Skip to main content

Data Protection Overview

Finanzapp is committed to protecting user privacy and personal data in accordance with GDPR and other applicable data protection regulations. This page outlines our data handling practices, encryption methods, and user rights.
All personal data, financial information, and authentication details are stored and processed on our secure remote server infrastructure at finanzapp.es, separate from the frontend codebase.

Data Collection

Information We Collect

Finanzapp collects the following types of information:
During registration:
  • Full name (app/register.php:125)
  • Email address (app/register.php:129)
  • Password (hashed, never stored in plain text)
From authentication providers:
  • Google account information (when using OAuth)
  • Email verification status
  • Profile picture (optional)
Automatically collected:
  • IP address and location
  • Browser type and version
  • Device information
  • Page views and navigation patterns
  • Session duration and timestamps
Referenced in privacy policy: app/privacy.php:124-132
User-provided data:
  • Financial transactions
  • Income and expense records
  • Budget information
  • Category preferences
  • Financial goals
Financial data is stored exclusively on secure backend servers and never exposed in the frontend codebase or client-side storage.

Data Collection Purposes

We collect and use data for the following purposes: 
app/privacy.php:138-147
  1. Service provision - Deliver core financial management features
  2. Service improvement - Enhance user experience and functionality
  3. Communication - Send important updates and notifications
  4. Security - Detect and prevent fraudulent activity
  5. Compliance - Meet legal and regulatory requirements
  6. Analytics - Understand usage patterns and improve performance
  7. Personalization - Customize user experience
  8. Support - Provide customer service and technical assistance

Encryption and Security

Data in Transit

All data transmitted between the client and server is encrypted:
Protocol: TLS 1.3 (Transport Layer Security)Implementation:
// All API endpoints use HTTPS
// js/loginValidation.js:58
xhr.open('POST', 'https://pro.finanzapp.es/app/auth/sendLogin.php', true);

// js/registerValidation.js:70
xhr.open('POST', 'https://pro.finanzapp.es/app/auth/sendRegister.php', true);
Features:
  • End-to-end encryption
  • Certificate validation
  • Perfect forward secrecy
  • Strong cipher suites
HTTP security headers protect against common attacks:
  • Content-Security-Policy - Prevents XSS attacks
  • X-Frame-Options - Prevents clickjacking
  • X-Content-Type-Options - Prevents MIME sniffing
  • Strict-Transport-Security - Enforces HTTPS
  • X-XSS-Protection - Additional XSS protection
Critical resources use SRI to prevent tampering:
<!-- app/login.php:64 -->
<script src="../js/api.js" 
    integrity="sha384-CdhidNt+STVg/jxRNtQC1nw7l1Ys8/TxZI2ZVTypU9tDQ6goYcuMYbd8VR23C6/x" 
    crossorigin="anonymous"></script>

<!-- app/login.php:168-169 -->
<script src="https://cdn.jsdelivr.net/npm/chart.js"
    integrity="sha384-T/4KgSWuZEPozpPz7rnnp/5lDSnpY1VPJCojf1S81uTHS1E38qgLfMgVsAeRCWc4"
    crossorigin="anonymous"></script>

Data at Rest

Data stored on our servers is protected with multiple security layers:
Implementation on backend servers:
  • Encryption at rest for all database storage
  • Encrypted database backups
  • Secure key management systems
  • Regular encryption key rotation
User passwords receive special protection:Never stored in plain text - All passwords are hashed using:
  • Modern hashing algorithms (bcrypt or Argon2)
  • Unique salt per password
  • High computational cost to resist brute-force
  • Regular algorithm updates as standards evolve
Client-side never sees hashes - Passwords are:
  • Validated on client for format only
  • Transmitted over HTTPS only
  • Hashed immediately upon receipt by server
  • Original password discarded after hashing
Strict access controls protect stored data:
  • Role-based access control (RBAC)
  • Principle of least privilege
  • Multi-factor authentication for admin access
  • Audit logging of data access
  • Regular access reviews

Security Measures

As stated in our privacy policy: 
app/privacy.php:164
“We implement appropriate technical and organizational security measures to protect your personal information against unauthorized or unlawful processing and against accidental loss, destruction, or damage.”
Specific measures include:
  • Regular security audits and penetration testing
  • Intrusion detection and prevention systems
  • Web application firewall (WAF)
  • DDoS protection
  • Secure development practices
  • Security awareness training for staff

Privacy Policy

Our comprehensive privacy policy is available at: URL: /app/privacy.php

Key Privacy Principles

Transparency

We clearly communicate what data we collect, why we collect it, and how we use it.

Data Minimization

We collect only the data necessary to provide our services effectively.

Purpose Limitation

We use data only for the purposes disclosed at collection time.

Security

We implement robust security measures to protect user data from unauthorized access.

