Privacy policy

Version 2.0 · Last updated 7 June 2026

Who we are

Finium is a product of Mayfair Labs Ltd, a company registered in England and Wales (company number 17225417), with its registered office at 105 High Street, Brentwood, Essex, CM14 4RR. Mayfair Labs Ltd is the data controller for personal information processed through the Finium platform, and is registered with the UK Information Commissioner's Office (ICO) under registration number [ICO registration number pending] (registered [registration date pending]).

What this policy covers

This policy covers the Finium platform as a whole — the marketing website at finium.io, the web application at app.finium.io, and the Finium iOS and Android apps (together, "the Service"). Where a specific surface behaves differently (for example, cookies on the marketing website vs. consent in the mobile apps), we say so.

The marketing website (finium.io)

Our servers and service providers may process technical information such as IP address, browser type, device identifiers, and pages viewed. We may also store small text files (cookies) or use similar technologies to remember preferences and measure performance.

Product analytics on this website is opt-in. If you accept analytics in the cookie banner, we load Google Tag Manager to understand how visitors use the site. If you reject analytics or choose "Essential only", no analytics tags are loaded and no identifiers are sent. Choices align with Google Consent Mode v2.

The Finium app (web and mobile)

When you sign in to Finium, we process the account, financial and uploaded information you provide so we can deliver the Service. Sensitive financial data is encrypted in transit and at rest, kept logically separated between users, and accessed internally on a least-privilege basis. We do not sell your data and we do not use it to train foundation models.

UK current accounts connect through an FCA-regulated Open Banking provider. The connection is read-only — Finium cannot move money. Your online banking credentials stay with the regulated provider and are not stored by Finium. You can revoke a bank connection at any time from inside the app.

Product analytics inside the app is opt-in and off by default. You can toggle it in Settings → Privacy. The detailed in-app privacy notice — including consent records, sub-processors, cookies set by the app, and your data-subject rights — is available inside the Service and applies in addition to this page.

Our lawful bases for processing

Under the UK GDPR and the EU GDPR we must have a lawful basis for every use of your personal data. Depending on what we are doing, we rely on one of the following:

  • Performance of a contract (Art. 6(1)(b)): to create and run your account, deliver the core Service, analyse the statements you upload, and provide the financial insights you sign up for.
  • Consent (Art. 6(1)(a)): to connect to your bank through Open Banking, to load optional product-analytics and advertising-related cookies, and to send you marketing communications. You can withdraw consent at any time; doing so does not affect processing carried out before you withdrew it.
  • Legitimate interests (Art. 6(1)(f)): to keep the Service and your account secure, detect and prevent fraud, and improve and develop the Service. We weigh these interests against your rights, and you can object at any time (see Your choices and rights).
  • Legal obligation (Art. 6(1)(c)): to meet tax, accounting, anti-fraud and other regulatory record-keeping requirements, including records arising from payments handled by our merchant of record, Stripe.

How long we keep your data

We keep personal data only for as long as we need it for the purposes above, or for as long as the law requires. The table below summarises our main retention periods.

| Data | How long we keep it |
| --- | --- |
| Account and profile data | For the life of your account, then deleted within 30 days of closure — except where we must keep financial records for up to 6 years under UK financial record-keeping rules. |
| Bank statements and transaction data | For the life of your account. On closure, deleted within 30 days unless needed for legal, tax or dispute-resolution reasons (maximum 6 years). |
| AI processing and audit logs | Retained for up to 12 months to support security, fraud prevention, service improvement, troubleshooting, regulatory compliance, and investigation of customer-reported issues. |
| Consent and terms-acceptance records | 6 years, as evidence that consent was given. |
| Marketing records | Until you withdraw consent, plus up to 6 months to honour your opt-out. |
| Support messages | Up to 3 years after your last contact with us. |
| Subscription, payment and refund records | Up to 6 years, to comply with UK tax and accounting obligations. |
| Application and security logs | Up to 90 days on a rolling basis. |
| Encrypted backups | Retained on a rolling basis for up to 35 days, then overwritten automatically. |

Where data is subject to a legal hold (for example, ongoing litigation or a regulatory investigation), we pause deletion until the hold is lifted.

International data transfers

We store the bulk of your data in the UK and EU region (AWS London, eu-west-2). Some of the providers that help us run the Service operate globally, so some data may be processed outside the UK or EEA. Our main sub-processors are:

  • Amazon Web Services — hosting, storage, databases, email and AI model hosting (UK/EU region where possible).
  • TrueLayer — FCA-regulated Open Banking provider (UK).
  • Auth0 (Okta, Inc.) — identity and authentication (US, with EU region options).
  • Google — corporate email and website analytics tooling (EU/US).
  • Stripe — payments and billing, as our merchant of record.

Where data leaves the UK or EEA, we rely on an appropriate safeguard recognised under the UK GDPR and EU GDPR, namely:

  • an adequacy decision by the UK Government or the European Commission;
  • the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses;
  • EU Standard Contractual Clauses (SCCs), with additional safeguards where needed; or
  • a provider's Binding Corporate Rules, where applicable.

We keep an up-to-date list of our sub-processors and the transfer safeguards in place, and can provide it on request at contact@finium.io.

Cookies and similar technologies

On the marketing website we use cookies and similar technologies in the following categories:

  • Strictly necessary: required for the site to work, including remembering your cookie choices. These are always on and do not need consent. Retained for up to 12 months.
  • Product analytics: optional. If you accept, we load Google Tag Manager / Google Analytics to understand how visitors use the site. Retained for up to 24 months.
  • Marketing / advertising: optional. Used to measure and improve campaigns, in line with Google Consent Mode v2. Retained for up to 12 months.

Analytics and marketing cookies stay off until you opt in. You can change or withdraw your choices at any time using the cookie banner on the website, in Settings → Privacy inside the app, or through your browser settings — withdrawing consent is as easy as giving it.

For the full list of the cookies we set and how long they last, see our Cookie Policy.

Payments

Finium subscriptions are sold and billed via our merchant of record, Stripe, on app.finium.io. Stripe processes the payment information you enter at checkout and is the data controller for that information; their privacy notice applies to the payment transaction. We receive a record of the subscription, status and amount — but not your full card details.

Your choices and rights

You can use the cookie banner on the marketing website to accept all, reject all, or adjust product analytics and advertising-related categories independently. Inside the app, you can manage analytics and advertising-related consent at any time from Settings → Privacy. You can also control cookies through your browser settings.

Depending on where you live, you have statutory rights over your personal data. Under the UK GDPR and EU GDPR these include the right to: be informed about how we use your data; access a copy of it; have inaccurate data corrected; have your data erased; restrict or object to certain processing; and receive your data in a portable, machine-readable format. Where we rely on consent, you can withdraw it at any time. To exercise any of these rights, email contact@finium.io — we may ask you to verify your identity and will respond within the time allowed by law (usually one month).

We do not make decisions about you that produce legal or similarly significant effects through solely automated means. Our AI features (such as transaction categorisation and insights) are assistive — you can always review, change or dismiss them.

If you are unhappy with how we handle your data, please contact us first so we can put it right. You also have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk, or to your local supervisory authority in the EU.

Contact

Privacy questions: contact@finium.io.