Privacy Policy

Last updated: 21 April 2026

Introduction

FinTagger ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our personal finance management application.

We are based in New Zealand, comply with the New Zealand Privacy Act 2020, and follow best practices for data protection.

Information we collect

Account information

  • Email address (via waitlist signup)
  • Name and email address (via email signup or Google Sign-In)
  • Profile picture (from your Google account)
  • Account preferences and settings

Financial data (manual entry)

  • Transactions you manually create
  • Categories and tags you define
  • Recurring payment schedules

Bank data (via Akahu)

If you choose to connect a supported bank account through Akahu, we access:

  • Bank account names and balances (read-only)
  • Transaction history including dates, amounts, and descriptions
  • Merchant information where available

Important: We never receive or store your bank login credentials. Authentication happens directly with your bank through Akahu's secure platform. We only have read-only access and cannot make payments or transfers.

How we use your information

  • To provide and maintain the FinTagger service
  • To display your financial transactions and account balances
  • To categorise and tag transactions for budgeting insights
  • To notify you when access opens if you join the waitlist
  • To send notifications about recurring payments
  • To improve our service based on usage patterns
  • To respond to your support requests

Data storage and security

We implement industry-standard security measures to protect your data:

  • All data is encrypted in transit using TLS/SSL
  • Sensitive tokens are encrypted at rest using AES-256-GCM encryption
  • Sessions are authenticated with short-lived access tokens sent over HTTPS in the Authorization header — never persisted in browser storage accessible to third-party scripts
  • Sessions automatically time out after a configurable period of inactivity (15 minutes by default)

Data retention

We retain your data only as long as necessary to provide our services. Concrete windows:

  • Account and transaction data is retained while your account is active.
  • When you disconnect a bank, the access token is revoked with Akahu and the encrypted token is deleted immediately.
  • If a bank remains disconnected for 90 days and you have not reconnected, your account and all associated data are automatically erased.
  • When you request account deletion (email [email protected]), everything is erased: bank tokens are revoked with Akahu, all transactions, tags, recurring payments and preferences are deleted, and your authentication record is removed. An audit row (hashed email only, no cleartext) is retained for 7 years for regulatory reconstruction.
  • Security logs (webhook idempotency, session activity) are kept for 30 days.

Third-party services

Akahu

We use Akahu to securely connect to supported banks, with current live coverage focused on New Zealand institutions. Akahu is a registered open finance provider that handles the secure connection to your bank.

View Akahu's Privacy Policy

Google Sign-In

We use Google Sign-In for authentication. We only receive your basic profile information (name, email, profile picture) and do not have access to any other Google services or data.

Analytics

We may use analytics services to understand how users interact with our application. This data is anonymised and used solely to improve the user experience.

Your rights

Under the New Zealand Privacy Act 2020, you have the right to:

  • Access your personal information (email [email protected] — we respond within 20 working days).
  • Request correction of inaccurate information (in-app for tags and notes; for bank-sourced data we forward requests to your bank via Akahu).
  • Disconnect your bank account at any time from Settings → Bank Connection.
  • Request deletion of your account and all associated data by emailing [email protected]. We complete deletion within 20 working days; it is irreversible.
  • Complain to the Office of the Privacy Commissioner if you believe we have mishandled your information.

Data sharing

We do not sell, trade, or rent your personal information to third parties. We may share data only in the following circumstances:

  • With service providers who assist in operating our service (under strict confidentiality)
  • If required by law or legal process
  • To protect our rights or the safety of users

Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date.

Contact us

If you have questions about this Privacy Policy or our data practices, please contact us at [email protected].