Privacy Policy

Last updated: 22 April 2026  ·  Effective: 22 April 2026

FinPeek Technologies Private Limited ("FinPeek", "we", "us", "our") operates the FinPeek platform at finpeek.money and its associated mobile and web applications (the "Service"). This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and the rights you have over it under the Digital Personal Data Protection Act, 2023 ("DPDP Act") and other applicable Indian laws.

1. Who we are

FinPeek Technologies Private Limited (CIN: U62099WB2026PTC288241) is a company incorporated in India. For any privacy-related questions, you can reach us at support@finpeek.money. A Grievance Officer will be appointed and their details published here as the platform scales, in line with DPDP Act requirements.

2. What data we collect

2.1 Information you provide directly

• Account information: name, email address, mobile number, password (stored as a hash, never in plain text).
• Profile information: age, city, occupation, income range, and financial goals you choose to share with us to personalise the experience.
• Payment information: for Pro subscriptions, billing details are collected and processed by our payment partner. We receive only the transaction outcome and a tokenised reference, not your full card or UPI credentials.
• Support communications: any messages you send us.

2.2 Information received through Google Sign-In

If you sign up using Google, we receive your name, email address, and profile picture from Google. We request only the minimum scopes required to create your FinPeek account. We do not read your Gmail, Calendar, Drive, or Contacts. If we ever add optional features that use additional Google scopes, they will be opt-in and disclosed before you grant access.

2.3 Financial data via the Account Aggregator (AA) framework

FinPeek connects to your financial accounts only through RBI-licensed Account Aggregators. This is a consent-based framework where:

• Every data request is specific — purpose, data types, frequency, and duration are shown to you before you approve.
• You authenticate the consent on the Account Aggregator's interface, not ours.
• You can revoke consent at any time from the Account Aggregator app or from within FinPeek, and no further data will flow to us after revocation.
• We receive encrypted financial data (bank statements, mutual fund holdings, deposits, insurance, and similar information you explicitly consent to share) and store it only for the duration you have consented to.

Where you upload financial statements directly (for example, a CAMS Consolidated Account Statement), we parse the file to extract your holdings and delete the raw file after processing unless you choose to retain it.

2.4 Information collected automatically

• Device and usage data: IP address, device type, operating system, browser, pages visited, and features used. This helps us keep the Service secure and improve it.
• Analytics: we use Google Analytics 4 to understand aggregate usage patterns. You can opt out via standard browser controls or the Google Analytics Opt-out Browser Add-on.
• Cookies: we use essential cookies for authentication and optional cookies for analytics. You can manage these through your browser or our cookie banner.

3. Why we use your data (purposes of processing)

• To create and operate your FinPeek account.
• To aggregate your financial data into a consolidated snapshot and generate personalised insights and nudges.
• To calculate tax reports, portfolio performance, credit score summaries, and similar analytics that are the core function of the Service.
• To process subscription payments and manage billing.
• To communicate service updates, respond to support requests, and share product information you have opted in to receive.
• To detect fraud, prevent abuse, and comply with legal obligations.
• To improve the Service through aggregated, non-identifying analytics.

4. What we do NOT do with your data

• We do not sell your personal or financial data to anyone.
• We do not earn commissions from mutual funds, insurance, or loan providers. Our business model is a pure subscription, so our incentives are aligned with yours.
• We do not share your individual financial data with advertisers, lead generators, or third-party marketers.
• We do not use your financial data to train third-party AI models. Any AI-driven features we build operate on your data only for your benefit and are disclosed separately.

5. Who we share data with

We share data only with the following categories of recipients, and only to the extent necessary:

• Account Aggregators regulated by the RBI, to receive data you have consented to share.
• Cloud and infrastructure providers (for example, our database and hosting partners) that store data on our behalf under contractual data protection obligations. Data is hosted in India wherever feasible.
• Payment processors to handle subscription billing.
• Analytics and error-monitoring providers, configured to minimise personal data where possible.
• Professional advisors (legal, audit, tax) under confidentiality obligations.
• Regulators, courts, and law enforcement where legally required, and only to the extent required.
• A successor entity in the event of a merger, acquisition, or reorganisation, with notice to you and continued protection of your data under this policy.

6. Data retention

We retain personal data only as long as needed for the purpose it was collected for, or as required by law. Specifically:

• Account data: for the duration of your account, plus a short period after deletion to handle disputes and regulatory requirements.
• Financial data received via Account Aggregators: for the duration you have consented to, after which it is deleted or anonymised.
• Payment records: for the period required under tax and accounting laws (typically up to 8 years).
• Support communications: up to 3 years.

7. How we protect your data

• All data in transit is encrypted using TLS 1.2 or higher.
• Financial data at rest is encrypted using industry-standard encryption.
• Access to production systems is restricted, logged, and requires multi-factor authentication.
• Passwords are stored as salted hashes, never in plain text.
• We conduct regular security reviews and will publish incident-response practices as the company grows.

No system is perfectly secure. If we become aware of a personal data breach that is likely to cause you harm, we will notify you and the Data Protection Board of India as required by the DPDP Act.

8. Your rights under the DPDP Act

As a Data Principal, you have the right to:

• Access: request a summary of the personal data we hold about you.
• Correction and erasure: request correction of inaccurate data or deletion of data we no longer need.
• Withdraw consent: at any time, for any processing based on consent. Withdrawal does not affect processing done before withdrawal.
• Grievance redressal: raise a complaint with our Grievance Officer, and escalate to the Data Protection Board of India if unresolved.
• Nominate another individual to exercise these rights in the event of your death or incapacity.

To exercise any of these rights, email support@finpeek.money. We will respond within the timelines required by law.

9. Children

FinPeek is intended for users aged 18 and above. We do not knowingly collect personal data from children. If you believe a child has provided us data, please contact us and we will delete it.

10. Cross-border transfers

We primarily store data in India. Where specific service providers operate outside India, transfers are made only to jurisdictions permitted under Indian law and under appropriate contractual safeguards.

11. Changes to this policy

We may update this policy as the Service and applicable laws evolve. Material changes will be notified by email or through the Service at least 7 days before they take effect. The "Last updated" date at the top reflects the current version.

12. Contact

Questions, requests, or complaints: support@finpeek.money

FinPeek Technologies Private Limited (CIN: U62099WB2026PTC288241), India.