← Finora

Privacy Policy

Last updated: 23 May 2026

This Privacy Policy explains how Finora ("Finora", "we", "us") collects, uses, and safeguards personal data when you use the Finora platform at finora.services (the "Service"). Finora is established in the European Union and acts as a data controller for account data and as a data processor for the billing data we ingest on your behalf from connected AI providers.

If you do not agree with this Policy, please do not use the Service.

1. What we collect

We collect only the data we need to operate the Service and meet our legal obligations.

Account information

  • Email address (required for sign-in and notifications)
  • Hashed password (for email/password accounts)
  • Identity-provider subject and display name (for SSO accounts via Microsoft Entra ID or Google)
  • Profile preferences (language, timezone, notification settings)

Connected provider credentials

When you connect an AI provider (OpenAI, Anthropic, Azure OpenAI, AWS Bedrock, Google Cloud, Cursor, xAI), you supply an API key with read-only billing scope. We store these credentials encrypted in Azure Key Vault; only a vault reference is kept in our application database, and the credentials are never returned to your browser.

Usage data we ingest on your behalf

On a schedule you control, Finora reads cost, usage, and line-item metadata from your connected provider accounts. This data is stored in our database in the European Union and is treated as Customer Data.

Billing data

Subscription tier, status, renewal dates, and a reference to your Stripe customer record. We do not store card details. Payment information is collected and processed by Stripe under their own privacy policy.

Product and error telemetry

  • Anonymised product analytics via PostHog (EU region), with PII stripped from events
  • Application errors and traces via Sentry (EU region), with credentials and request bodies redacted
  • Standard server logs (IP address, user agent, request path, timestamp) for security and abuse prevention

Support communications

If you contact us by email or via the Crisp chat widget, we keep the conversation history so we can help you and improve the Service.

2. How we use your data

  • To provide the Service (authenticate you, ingest billing data, render dashboards, send alerts).
  • To bill you and manage your subscription.
  • To send service-related emails (verification, password reset, alerts, security notices).
  • To detect, prevent, and respond to abuse, fraud, or security incidents.
  • To comply with legal obligations (tax, accounting, lawful requests).
  • To improve the Service via aggregated, de-identified analytics.

3. Lawful bases (GDPR)

  • Contract — to provide the Service you have signed up for (GDPR Art. 6(1)(b)).
  • Legitimate interests — for security, fraud prevention, and product analytics that do not override your rights (GDPR Art. 6(1)(f)).
  • Legal obligation — for tax, accounting, and lawful requests (GDPR Art. 6(1)(c)).
  • Consent — where required, for marketing emails or non-essential cookies (GDPR Art. 6(1)(a)). Consent can be withdrawn at any time.

4. Where we store your data

All Customer Data is stored in the European Union — Microsoft Azure, West Europe region (Amsterdam). Backups are kept in the same region with geo-redundancy to a paired EU region (North Europe). Customer Data does not leave the EU except via the subprocessors listed below, all of which operate under EU Standard Contractual Clauses.

5. Subprocessors

We use the following subprocessors to deliver the Service. Each is bound by a Data Processing Addendum (DPA).

SubprocessorPurposeData region
Microsoft AzureHosting, database, secrets, messagingEU — West Europe
StripePayment processingGlobal (PCI scope, EU SCCs)
Microsoft (ACS)Transactional emailEurope
PostHogProduct analyticsEU — Frankfurt
SentryError trackingEU — Frankfurt
CrispCustomer support chatEU — France

Material changes to this list are announced at least 30 days in advance.

6. Retention

  • Account data — retained while your account is active. On deletion, account data is removed immediately and irreversibly in a single database transaction; an audit-log entry is preserved for legal and accounting purposes.
  • Ingested billing data — retained for the history window of your subscription tier, then pruned by an automated job.
  • Server logs — retained for up to 30 days for security and abuse detection.
  • Billing records — retained for the period required by applicable tax and accounting law (typically 7 years in the EU).
  • Backups — recycled in line with Azure managed-service policy. Deletion requests propagate to backups in the normal backup cycle.

7. Your rights (GDPR)

If you are in the EU or UK, you have the following rights over your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data. Most fields are editable in-app.
  • Erasure — delete your account at any time from Settings → Profile. The deletion is immediate and irreversible.
  • Portability — export your data as CSV from Settings.
  • Restriction and objection — ask us to limit or stop certain processing.
  • Withdraw consent — where processing is based on consent.
  • Lodge a complaint — with your local supervisory authority. We will cooperate fully.

To exercise these rights, email admin@finora.services. We aim to respond within 30 days.

8. Cookies and similar technologies

We use a small number of cookies:

  • Session cookies (essential) — to keep you signed in; expire after 7 days or on sign-out.
  • Analytics cookies (PostHog, EU) — to measure product usage in aggregate; disabled if you opt out.
  • Support cookies (Crisp) — only set if you open the chat widget.

We do not use advertising cookies or third-party tracking pixels.

9. Security

We protect your data with TLS in transit, encryption at rest, least-privilege access controls, and an immutable audit log of sensitive actions. A summary of our security posture is available on request. Report suspected vulnerabilities to admin@finora.services — we acknowledge within 24 hours.

10. Children

Finora is not directed at children under 16, and we do not knowingly collect their data. If you believe a child has provided us with personal data, contact us and we will delete it.

11. International transfers

Where any of our subprocessors process data outside the EU/EEA, the transfer is covered by EU Standard Contractual Clauses and, where applicable, supplementary measures consistent with the guidance of the European Data Protection Board.

12. Changes to this Policy

We may update this Policy from time to time. Material changes will be notified by email or in-app at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent change.

13. Contact

Questions, requests, and complaints:

admin@finora.services