Privacy Policy

Effective date: June 1, 2026

FinStack ("we", "us", "our") operates the FinStack developer platform at finstack.sh. This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information.

1. Information We Collect

Account Information

When you create a FinStack account, we collect your email address, organization name, and a hashed password or passkey credential. We never store plaintext passwords — credentials are hashed with Argon2id.

API Usage Data

We collect structured logs of API calls made using your API keys, including: request timestamps, endpoint paths, HTTP response codes, request volume, and error rates. We do not log request or response bodies unless you have explicitly enabled debug logging for a key.

Payment and Financial Data

FinStack is a payment infrastructure platform. When you use our Payment primitive, cardholder data is processed by PCI-compliant upstream processors (Stripe, Adyen). FinStack stores only tokenized references — we never store raw card numbers, CVVs, or full PANs.

Technical Data

We collect IP addresses, user-agent strings, and browser metadata when you access the dashboard. This data is used for fraud prevention and session security.

2. How We Use Your Information

3. Data Sharing

We do not sell your data. We share data only with:

4. Data Retention

Account data is retained while your account is active and for 90 days after deletion. API logs are retained for 90 days in hot storage and up to 7 years in cold archive for financial compliance purposes. Payment records may be retained longer as required by applicable financial regulations.

5. Your Rights

Depending on your jurisdiction, you may have rights to:

To exercise these rights, email privacy@finstack.sh.

6. Security

We implement industry-standard security controls: TLS 1.3 in transit, AES-256 at rest for credentials, Argon2id for API key hashing, row-level security enforcing tenant isolation at the database layer, and SOC 2-aligned operational controls.

7. Cookies

The FinStack dashboard uses a single, HTTP-only session cookie to maintain your authenticated session. We do not use third-party tracking cookies or advertising cookies.

8. International Transfers

FinStack operates infrastructure in the United States (Fly.io us-east, Neon us-east-1). If you access the platform from outside the US, your data is transferred to and processed in the United States.

9. Changes to This Policy

We will notify you of material changes via email and update the effective date above. Continued use after the effective date constitutes acceptance.

10. Contact

Privacy inquiries: privacy@finstack.sh
General: hello@finstack.sh
FinStack · 1 Embarcadero Center · San Francisco, CA 94111