Privacy Policy Contents

Our privacy policy includes 10 comprehensive sections:
  1. Introduction - Overview and scope (app/privacy.php:116-118)
  2. Information Collection - What data we collect (app/privacy.php:121-133)
  3. Data Usage - How we use collected data (app/privacy.php:136-148)
  4. Data Sharing - When and how data may be shared (app/privacy.php:151-153)
  5. Cookies - Cookie usage and management (app/privacy.php:156-160)
  6. Security - Protection measures (app/privacy.php:163-165)
  7. User Rights - Your rights under GDPR (app/privacy.php:168-176)
  8. Data Retention - How long we keep data (app/privacy.php:179-181)
  9. Policy Changes - Updates to this policy (app/privacy.php:184-186)
  10. Contact - How to reach us (app/privacy.php:189-195)

Table of Contents Navigation

The privacy policy includes an interactive table of contents for easy navigation: 
// app/privacy.php:96-110
<div class="legal-toc">
    <h2>Table of Contents</h2>
    <ul>
        <li><a href="#introduction">Introduction</a></li>
        <li><a href="#information">Information We Collect</a></li>
        <li><a href="#usage">How We Use Your Information</a></li>
        <!-- ... more sections ... -->
    </ul>
</div>

User Rights (GDPR)

Under GDPR and applicable data protection laws, users have the following rights:

Right to Access

What it means: You can request access to your personal data we hold. How to exercise: Contact us at [email protected] with your request. We will provide:
  • Copy of your personal data
  • Information about how it’s used
  • Details about data sharing
  • Response within 30 days

Right to Rectification

What it means: You can request correction of inaccurate or incomplete data. How to exercise:
  • Update information in your account settings
  • Contact us for data you cannot update directly
Examples:
  • Correct misspelled name
  • Update email address
  • Fix incorrect financial data

Right to Erasure (“Right to be Forgotten”)

What it means: You can request deletion of your personal data. How to exercise: Contact us at [email protected] requesting account deletion. Limitations:
  • Data required for legal compliance may be retained
  • Financial records may be retained per regulations
  • Anonymized data may be retained for analytics
Account deletion is permanent and cannot be undone. All your data, including financial records, will be deleted.

Right to Data Portability

What it means: You can receive your data in a structured, machine-readable format. How to exercise: Request data export from your account settings or contact us. Format:
  • JSON or CSV format
  • Includes all personal and financial data
  • Can be imported to other services

Right to Object

What it means: You can object to certain data processing activities. Examples:
  • Marketing communications
  • Profiling for personalization
  • Analytics (except essential cookies)
How to exercise:
  • Adjust cookie preferences
  • Unsubscribe from emails
  • Contact us with specific objections
What it means: You can withdraw consent for data processing at any time. Examples:
  • Notification preferences (app/register.php:149-153)
  • Analytics cookies
  • Marketing communications
Effect:
  • Future processing stops immediately
  • Past processing remains lawful
  • May affect service availability

Data Retention

We retain personal data only as long as necessary: 
app/privacy.php:180
Retention periods:
Duration: While account is activeIncludes:
  • Profile information
  • Financial records
  • Usage history
  • Preferences and settings
Purpose: Service provision
Duration: 2 years after last loginAction after period:
  • Account deletion notification sent
  • 30-day grace period for reactivation
  • Automatic deletion if no response
Exception: Legal requirement to retain longer
Duration: 7 years (or as required by law)Reason: Financial regulations and tax complianceScope:
  • Payment records
  • Subscription history
  • Refund information
Duration: Until consent withdrawnCan be deleted:
  • Immediately upon unsubscribe
  • Through account settings
  • By contacting support
Duration: 90 daysIncludes:
  • Login attempts
  • Security events
  • Access logs
  • Error logs
Purpose: Security monitoring and incident response

Data Sharing

We minimize data sharing and only share when necessary: 
app/privacy.php:152
“We do not sell, trade, or otherwise transfer your personal information to third parties without your consent, except as described in this policy.”

When We Share Data

Who: Trusted third-party service providersExamples:
  • Cloud hosting providers
  • Payment processors (for premium features)
  • Email service providers
  • Analytics services (Google Analytics)
Safeguards:
  • Data processing agreements
  • GDPR compliance requirements
  • Minimum necessary data only
  • Regular security audits
In the event of:
  • Merger or acquisition
  • Asset sale
  • Bankruptcy
Your rights:
  • Notification of transfer
  • Right to delete data
  • Continued privacy protection

Third-Party Services

We integrate with the following third-party services: Google Services:
  • Google OAuth - Authentication (app/login.php:103)
  • Google Analytics - Usage analytics (app/cookies.php:154-156)
  • reCAPTCHA - Bot protection (app/login.php:134)
CDN Providers:
  • Font delivery (Google Fonts)
  • Icon libraries (Font Awesome)
  • JavaScript libraries (Chart.js, Notyf)
All third-party integrations:
  • Use HTTPS connections
  • Include integrity checks where possible
  • Are disclosed in privacy policy
  • Can be disabled via cookie settings
Users have full control over cookie usage: Displayed on first visit: 
<!-- app/privacy.php:206-216 -->
<div class="cookie-consent" id="cookieConsent">
    <div class="cookie-content">
        <h3>Cookie Usage</h3>
        <p>We use cookies to improve your experience. 
           <a href="./cookies.php">Learn more</a>.</p>
        <div class="cookie-buttons">
            <button id="cookieAccept">Accept</button>
            <button id="cookieReject">Reject</button>
            <button id="cookieSettings">Settings</button>
        </div>
    </div>
</div>
Required for basic site functionality:
  • Session management
  • CSRF protection
  • Language preferences
Cannot be disabled - Essential for service
Enhance user experience:
  • Theme preferences
  • Layout settings
  • User interface customizations
Can be disabled - Site remains functional
Help us understand usage:
  • Page views
  • Navigation patterns
  • Error tracking
  • Performance metrics
Can be disabled - No impact on functionality

