Legal

Privacy Policy

This policy explains how Finflo collects, uses, stores, and protects your personal information when you use our document processing service.

Last updated: February 2026

Introduction

Finflo ("we", "our", or "us") operates the Finflo document processing platform available at app.finflo.au (the "Service"). This Privacy Policy describes how we collect, use, and share information about you when you use our Service.

By using Finflo, you agree to the collection and use of information in accordance with this policy.

Information We Collect

Information You Provide

  • Account Information: Name, email address, and password when you create an account.
  • Documents: PDF files you upload for processing. These may contain personal or sensitive information.
  • Templates: The extraction templates and schemas you create to define what data to extract.
  • Support Communications: Any information you provide when contacting us for support.

Information Collected Automatically

When you use our Service, we automatically collect certain information:

  • Usage Data: Information about how you interact with our Service, including pages visited, features used, and actions taken.
  • Device Information: Browser type, operating system, and device type.
  • Log Data: IP address, access times, and referring URLs.
  • Cookies: We use essential cookies for authentication and session management. See the Cookies section below for more details.

About Your Documents

The documents you upload may contain personal information about third parties (such as customer data, employee records, or financial information). You are responsible for ensuring you have the right to upload such documents and that doing so complies with applicable privacy laws.

How We Use Your Information

We use the information we collect to:

Provide and Improve Our Service

  • Process your documents and extract structured data
  • Manage your account and provide customer support
  • Maintain and improve the performance, security, and functionality of our Service
  • Analyse usage patterns to improve user experience
  • Debug and fix technical issues

Communicate With You

  • Send transactional emails (account verification, password resets, extraction notifications)
  • Respond to your enquiries and support requests
  • Send important service announcements and updates
  • With your consent, send product updates and marketing communications

Ensure Security and Compliance

  • Detect, prevent, and address fraud, abuse, or security issues
  • Enforce our Terms of Service
  • Comply with legal obligations
  • Maintain audit logs of automated data deletion for compliance

What We Don't Do

  • We do not sell your personal information to third parties
  • We do not use your documents to train AI models
  • We do not share your documents or extracted data with other users
  • We do not use your data for targeted advertising

Data Sharing & Third Parties

We share your information only in the following circumstances:

Service Providers

We use trusted third-party service providers to operate our Service. These providers only have access to the information necessary to perform their specific functions and are contractually obligated to protect your data.

ProviderPurposeData Shared
NorthflankApplication hosting, database & cache (Australia)All application data
Google CloudFile storage (Australia) & AI processingUploaded documents, extracted data
CloudflareDNS, DDoS protection & Web Application FirewallNetwork traffic metadata, IP addresses
SentryError monitoring & performance trackingError logs, performance data (no document content)

Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency), including to:

  • Comply with a legal obligation
  • Protect and defend our rights or property
  • Prevent or investigate possible wrongdoing
  • Protect the personal safety of users or the public

With Your Consent

If your information needs to be shared for any other reasons, we will reach out for your explicit consent before complying with the request.

Data Storage & Security

We take the security of your data seriously and implement appropriate technical and organisational measures to protect it.

Where Your Data Is Stored

  • Application, Database & Cache: Hosted on Northflank's infrastructure in the Australian region for data residency compliance
  • File Storage: Google Cloud Storage with servers in Australia
  • Network Edge: Cloudflare for DNS, DDoS protection, and Web Application Firewall (WAF)

Security Measures

  • All data encrypted in transit using TLS 1.2/1.3
  • All data encrypted at rest using AES-256
  • Secure password hashing (Argon2)
  • Cloudflare WAF for protection against OWASP Top 10 threats
  • Cloudflare DDoS mitigation at the network edge
  • Continuous security scanning via Aikido Security (SAST, SCA, secrets detection)
  • Dynamic application security testing via OWASP ZAP
  • Real-time error tracking and monitoring via Sentry
  • Access controls and authentication requirements

For more details about our security practices, please see our Security page.

