
Last updated · 6 May 2026

Privacy Policy

How we collect, use, and look after your data. Plain English. If you'd like to exercise any of your data-protection rights, email privacy@fincanvas.co.uk.

1. Who's responsible for your data

FinCanvas is operated by [INSERT COMPANY NAME] (company number [INSERT COMPANIES HOUSE NUMBER], registered at [INSERT REGISTERED ADDRESS]). We are the data controller for personal data you give us when you sign up and use the service.

For data your team enters about your own customers (e.g. client names, addresses, line items on a quote), your organisation is the controller and we are the processor — we hold and process that data on your behalf so we can power FinCanvas for you.

2. What we collect

We collect three categories of personal data:

  • Account data — your email address, name, the workspace name you give us, and (for Google/Microsoft sign-in) a verified email address from those providers. We don't store your password — Supabase Auth handles that and stores only a hash.
  • Workspace content — events, quotes, line items, client records, blueprints, and section templates you create inside FinCanvas. Some of this is personal data about your customers (their names, addresses, contact details). We process this on your behalf as your processor.
  • Technical data — IP address, browser type, pages visited, error reports, and security events (sign-ins, failed sign-ins, password resets). Used for security, debugging, and to keep the service working.

3. Why we use your data

We use your data to provide FinCanvas: authenticating you, showing you your workspace, generating quotes and PDFs, sending transactional emails (welcome, password reset, billing), and keeping the service secure.

We also use minimal aggregated/anonymous usage data to improve the product — for example, knowing how often a feature is used helps us decide what to invest in next. We don't sell your data and we don't run third-party advertising on the service.

Lawful bases (UK GDPR Article 6): we rely on contract (to provide the service you've subscribed to), legitimate interests (security monitoring, service improvement), and legal obligation (tax records, fraud prevention).

4. Who we share it with

We use a small number of trusted infrastructure providers to deliver FinCanvas. Each one is bound by data-processing terms and only processes data in line with our instructions:

  • Supabase — authentication and database hosting (EU region). Stores your account, workspace data, and session cookies.
  • Cloudflare — application hosting (Workers) and edge networking. Sees IP addresses and HTTP requests.
  • Stripe — billing and payments. Sees your name, email, billing address, and card details (we never see or store your card number; Stripe handles that PCI-compliantly).
  • Sentry — error monitoring (EU region). Receives error stack traces, browser type, and the route the error happened on. Sentry's "Personally Identifiable Information" filter is enabled, so emails and other identifiers are scrubbed where possible.
  • Resend — transactional email delivery (used for any email FinCanvas sends you that isn't from Supabase or Stripe directly). Receives the recipient address and the email contents.

We may also share data when legally required (e.g. responding to a court order or a regulator's request), or to protect the security of the service and our users.

5. International transfers

Most of our processors are in the UK or EU. Some (Stripe, Cloudflare, Sentry) operate globally, which can mean data leaves the UK/EEA. Where that happens, we rely on the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, or an adequacy decision — whichever the processor's data-processing terms specify.

6. How long we keep it

Account data: as long as your workspace is active, plus 60 days after cancellation (read-only access), plus a further period to comply with statutory record-keeping (typically 6 years for tax / contract purposes).

Workspace content: for as long as your subscription is active. After cancellation, your workspace becomes read-only for 60 days, then is archived. You can request earlier deletion at any time — see Your rights below.

Security events (sign-ins, failed sign-ins, admin actions): retained for at least 12 months to support incident investigation.

7. Your rights

Under the UK GDPR you have the following rights, and you can exercise any of them by emailing privacy@fincanvas.co.uk:

  • Access — get a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — ask us to delete your account and its data. We'll do so unless we're required to keep it for legal/tax reasons.
  • Restriction — ask us to stop processing certain data.
  • Portability — get a machine-readable export of the data you've put into FinCanvas. The quote PDFs and CSV export already give you most of this; ask us if you need more.
  • Objection — object to processing based on legitimate interests.

We aim to respond to data-rights requests within 30 days. If you're unhappy with how we've handled your data, you have the right to complain to the UK's Information Commissioner's Office at ico.org.uk.

8. Security

We protect your data with: encryption in transit (HTTPS everywhere), encryption at rest at the database layer, strict role-based access control, audit logging of admin actions, and routine security review. No system is 100% secure — if we ever discover a breach affecting your data, we'll notify you without undue delay (and in any case within the 72-hour window required by UK GDPR Article 33).

9. Cookies

FinCanvas uses a small number of strictly-necessary cookies to keep you signed in and remember your settings. We don't use advertising or third-party analytics cookies. Stripe sets its own cookies on the checkout page when you upgrade — those are governed by Stripe's privacy notice.

10. Children

FinCanvas is a B2B tool not intended for children under 16. We don't knowingly collect data from anyone under 16; if you believe a child has signed up, email privacy@fincanvas.co.uk and we'll delete the account.

11. Changes to this policy

We may update this policy from time to time. Material changes will be notified by email. Continued use of FinCanvas after the notice constitutes acceptance of the updated policy.

12. Contact

For any privacy / data-protection question, email privacy@fincanvas.co.uk. For billing or refund queries, see our Terms of Service or email billing@fincanvas.co.uk.