Managing Cookies

Options for users:
  1. Cookie settings panel - Accessible from any page
  2. Browser settings - Control cookies directly in browser
  3. Privacy policy page - Links to cookie management (app/privacy.php:158-159)
  4. Cookie policy page - Detailed information (app/cookies.php)
Browser instructions available for:
  • Google Chrome (app/cookies.php:171)
  • Mozilla Firefox (app/cookies.php:172)
  • Safari (app/cookies.php:173)
  • Microsoft Edge (app/cookies.php:174)

Terms of Service

Our terms of service define the legal agreement between users and Finanzapp: URL: /app/terms.php

Key Terms Sections

  1. Introduction - Agreement overview (app/terms.php:124-127)
  2. Definitions - Key terms explained (app/terms.php:130-139)
  3. Account Registration - User responsibilities (app/terms.php:142-146)
  4. Services - What we provide (app/terms.php:149-153)
  5. Payments - Billing and subscriptions (app/terms.php:156-159)
  6. Intellectual Property - Rights and licenses (app/terms.php:162-165)
  7. Privacy - Data protection reference (app/terms.php:168-172)
  8. Limitations - Liability and warranties (app/terms.php:175-178)
  9. Termination - Account closure (app/terms.php:181-184)
  10. Modifications - Terms updates (app/terms.php:187-190)
  11. Governing Law - Legal jurisdiction (app/terms.php:193-196)
  12. Contact - Legal inquiries (app/terms.php:199-205)

User Responsibilities

By using Finanzapp, users agree to:
  • Provide accurate information during registration
  • Maintain account security and confidentiality
  • Comply with applicable laws and regulations
  • Not misuse or attempt to breach security
  • Not share accounts or credentials
  • Accept terms of service and privacy policy (app/register.php:141-146)
Terms of service acceptance is required for registration. Users must check the terms checkbox before creating an account.

Contact Information

For privacy, security, and data protection inquiries:

Privacy and Data Protection

Email: [email protected] For:
  • Privacy policy questions
  • Data access requests
  • Data deletion requests
  • Data portability requests
  • Privacy complaints

Security Issues

Email: [email protected] For:
  • Security vulnerabilities
  • Suspicious activity
  • Account compromise
  • Security concerns

General Contact

Email: [email protected] (cookies) or [email protected] (legal) Address: Av. del Oeste, s/n, 28922 Alcorcón, Madrid Response time:
  • Urgent security matters: Within 24 hours
  • Data rights requests: Within 30 days (GDPR requirement)
  • General inquiries: Within 5 business days

Compliance and Certifications

Regulatory Compliance

GDPR

General Data Protection RegulationFull compliance with EU data protection law:
  • Privacy by design and default
  • Data protection impact assessments
  • Data processing records
  • User rights implementation

HTTPS Everywhere

Encrypted CommunicationsAll connections use TLS encryption:
  • Secure certificate (TLS 1.3)
  • HSTS enforcement
  • No mixed content
  • Secure cookie flags

Cookie Compliance

ePrivacy DirectiveCompliant cookie implementation:
  • Prior consent for non-essential cookies
  • Clear cookie information
  • Easy opt-out mechanisms
  • Granular cookie controls

Security Standards

Our security practices align with:
  • OWASP Top 10 protection
  • CIS Security Benchmarks
  • NIST Cybersecurity Framework
  • ISO 27001 principles

Data Protection Updates

We regularly update our data protection practices: 
app/privacy.php:185
“We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the ‘Last Updated’ date.”
How we notify users:
  • Updated date on privacy policy page
  • Email notification for material changes
  • In-app notification on next login
  • Continued use implies acceptance
Review regularly: We recommend reviewing our privacy policy periodically to stay informed about how we protect your data. Last updated: Check app/privacy.php for current date

Best Practices for Users

Protect Your Account

Strong Passwords

  • Use unique passwords for each service
  • Minimum 8 characters with uppercase and numbers
  • Consider using a password manager
  • Never share your password

Enable Security Features

  • Use Google OAuth for enhanced security
  • Monitor login activity
  • Report suspicious activity immediately
  • Keep recovery information updated

Protect Your Data

Be Careful What You Share

  • Review privacy settings regularly
  • Understand what data you’re providing
  • Be cautious with third-party integrations
  • Know your data rights

Stay Informed

  • Read privacy policy updates
  • