Privacy Policy
Last updated: June 19, 2026
1. Introduction
Fibal ("we," "our," or "us") operates the Fibal website and mobile application (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
By using the Service, you agree to the collection and use of information in accordance with this policy and our Terms of Service. If you do not agree with the terms of this policy, please do not access the Service.
2. Information We Collect
Personal Information
When you create an account, we collect information you provide directly:
- Name (first and last)
- Email address
- Password (stored as a bcrypt hash — we never store plaintext passwords)
Financial Information
To provide the Service, we store financial data you enter manually:
- Account names, types, and balances
- Transaction descriptions, amounts, dates, and categories
- Budget configurations and automation rules
We do not connect to your bank or financial institution. All financial data is entered by you and stored solely within your account.
Automatically Collected Information
When you access the Service, we may automatically collect:
- IP address (used for rate limiting and security)
- Browser type and version
- Pages visited and time spent on pages
- Device type and operating system
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service
- Authenticate your identity and manage your account
- Process your financial data to generate reports, budgets, and insights
- Send transactional emails (verification, password reset, one-time passwords)
- Monitor and prevent fraudulent or unauthorized activity
- Improve and optimize the Service
- Comply with legal obligations
4. AI Assistant (Fi) and AI Sub-Processors
The Service includes an optional AI assistant branded "Fi." Fi is powered by third-party AI providers, and it is only enabled after you review an in-app disclosure and provide your consent. You can review what is shared, or withdraw your consent, at any time in Settings.
What is shared with AI providers
When you use Fi, only the limited information needed to answer your request is transmitted to the AI provider, namely:
- Aggregated figures — summaries and totals — for general chat and financial questions. Individual transaction details are not included.
- For CSV statement reconciliation, only the amounts and dates of transactions are sent. Merchant descriptions and the uploaded file itself are processed on your device and are never sent to or stored by the AI provider.
Who the AI providers are
We use one or more of the following providers to process AI requests. Each acts as a sub-processor under its applicable data processing and API terms:
- OpenAI — see openai.com/policies/privacy-policy
- Anthropic — see anthropic.com/legal/privacy
These providers do not train their models on data we submit through their commercial APIs. Data sent for AI processing is used only to generate a response to your request.
Fi uses generative AI and may produce inaccurate or incomplete information. Its responses are informational only and are not financial, investment, tax, or legal advice. Always verify important figures before relying on them.
5. Cookies and Tracking
Essential Cookies
We use a session cookie to authenticate you after login. This cookie is HTTP-only, secure, and required for the Service to function. It expires after 30 days of inactivity.
Analytics Cookies
With your consent, we use Google Analytics to understand how users interact with the Service. These cookies are only set after you accept our cookie consent banner. You can decline analytics cookies at any time, and we will remove any existing analytics cookies from your browser.
No Third-Party Advertising
We do not use advertising cookies or share your data with advertising networks.
6. Data Storage and Security
Your data is stored in a PostgreSQL database. We implement industry-standard security measures to protect your information:
- Passwords are hashed using bcrypt
- Session tokens are hashed using HMAC-SHA256
- All connections are encrypted via HTTPS/TLS
- Account lockout after repeated failed login attempts
- Rate limiting on authentication and API endpoints
While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
7. Data Sharing and Disclosure
We do not sell, trade, or rent your personal information to third parties. We may share information only in the following circumstances:
- Service providers: We use third-party services (email delivery, hosting, analytics, and AI processing) that process data on our behalf under strict confidentiality agreements. AI processing is described in Section 4.
- Legal requirements: We may disclose your information if required by law, regulation, legal process, or governmental request.
- Safety: We may disclose information to protect the rights, property, or safety of Fibal, our users, or others.
8. Data Retention
We retain your personal and financial data for as long as your account is active. If you delete your account, we will delete your data within 30 days, except where retention is required by law.
Session data is automatically purged after expiration (30 days). One-time passwords expire after 10 minutes.
9. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your personal data.
- Portability: Request your data in a structured, machine-readable format.
- Objection: Object to processing of your personal data for certain purposes.
To exercise any of these rights, contact us at the email address below.
10. Children's Privacy
The Service is not intended for use by anyone under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected data from a child under 13, we will take steps to delete that information promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date. Your continued use of the Service after any changes constitutes acceptance of the updated policy.
12. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us at: