Privacy Policy
Last Updated: July 8, 2025
1. Categories & Sources of Personal Data
1.a. Categories of Personal Data Collected
- Identifiers & Account Info:
  - Full name
  - Email address
  - Account creation date
  - Last login timestamp
- Financial Data:
  - Transaction details (type, date, description)
  - Transaction amounts
  - Invoice data (invoice number, line-items, totals)
  - Currency preference
- Device & Usage Data:
  - Device identification (mobile, tablet, desktop)
  - Cookies and session tokens
- AI Interaction Data:
  - Inputs and prompts sent to the OpenRouter AI
  - AI responses used to generate insights
1.b. How We Collect This Data
- Directly from You:
  - Sign-Up & Profile Forms — when you register, update your profile, or change settings, we collect your name, email, password (hashed), and currency preference.
  - Receipt & Invoice Uploads — when you upload receipts or create invoices, we collect the file and extracted data.
- Automatically via Technology:
  - Cookies & LocalStorage — we use cookies to maintain your session (session cookie), remember UI preferences (preferences, ui_state), and track analytics (analytics cookie).
  - Device Detection — we infer device type (phone, tablet, desktop) from browser user-agent strings.
- From Third-Party Services:
  - OpenRouter (Qwen API) — when you use AI features, we send your transaction/invoice data to OpenRouter. You control which data is sent at time of use.
  - Payment Processor (Paddle) — we share your email and subscription details with Paddle for billing and plan management.
2. Purposes & Legal Basis of Processing
Below we explain why we collect each category of your personal data ("Purpose") and under which lawful basis we process it ("Legal Basis").
Data Category | Purpose | Legal Basis |
---|---|---|
Name, Email, Account Creation Date, Last Login | • Create and manage your user account • Authenticate logins and secure your session • Provide customer support and service notices | Performance of a contract |
Currency Preference | • Display all amounts, invoices, and AI insights in your chosen currency | Legitimate interests |
Transaction & Invoice Data | • Deliver Fisca's core finance-tracking service: logging, reporting, and analytics | Performance of a contract |
Device Identification | • Optimize the user interface for your device type • Enhance security (detect anomalies) | Legitimate interests |
Cookies & LocalStorage Data | • Maintain your session (session cookie) • Remember UI settings (preferences, ui_state) • Collect anonymized analytics (analytics cookie) | Necessary for legitimate interests (service functionality, analytics) |
AI Data sent to OpenRouter | • Generate AI-powered insights, forecasts, and budget suggestions based on your data | Your consent (provided when you invoke AI features) |
Payment Processor Data (Paddle) | • Manage your subscription, billing, and plan upgrades | Performance of a contract |
- Performance of a contract: We process your data to fulfill our service agreement with you (e.g., account creation, finance tracking, subscription management).
- Legitimate interests: We process data to operate and improve Fisca (e.g., UI optimization, currency conversions, anonymized analytics) in a way you would reasonably expect.
- Consent: For AI features, you explicitly consent before we send your data to the third-party AI service (OpenRouter). You can withdraw this consent at any time via your cookie settings or by discontinuing AI features.
3. Data Sharing & Third Parties
We never sell your data. We only share it with trusted service providers who help us run and improve Fisca.
Recipient | Data Shared | Purpose |
---|---|---|
Supabase | • Name, email, password hash, tier, transaction & invoice records | • Authentication, data storage & real-time sync |
OpenRouter (Qwen API) | • Transaction & invoice data or aggregates you submit to AI | • Generating AI insights, forecasts, and budget plans |
Paddle | • Email, subscription plan, billing info | • Processing payments, managing subscriptions |
Analytics Provider (e.g., Google Analytics, PostHog) | • Anonymized usage events (page views, feature usage) | • Improving the product, monitoring performance |
Email Service (e.g., SendGrid) | • Email address | • Delivering account notifications, receipts, support replies |
Browser Vendors | • Cookie/session data | • Essential for session security and UI preferences |
How we limit sharing:
- We only send the minimum data each provider needs.
- All third parties are contractually bound to use your data only for the purposes above.
4. Data Retention & Deletion
How long we keep your data:
Data Category | Retention Period |
---|---|
Account Information | While your account remains active. If you delete your account, all related data is permanently erased immediately. |
Transactions & Invoices | Erased immediately upon account deletion. You may also delete them manually at any time. |
AI Interaction Logs | Not retained by Fisca. Note: OpenRouter (Qwen) may store AI queries according to their own policies. |
Payment Records | Erased immediately upon account deletion (unless local regulations require retention—if applicable, we will notify you). |
Support Messages | Erased immediately upon account deletion. |
Cookies & Local Storage | Remain in your browser until you clear them or they expire (typically 1 year). |
Your deletion rights:
- You can delete your account anytime in your profile settings or by emailing support@fisca.app.
- Once you delete your account, all related records are removed immediately from our systems.
- AI queries may still be stored by OpenRouter; we encourage you to review their privacy policy for details.
5. Your Rights & How to Exercise Them
Depending on where you live, you may have rights over your personal data. Fisca respects and supports these rights, which include:
• Access
You can request a copy of the personal data we hold about you.
• Correction
You can correct inaccurate or incomplete data in your profile at any time.
• Deletion
You can delete your account and all associated data instantly in your account settings or by contacting us.
• Objection
You can object to our processing of your data when we rely on a legitimate interest (such as service improvements).
• Restriction
You can ask us to temporarily stop processing your data while we review a request or concern.
• Data Portability
You can request your data in a machine-readable format for use elsewhere.
How to exercise your rights:
Just email us at support@fisca.app with your request. For your security, we may need to verify your identity before we process it.
6. How We Protect Your Data
We take the security of your information seriously. Fisca uses a combination of technical and organizational measures to protect your data, including:
• Encryption
- Passwords are stored hashed using secure industry standards (e.g., bcrypt).
- Data in transit and at rest is encrypted using the encryption methods provided by our cloud infrastructure partner (Supabase).
• Access Controls
- Only authorized personnel have access to systems containing your data.
- Role-based access permissions help limit exposure.
• Data Isolation
- Each account's data is logically separated within our databases.
• Incident Response
- We maintain processes to detect, respond to, and resolve security incidents.
• Retention & Deletion
- If you delete your account, all your personal data is permanently removed from Fisca's systems without recovery options.
- AI interactions processed by OpenRouter (Qwen) may be retained by them under their own policies.
While we strive to protect your data, no system can be guaranteed 100% secure. If you have reason to believe your account or interaction with Fisca is no longer secure, please contact us immediately at support@fisca.app.
7. International Data Transfers
Fisca is operated from Kuwait, but some of our service providers and infrastructure partners may be located in other countries. This means that your data may be transferred to—and processed in—countries outside your own, which may have different data protection laws.
Where we transfer your personal data internationally, we take reasonable steps to ensure an adequate level of protection, including:
- Using Supabase, a reputable cloud provider with robust security and compliance practices.
- Transmitting data securely over encrypted channels (HTTPS).
- Ensuring that third-party services we integrate (e.g., OpenRouter for AI insights) follow lawful data handling procedures and provide sufficient safeguards.
By using Fisca, you consent to the transfer of your information to countries outside your jurisdiction, including countries that may not provide the same level of data protection as your home country.
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
a. Access
You have the right to request access to the personal data we hold about you.
b. Rectification
If you believe any of your information is inaccurate or incomplete, you have the right to request correction.
c. Deletion
You may request deletion of your account and associated data at any time. Fisca will permanently erase all user-related data from our systems immediately upon account deletion.
d. Data Portability
You may request a copy of your personal data in a structured, commonly used, and machine-readable format.
e. Objection or Restriction
In some cases, you may object to or request the restriction of processing your data, particularly in relation to analytics or marketing activities.
To exercise any of these rights, contact us at support@fisca.app. We will respond to all requests in accordance with applicable laws and within a reasonable timeframe.
9. Data Retention
Fisca retains your personal data only for as long as necessary to provide the services and fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Specifically:
- Account Information: Retained while your account is active. Upon account deletion, all associated personal data is permanently erased from our systems.
- Transaction and Invoice Records: Retained until you delete your account or request deletion of specific records.
- AI Interaction Data: Not stored by Fisca. Please refer to OpenRouter's and Qwen's privacy policies for details about their retention practices.
- Cookies and Local Storage: Persist until you clear them manually, or automatically expire based on their configured lifespan (generally up to 1 year).
- Support Communications: Retained for a reasonable period to resolve disputes, enforce agreements, or as required by applicable law.
If you have questions about specific retention periods, please contact support@fisca.app.
10. International Data Transfers
Fisca operates primarily in Kuwait. However, some of the services and processors we rely on (such as Supabase, OpenRouter, and Qwen) may store or process your data on servers located in other countries. This means your personal data may be transferred to—and maintained on—computers located outside your country or jurisdiction, where privacy laws may differ.
Whenever we transfer personal data internationally, we take steps designed to protect your information in accordance with this Privacy Policy, such as:
- Using data processing agreements with appropriate safeguards;
- Requiring vendors to implement robust security measures and comply with applicable data protection laws;
- Transferring data only to countries that provide adequate levels of data protection, or using approved legal mechanisms (e.g., Standard Contractual Clauses).
By using Fisca, you consent to your information being transferred to and processed in locations outside your country of residence.
If you have questions about specific transfer safeguards, please contact support@fisca.app.
11. Your Rights
Depending on your location and applicable data protection laws, you may have certain rights regarding your personal data. These can include:
- Access: You can request a copy of the personal data we hold about you.
- Correction: You can ask us to correct inaccurate or incomplete information.
- Deletion: You can request deletion of your account and related data at any time. Once deletion is confirmed, data is permanently removed from our systems.
- Objection and Restriction: You can object to or request that we restrict certain processing activities (such as direct marketing).
- Portability: You may request a copy of your data in a machine-readable format.
- Withdrawal of Consent: Where processing is based on consent, you can withdraw it at any time.
To exercise any of these rights, please contact support@fisca.app. We may need to verify your identity before processing your request.
Please note that some rights may be limited, for example, if fulfilling your request would adversely affect other individuals or if we are legally required to retain certain information.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features.
When we make material changes, we will notify you by:
- Posting a notice within the Fisca application, and/or
- Sending an email to your registered address (if applicable).
The date of the most recent update will always appear at the top of this Policy.
We encourage you to review this Policy periodically. Continued use of Fisca after any changes become effective will constitute your acceptance of those changes.