Privacy Policy

FundFlow Group Pty Ltd ABN 36 694 667 386 Last Updated: 1 February 2026

1. Introduction

FundFlow Group Pty Ltd ("FundFlow", "we", "us", or "our") operates the FundFlow mobile application (the "App"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our App.

FundFlow is a personal finance application that helps you organize your spending through customizable category trees and multi-currency support. We connect to your bank accounts through trusted third-party aggregators to retrieve your financial data.

By using FundFlow, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this policy, please do not use our App.

2. Information We Collect

2.1 Account Information

When you create a FundFlow account, we collect:

Email address
Password (securely hashed; we never store plaintext passwords)
Base currency preference

2.2 Financial Data

When you connect your bank accounts, we receive the following data from our bank aggregator partners:

Account names, types, and masked account numbers
Account balances and balance history
Transaction details including amounts, dates, descriptions, merchant names, categories, and locations (where available)
Bank connection metadata (connection status, last sync time)

Important: Your bank login credentials are never stored on or transmitted through FundFlow's servers. All credential handling occurs directly within our bank aggregator partners' secure environments.

2.3 Usage Data

We collect information about how you use the App:

Features accessed and actions taken
App performance data
Device type and operating system
Session duration and frequency of use

2.4 Technical Data

We automatically collect:

Error reports and crash data (in production only)
App version and configuration
General device information

2.5 Information We Do NOT Collect

Device contacts, photos, or files
Precise location data
Biometric data (Face ID/Touch ID authentication is processed entirely on your device; biometric data is never transmitted to FundFlow)
Social media profiles

3. How We Collect Information

3.1 Directly From You

When you register for an account
When you update your profile or preferences
When you contact us for support

3.2 From Bank Aggregator Partners

When you connect a bank account, we receive financial data through our aggregator partners:

Basiq (Australia, New Zealand)
Plaid (United States, Canada)
Tink (United Kingdom, European Union)

These partners connect directly to your financial institutions using industry-standard security protocols. Your bank credentials are handled exclusively by these partners and are never accessible to FundFlow.

3.3 Automatically

Analytics data via PostHog
Error and crash reports via Sentry (production only)

4. Bank Connections and Third-Party Aggregators

4.1 How Bank Connections Work

FundFlow uses licensed, regulated bank aggregators to securely connect to your financial institutions. When you link a bank account:

You are redirected to the aggregator's secure interface (SDK or WebView)
You enter your bank credentials directly with the aggregator
The aggregator establishes a secure connection with your bank
We receive only your financial data—never your login credentials

4.2 Our Aggregator Partners

Basiq (Australian and New Zealand banks)

Basiq is a licensed data recipient under Australia's Consumer Data Right (CDR)
Privacy Policy: https://basiq.io/privacy-policy/

Plaid (US and Canadian banks)

Plaid is a leading financial data aggregator in North America with SOC 2 Type 2 and ISO 27001 certifications
Privacy Policy: https://plaid.com/legal/

Tink (UK and EU banks)

Tink is a Visa-owned open banking platform, authorized and regulated under PSD2
Privacy Policy: https://tink.com/privacy-policy/

4.3 Managing Bank Connections

You can disconnect any bank connection at any time through the App. When you disconnect:

We stop syncing new data from that institution
Historical data may be retained unless you request deletion
The aggregator connection is revoked

5. How We Use Your Information

We use your information to:

5.1 Provide and Improve the Service

Display your accounts and transactions
Sync your financial data
Categorize your spending
Generate insights and reports
Improve App features and user experience

5.2 Communicate With You

Send service-related notifications
Respond to support requests
Send marketing communications (only with your opt-in consent)

5.3 Ensure Security and Compliance

Detect and prevent fraud
Maintain security of our systems
Comply with legal obligations

5.4 Analytics and Research

Understand how users interact with the App
Identify areas for improvement
Conduct aggregated, anonymized analysis

6. Data Sharing and Disclosure

6.1 Service Providers

We share data with trusted service providers who help us operate the App:

Provider	Purpose	Data Shared	Location
Supabase	Database and authentication	All user and financial data	Australia (Sydney)
Basiq	Australia/NZ bank connections	User identifiers, financial data	Australia
Plaid	US/Canada bank connections	User identifiers, financial data	United States
Tink	UK/EU bank connections	User identifiers, financial data	European Union
PostHog	Product analytics	Usage data, device info	European Union
Sentry	Error monitoring	Error data, stack traces	United States

6.2 Legal Requirements

We may disclose your information if required by law, court order, or government request, or to:

Comply with legal obligations
Protect our rights or property
Prevent fraud or illegal activity
Protect the safety of users or the public

6.3 Business Transfers

If FundFlow is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.

6.4 What We Do NOT Do

We do NOT sell your personal information to third parties
We do NOT share your financial data for advertising purposes
We do NOT allow third parties to use your data for their own marketing

7. Data Security

We implement industry-standard security measures to protect your data:

7.1 Encryption

All data transmitted between your device and our servers uses TLS/HTTPS encryption
Bank connection tokens are encrypted using AES-256-CBC encryption at rest
Passwords are securely hashed (never stored in plaintext)

7.2 Access Controls

Row-Level Security (RLS) ensures users can only access their own data
Database access is restricted and audited
Employee access to production data is limited and logged

7.3 Secure Storage

Session tokens are stored using platform-native secure storage (iOS Keychain, Android Keystore)
Sensitive data is never stored in plaintext on your device

7.4 Infrastructure Security

Our database is hosted on Supabase with enterprise-grade security
Regular security updates and patches are applied
We conduct periodic security reviews

8. Data Retention

8.1 Active Accounts

We retain your data for as long as your account is active and as needed to provide our services.

