Privacy Policy

How Fidelock collects, uses, and protects your data.

Fidelock is a comprehensive financial management platform designed to help individuals and businesses organize their finances across multiple devices and platforms. We provide secure financial tracking, analytics, account management, and business intelligence tools through our unified platform. This Privacy Policy explains how we collect, use, and safeguard your financial data when you use our services.

1. Information We Collect

Data Categories and Privacy-First Collection

We collect different types of information to provide our financial management services, with strong privacy protections built into our data collection practices:

Personal Financial Data
Transaction records, account balances, expense categories, income sources, credit card information, bank account details, budget goals, and spending patterns. All financial data is immediately encrypted using AES-256 encryption and stored with randomized identifiers that cannot be traced back to individual users without proper decryption keys.
Account and Profile Information
Name, email address, phone number, profile preferences, security settings, biometric authentication data (stored locally only), and subscription status. Personal identifiers are hashed using SHA-256 with salt, and usage analytics are collected using privacy-preserving differential privacy techniques.

Privacy-Preserving Data Collection Techniques

We implement multiple technical safeguards to ensure user anonymity: (1) Data Minimization - We collect only essential data required for core functionality. (2) Pseudonymization - User identifiers are replaced with irreversible cryptographic hashes. (3) Differential Privacy - Usage analytics include mathematical noise to prevent individual identification. (4) Local Processing - Sensitive computations occur on-device before any data transmission. (5) Zero-Knowledge Architecture - Our servers cannot decrypt your financial data without your device-specific encryption keys. (6) Temporal Data Separation - Transaction timestamps are rounded and offset to prevent behavioral pattern analysis. (7) Secure Multi-party Computation - When aggregating insights, we use privacy-preserving algorithms that compute results without exposing individual data points.

2. How We Collect Information

We collect information through the following methods:

Direct Input
Information you manually enter into our platform, including transactions, account details, categories, notes, and financial goals.
Platform Usage Data
Device identifiers, platform performance metrics, feature usage patterns, error logs, and interaction data to improve our services across all supported platforms.
Device and System Information
Operating system version, device type, platform version, browser information (for web), network connection status, and system preferences for platform functionality and data synchronization.

3. How We Use Your Information

Our Data Processing Purposes

We process your information for these essential purposes:

  • Providing core financial management features: transaction tracking, expense categorization, budget monitoring, and financial insights
  • Enabling multi-device synchronization across your connected devices and platforms (available for Professional subscribers)
  • Processing recurring transactions, payment reminders, and automated financial calculations
  • Personalizing your experience with custom categories, preferred currencies, and tailored financial analytics

4. Data Security and Protection

Our Security Framework

Fidelock implements enterprise-grade security measures across all platforms: All financial data is encrypted both at rest and in transit using AES-256 encryption. Authentication data is securely managed and protected using industry-standard practices. Data synchronization uses end-to-end encryption. We employ secure coding practices, regular security audits, and follow platform-specific security guidelines. Data is protected through secure storage mechanisms appropriate to each platform, including hardware-backed security where available.

5. Data Sharing and Third Parties

Our No-Sharing Policy

We do not sell, rent, trade, or share your personal financial data with third parties for marketing purposes. We may only disclose information: (a) with your explicit consent, (b) to comply with legal obligations or court orders, (c) to protect our rights or prevent fraud, (d) to service providers who assist with technical operations under strict confidentiality agreements, or (e) in connection with a business merger or acquisition (with prior notice and opt-out rights).

6. Your Privacy Rights and Controls

Data Subject Rights and User Controls

You have comprehensive control over your data: Access and download your financial data through our export feature. Correct or update information directly within our platform. Delete specific transactions or entire account data. Control synchronization settings and authentication preferences. Opt out of usage analytics and marketing communications. Request data portability in standard formats. We respond to rights requests within 30 days and provide self-service options where possible.