Our Commitment to Security

We take the protection of your data seriously and follow industry-standard practices to safeguard it. All core infrastructure is hosted in Australia for data sovereignty compliance. While no online service can guarantee absolute security, we are committed to transparency and will promptly notify affected users if a security incident were ever to occur.

Data Retention

We follow a data minimisation approach, retaining your information only for as long as necessary to provide our Service. Document data is subject to automated deletion to reduce the window of exposure for sensitive information.

Data TypeRetention Period
Uploaded PDF documentsAutomatically deleted every 7 days
Extraction output filesAutomatically deleted every 7 days
Extraction JSON dataAutomatically deleted every 7 days
Account informationUntil you delete your account
TemplatesUntil you delete them or your account
Deletion audit logsRetained for compliance purposes
Server logs30 days
Database backups7 days (rolling)

Automated PII Deletion

A scheduled background process runs every 7 days to permanently delete uploaded PDF files, extraction output files from cloud storage, and extraction JSON data from our database. An audit log of all deletion events is maintained for compliance and accountability. This approach follows the data minimisation principle recommended by the Australian Privacy Act and GDPR.

When you delete data or your account, we will remove your information from our active systems. Some information may persist in backups for a limited period before being permanently deleted.

Your Rights

Depending on your location, you may have certain rights regarding your personal information. We are committed to honouring these rights for all users.

Right to Access

You can request a copy of the personal information we hold about you.

Right to Correction

You can request that we correct any inaccurate or incomplete personal information.

Right to Deletion

Document data is automatically deleted every 7 days. You can also manually delete templates and extraction data at any time. To delete your entire account and all associated data, contact us at finflo-support@finflo.au.

Right to Data Portability

You can export your extraction results to Excel format directly from the application. For a complete export of all your data, contact us.

Right to Object / Opt-Out

You can opt out of marketing communications at any time by clicking the unsubscribe link in any email or by contacting us.

Right to Complain

If you believe we have not handled your information correctly, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC) or your local data protection authority.

Exercising Your Rights

To exercise any of these rights, please contact us at privacy@finflo.au. We will respond to your request within 30 days. We may need to verify your identity before processing certain requests.

Cookies & Tracking

We use cookies and similar technologies to operate our Service. Here's what you need to know:

Essential Cookies

We use essential cookies that are strictly necessary for the Service to function. These cannot be disabled and include:

  • Session cookies: To keep you logged in and maintain your session
  • CSRF tokens: To protect against cross-site request forgery attacks

Analytics

We may use analytics tools to understand how users interact with our Service. This helps us improve the user experience. Any analytics data is aggregated and does not identify individual users.

What We Don't Use

  • Third-party advertising cookies
  • Social media tracking pixels
  • Cross-site tracking technologies

International Data Transfers

Finflo is based in Australia. All core infrastructure — including application servers, databases, caches, and file storage — is hosted in Australian data centres to ensure data residency compliance.

Some ancillary services (such as Cloudflare for network edge protection and Sentry for error monitoring) may process limited metadata outside of Australia. No document content or extracted data is stored outside Australian infrastructure.

If you are accessing our Service from outside Australia, please be aware that your information may be transferred to, stored, and processed in Australia, which may have different data protection laws than your country of residence.

Safeguards

When we transfer data internationally, we rely on:

  • Service provider contracts with appropriate data protection clauses
  • Infrastructure providers with strong security certifications (SOC 2, ISO 27001)
  • Encryption of data in transit and at rest
  • Australian-hosted infrastructure for all document data and extracted information

Children's Privacy

Finflo is not intended for use by children under the age of 18. We do not knowingly collect personal information from children under 18.

If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information as quickly as possible. If you believe we may have information from or about a child under 18, please contact us at privacy@finflo.au.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

When we make changes:

  • We will update the "Last updated" date at the top of this policy
  • For significant changes, we will notify you by email or through a notice on our Service
  • We encourage you to review this policy periodically

Your continued use of the Service after any changes indicates your acceptance of the updated policy.

Contact Us

If you have questions about this Privacy Policy, your data, or your rights, please contact us:

Privacy Inquiries

privacy@finflo.au

Security Issues

security@finflo.au