.
Certain processors may process data outside the EU/EEA. Where required, transfers are covered by standard contractual clauses or other appropriate safeguards under GDPR Chapter V.
Aggregated statistics that do not identify individuals may be used for analytics and product improvement.
5. How we protect your data
We apply technical and organizational measures including:
- Data minimization: we store normalized transaction fields needed for the app — not full raw bank payloads on identified transactions.
- Account identifier minimization: we store only the last four IBAN digits for display, not your full IBAN.
- Identity separation: financial event data (transactions, accounts) is linked to a pseudonymous identifier (subjectId) separate from your profile, reducing direct linkage in backups and exports. This is pseudonymization — the data remains personal data for us because we hold the mapping to your account.
- Access controls: Firestore security rules restrict data access to the authenticated account owner. Server-managed fields cannot be altered by the client.
- Encryption: data is encrypted in transit and at rest via our cloud infrastructure provider.
No method of transmission or storage is 100% secure. We use commercially acceptable means to protect your data but cannot guarantee absolute security.
6. How long we keep your data
We retain personal data only as long as necessary for the purposes above or to comply with legal obligations:
- Transactions and account data: until you delete your account.
- AI chat messages: 90 days from creation, then automatically deleted. You can also clear chat immediately by starting a new chat.
- Temporary unidentified transaction payloads: up to 30 days, then automatically purged.
- Insurely snapshots: until you delete your account.
- Identity profile and preferences: until you delete your account.
When you delete your account, we remove your personal data from our systems. Deletion is initiated immediately; residual copies in backups may take up to 30 days to be fully purged.
7. Your rights under GDPR
You have the right to:
- Access — know what personal data we process and request a copy.
- Rectification — correct inaccurate or incomplete data.
- Erasure — delete your data ("right to be forgotten").
- Restriction — limit how we process your data in certain circumstances.
- Portability — receive your data in a machine-readable format.
- Object — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent.
- Complain — lodge a complaint with the Swedish Authority for Privacy Protection (IMY) at imy.se.
In the app: you can export your data and delete your account from Settings. Export provides your data in CSV/JSON format. Account deletion removes your profile, transactions, chat history, Insurely snapshots, and related data.
You can clear AI chat history immediately by starting a new chat. For other requests, contact [email protected].
8. AI and automated processing
Finton uses automated processing to generate insights, scores, recommendations, and AI chat responses. These are general and informational — they do not constitute personal financial advice, credit assessments, or lending decisions.
When you use the AI chat, your message and a bounded snapshot of recent transaction context (and up to 24 recent chat messages) are sent to our AI provider to generate a response. Chat history is stored in your account and subject to the 90-day retention above.
Finton does not make decisions with legal or similarly significant effects on you based solely on automated processing (GDPR Art. 22).
9. Children
The Account Service is intended for users who are at least 18 years old and reside in the EEA. We do not knowingly collect personal data from anyone under 18.
10. Security
We use encryption, secure access controls, and regular review of our systems to protect your information. Access to personal data within Haveton is limited to personnel who need it to operate the service.
11. Updates to this Policy
We may update this Privacy Policy from time to time. Significant changes will be notified in the app and/or via contact information you have provided. The "Effective date" at the top indicates when this version took effect. Continued use after changes constitutes acceptance where permitted by law.
Related documents
For Terms of Use and Cookie Policy, see our Terms of Use & Privacy Policy page.