7. Cookies and Tracking Technologies

Our platform uses cookies and similar technologies only as necessary for core functionality. Our web application may use essential cookies for functionality, security, session management, and user preferences. Our mobile applications use platform-native storage mechanisms. We do not use third-party advertising networks or behavioral tracking technologies. All analytics data is anonymized and aggregated to protect your privacy.

8. Data Synchronization and Cloud Services

For Professional subscribers who enable synchronization, we provide secure data synchronization across your connected devices and platforms using industry-standard encryption and secure cloud infrastructure. Your synchronized data is protected by end-to-end encryption and remains under your control. We use secure, privacy-focused cloud services and cannot access your encrypted data without your authentication. You can disable synchronization at any time through your account settings, and local data remains unaffected.

9. Data Retention and Deletion

We retain your data only as long as necessary to provide services or as required by law. You can delete individual transactions, categories, or your entire account at any time through our platform. Deleted data is immediately removed from your local storage and synchronized deletions propagate across your connected devices according to our secure deletion protocols, typically within 30 days.

10. International Data Processing

Your data may be processed on servers in different countries where our secure cloud infrastructure operates. We ensure appropriate data protection safeguards and compliance frameworks are in place for international data transfers. For users in the EU, we comply with GDPR requirements. Canadian and other international users benefit from similar privacy protections based on applicable local laws and international data protection standards.

11. Children's Privacy

Fidelock is not intended for users under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will delete it immediately. Parents who believe their child has provided information to us should contact our support team.

12. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. Material changes will be communicated through the app or via email. Continued use of our services after changes constitutes acceptance of the updated policy. We maintain previous versions for your reference.

13. Legal Basis for Processing

How We Justify Data Processing

We process your personal data based on the following legal foundations: CONTRACTUAL NECESSITY: Processing required to provide our financial management services and honor our Terms of Service. LEGITIMATE INTERESTS: Improving our services, preventing fraud, ensuring security, and conducting analytics with appropriate safeguards. LEGAL COMPLIANCE: Meeting regulatory requirements, tax obligations, and responding to legal requests. CONSENT: Where you have explicitly agreed to specific processing activities, which you may withdraw at any time. We regularly assess our legal basis to ensure continued compliance with privacy laws.

14. Automated Decision Making and Profiling

How We Use AI and Algorithms

Fidelock uses automated processing to enhance your financial management experience: TRANSACTION CATEGORIZATION: Machine learning algorithms automatically categorize transactions based on merchant data and spending patterns. FRAUD DETECTION: Automated systems monitor for unusual activity to protect your financial data. BUDGET INSIGHTS: Algorithms analyze your spending to provide personalized financial insights and recommendations. PERFORMANCE OPTIMIZATION: Automated systems optimize app performance and resource usage across devices. You have the right to request human review of automated decisions and can opt out of certain automated processing features through your privacy settings.

15. Biometric Data and Authentication

Secure Identity Verification

Fidelock may collect biometric identifiers for enhanced security: DEVICE-LEVEL AUTHENTICATION: We support fingerprint, face recognition, and other biometric authentication methods provided by your device's operating system. LOCAL PROCESSING: Biometric data is processed locally on your device and never transmitted to our servers. SECURITY PURPOSE: Used solely for authenticating access to your financial data and cannot be used for identification by third parties. USER CONTROL: You can enable or disable biometric authentication at any time through your device settings. We do not store, process, or have access to your actual biometric information - this is handled entirely by your device's secure hardware.

16. Business Transfers and Corporate Changes

What Happens to Your Data

In the event of a merger, acquisition, or sale of assets: ADVANCE NOTICE: We will provide 30 days' advance notice of any ownership changes that affect data processing. USER CHOICE: You will have the option to delete your data or opt out before any transfer. CONTINUED PROTECTION: The acquiring entity must commit to privacy protections at least as stringent as this policy. DATA MINIMIZATION: Only necessary data for service continuity will be transferred; all other data will be deleted. REGULATORY COMPLIANCE: All transfers will comply with applicable data protection laws and require appropriate legal safeguards.

