Privacy Policy

Effective date: April 2026 · Last updated: April 2026

1. Introduction

Fynlo ("we", "us", "our") is committed to protecting your personal information. This Privacy Policy explains what data we collect, how we use it, and your rights in relation to it.

This policy applies to all users of app.fynlo.pro and the Fynlo API. By using Fynlo, you consent to the practices described here.

We comply with the Singapore Personal Data Protection Act 2012 (PDPA).

2. Information We Collect

Account Information

  • Name (workspace name provided at registration)
  • Email address (used for authentication, notifications, and support)
  • Password (stored as a bcrypt hash — we never store your plaintext password)

Payment Information

  • Paid subscriptions and Historical Data Pull charges are processed by Stripe.
  • We do not store your full card number, CVV, or expiry date. Stripe handles all payment data in accordance with PCI-DSS standards.
  • We store only a Stripe Customer ID and subscription status for billing purposes.

Stripe Data (via OAuth)

  • When you connect your Stripe account, we receive an OAuth access token granting read-only access to your Stripe events.
  • We access your Stripe data solely to create corresponding entries in QuickBooks. We do not read or store card details, bank account numbers, or PII of your customers beyond what is necessary for the journal entry.
  • Stripe access tokens are encrypted at rest using AES-256 encryption.

QuickBooks Online Data (via OAuth)

  • When you connect QuickBooks Online, we receive an OAuth access token granting write access to create journal entries, sales receipts, credit memos, deposits, and customers in your QBO company.
  • We do not read your existing QBO data beyond what is necessary to create new entries (e.g., looking up account IDs).
  • QBO access tokens are encrypted at rest.

Usage Data

  • Log data: IP address, request timestamps, HTTP method, response status, response time.
  • Transaction sync logs: which Stripe events were received, their processing status, and any error messages.
  • We do not use analytics SDKs or behavioural tracking tools.

3. How We Use Your Information

  • Providing the Service: processing Stripe events and creating QuickBooks entries.
  • Account management: authentication, account recovery, and security alerts.
  • Billing: processing subscription payments and Historical Data Pull charges via Stripe.
  • Transactional emails: welcome emails, sync failure alerts, billing confirmations, and reconnection notices.
  • Customer support: responding to enquiries sent to support@fynlo.pro.
  • Security: detecting and preventing fraud, abuse, and unauthorised access.
  • Legal compliance: complying with applicable laws and regulations.

We do not use your data for advertising, sell it to third parties, or use it to train AI models.

4. Data Storage & Security

  • Infrastructure: Fynlo is hosted on Railway (US East region, AWS us-east-1 under the hood).
  • Database: PostgreSQL with encrypted storage. All sensitive credentials (OAuth tokens) are encrypted at the application layer with AES-256 before being written to the database.
  • In transit: All communication between your browser and Fynlo uses TLS 1.2+.
  • OAuth tokens: Stored encrypted and never logged or exposed in responses.
  • Backups: Daily automated backups retained for 7 days.

No security system is impenetrable. If you believe your account has been compromised, contact support@fynlo.pro immediately.

5. Third-Party Services

Fynlo uses the following third-party processors to operate the service:

Provider | Purpose | Data shared
Stripe | Payment processing + connected Stripe data source | Payment method, billing email, subscription status
Intuit (QuickBooks) | Accounting target for sync entries | QBO OAuth token; entries written to your QBO company
Resend | Transactional email delivery | Your email address
Railway | Cloud infrastructure (servers, database) | All application data stored on Railway infrastructure
Better Stack | Uptime monitoring and alerting | Server health metrics; no personal data

Each provider operates under their own privacy policy and data processing agreements. We do not share data with any other third parties.

6. Data Retention

  • Active accounts: data is retained for as long as your account is active.
  • Deleted / terminated accounts: data is deleted within 30 days of account closure.
  • Transaction sync logs: retained for 90 days for debugging purposes, then purged.
  • Billing records: retained for 7 years to comply with financial regulations.
  • OAuth tokens: deleted immediately when you disconnect a Stripe or QuickBooks account.

7. Your Rights (PDPA Singapore)

Under the Singapore Personal Data Protection Act 2012, you have the following rights:

  • Right to access: request a copy of the personal data we hold about you.
  • Right to correct: request correction of inaccurate or incomplete personal data.
  • Right to withdraw consent: withdraw consent for optional data processing at any time.
  • Right to data portability: request your transaction sync history in a machine-readable format.
  • Right to deletion: request deletion of your personal data (subject to our legal retention obligations).

To exercise any of these rights, contact support@fynlo.pro. We will respond within 30 days. We may need to verify your identity before processing the request.

8. Cookies

Fynlo uses only essential cookies necessary for authentication and session management. See our Cookie Policy for full details. We do not use any advertising or tracking cookies.

9. Children's Privacy

Fynlo is intended for users aged 18 and above. We do not knowingly collect personal data from children under the age of 13. If you believe a child has provided us with personal data, please contact support@fynlo.pro and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of Fynlo after the effective date constitutes acceptance of the updated policy.

11. Contact

For privacy-related enquiries, data access requests, or complaints, contact our Data Protection Officer at:

support@fynlo.pro

We aim to respond to all privacy enquiries within 30 days.