8.2 Account Deletion

When you delete your account:

Your personal data is deleted within 30 days
Some data may persist in encrypted backups per our providers' retention policies
We may retain anonymized, aggregated data indefinitely

8.3 Inactive Accounts

We may delete accounts that have been inactive for an extended period after providing notice.

8.4 Legal Requirements

We may retain certain information longer if required by law or for legitimate business purposes (e.g., fraud prevention, dispute resolution).

9. Your Rights

Depending on your location, you may have the following rights:

9.1 Access

You can request a copy of the personal data we hold about you.

9.2 Correction

You can request correction of inaccurate or incomplete data.

9.3 Deletion

You can request deletion of your personal data by deleting your account through the App or contacting us.

9.4 Data Portability

You can request your data in a structured, commonly used format.

9.5 Withdraw Consent

You can withdraw consent for:

Marketing communications (unsubscribe link in every email)
Bank connections (disconnect through the App)
Analytics (contact us to opt out)

9.6 Lodge a Complaint

You have the right to lodge a complaint with the relevant data protection authority:

Australia: Office of the Australian Information Commissioner (OAIC) — https://www.oaic.gov.au/
New Zealand: Office of the Privacy Commissioner — https://www.privacy.org.nz/
Canada: Office of the Privacy Commissioner of Canada — https://www.priv.gc.ca/
United States: Federal Trade Commission — https://www.ftc.gov/
UK: Information Commissioner's Office (ICO) — https://ico.org.uk/
EU: Your local data protection authority

To exercise any of these rights, please contact us at admin@fundflow.dev.

10. International Data Transfers

Your data may be processed in the following locations:

Australia (Supabase database, Basiq)
United States (Plaid, Sentry)
European Union (PostHog, Tink)

Where data is transferred outside your jurisdiction, we ensure appropriate safeguards are in place, including:

Standard contractual clauses approved by relevant authorities
Data processing agreements with our service providers
Compliance with applicable data protection laws

11. Children's Privacy

FundFlow is not intended for users under the age of 16. We do not knowingly collect personal information from children under 16.

If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at admin@fundflow.dev.

12. Marketing Communications

We will only send you marketing communications if you have opted in to receive them.

You can unsubscribe at any time by:

Clicking the unsubscribe link in any marketing email
Updating your preferences in the App
Contacting us at admin@fundflow.dev

We will continue to send you essential service-related communications regardless of your marketing preferences.

13. Cookies and Tracking

13.1 Mobile App

The FundFlow mobile app does not use cookies. We use PostHog for analytics, which collects usage data as described in Section 2.3.

13.2 Website (if applicable)

If you visit our website, we may use:

Essential cookies for basic functionality
Analytics cookies (PostHog) to understand how visitors use our site

You can control cookies through your browser settings.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes:

We will update the "Last Updated" date at the top of this policy
We will notify you via email or in-app notification
We may ask for your consent if required by law

We encourage you to review this policy periodically.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Email: admin@fundflow.dev

Mailing Address: FundFlow Group Pty Ltd ABN 36 694 667 386 Australia

For privacy complaints in Australia, you may also contact the Office of the Australian Information Commissioner (OAIC):

Website: https://www.oaic.gov.au/
Phone: 1300 363 992

16. Additional Information for Specific Regions

16.1 Australian Users

We comply with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs). We are committed to handling your personal information in accordance with these standards.

While FundFlow is not directly accredited under the Consumer Data Right (CDR), our Australian bank aggregator partner (Basiq) is an accredited data recipient, ensuring your CDR data is handled appropriately.

16.2 New Zealand Users

We comply with the New Zealand Privacy Act 2020 and the Information Privacy Principles. You have the right to access your personal information, request corrections, and lodge complaints with the Office of the Privacy Commissioner.

16.3 United States Users

We comply with applicable US federal and state privacy laws. For California residents, see Section 16.7 below for CCPA-specific rights.

16.4 Canadian Users (PIPEDA)

We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). Canadian users have the right to:

Access their personal information held by FundFlow
Challenge the accuracy and completeness of their information
Withdraw consent for the collection, use, or disclosure of their information
Lodge complaints with the Office of the Privacy Commissioner of Canada

16.5 United Kingdom Users (UK GDPR)

If you are located in the United Kingdom, you have rights under the UK General Data Protection Regulation and the Data Protection Act 2018:

Legal Basis: We process your data based on contractual necessity (to provide the service), legitimate interests (to improve our service), and consent (for marketing).
Right to Object: You may object to processing based on legitimate interests.
Automated Decision-Making: We do not engage in automated decision-making that produces legal effects.
Complaints: You may lodge a complaint with the Information Commissioner's Office (ICO).

16.6 European Union Users (GDPR)

If you are located in the European Union, you have additional rights under the General Data Protection Regulation (GDPR):

Legal Basis: We process your data based on contractual necessity (to provide the service), legitimate interests (to improve our service), and consent (for marketing).
Data Protection Officer: For GDPR-related inquiries, contact admin@fundflow.dev.
Right to Object: You may object to processing based on legitimate interests.
Automated Decision-Making: We do not engage in automated decision-making that produces legal effects.

16.7 California Users (CCPA)

California residents have the right to:

Know what personal information is collected
Know if personal information is sold or disclosed
Say no to the sale of personal information (we do not sell personal data)
Access their personal information
Equal service and price, regardless of privacy choices

This Privacy Policy is effective as of 1 February 2026.