17. Cross-Border Data Processing and Adequacy

International Data Protection Standards

We process data globally while maintaining high privacy standards: ADEQUACY DECISIONS: We prioritize data processing in jurisdictions with recognized adequacy decisions from major privacy regulators. STANDARD CONTRACTUAL CLAUSES: Where adequacy is not established, we implement Standard Contractual Clauses (SCCs) or similar approved transfer mechanisms. PRIVACY SHIELD PRINCIPLES: We adhere to Privacy Shield-equivalent principles even after framework changes. ENCRYPTION IN TRANSIT: All international data transfers use end-to-end encryption and secure protocols. LOCAL DATA RESIDENCY: Where legally required, we ensure data residency requirements are met through regional processing centers.

18. Incident Response and Breach Notification

How We Handle Security Events

Our comprehensive incident response framework: DETECTION SYSTEMS: Continuous monitoring systems detect potential security incidents and data breaches. RAPID RESPONSE: Security incidents receive immediate priority assessment and containment efforts. REGULATORY NOTIFICATION: We comply with all applicable legal notification requirements to relevant authorities. USER NOTIFICATION: Affected users are promptly notified with clear information about incidents and recommended protective actions. FORENSIC INVESTIGATION: Independent security experts investigate incidents to strengthen our systems and prevent recurrence. TRANSPARENCY REPORTS: We publish regular transparency reports detailing security improvements and industry best practices.

19. Privacy by Design and Data Minimization

Our Privacy-First Architecture

Privacy is built into every aspect of Fidelock: MINIMAL DATA COLLECTION: We collect only data essential for providing financial management services. PURPOSE LIMITATION: Data is used only for stated purposes and cannot be repurposed without consent. PRIVACY-PRESERVING ANALYTICS: We use differential privacy and aggregation techniques to analyze trends without compromising individual privacy. ZERO-KNOWLEDGE ARCHITECTURE: Our systems are designed so that even our engineers cannot access your decrypted financial data. REGULAR PRIVACY IMPACT ASSESSMENTS: New features undergo comprehensive privacy impact assessments before deployment. PRIVACY BY DEFAULT: The most privacy-protective settings are enabled by default for all users.

20. Third-Party Integrations and Service Providers

How We Work with Partners

When we work with service providers, your privacy remains protected: STRICT VETTING PROCESS: All service providers undergo comprehensive privacy and security assessments. DATA PROCESSING AGREEMENTS: Partners must sign detailed agreements limiting data use to specified purposes only. REGULAR AUDITS: We conduct regular audits of service providers to ensure compliance with privacy commitments. LIMITED ACCESS: Service providers receive only minimum necessary data to perform their specific functions. GEOGRAPHIC RESTRICTIONS: We specify where service providers can process data based on privacy requirements. IMMEDIATE TERMINATION: Contracts include immediate termination clauses for privacy violations.

21. Research and Development Privacy

Innovation with Privacy Protection

Our research activities prioritize user privacy: ANONYMIZED DATASETS: Research uses fully anonymized and aggregated data that cannot be traced to individuals. SYNTHETIC DATA: We generate synthetic datasets that preserve statistical properties while eliminating personal information. FEDERATED LEARNING: Where possible, we use federated learning techniques that keep your data on your device. ETHICAL REVIEW: All research activities undergo ethical review to ensure privacy protection. BENEFIT SHARING: Research insights are used to improve services for all users while maintaining privacy. OPT-OUT OPTIONS: Users can opt out of having their anonymized data used for research purposes.

22. Contact Us and Data Protection Officer

For privacy-related questions, data subject rights requests, or concerns about our privacy practices, contact us at privacy@fidelock.com or through our in-app support system. Our Data Protection Officer can be reached at dpo@fidelock.com for specific privacy compliance matters. We are committed to resolving privacy concerns promptly and transparently. This policy is effective as of January 2025.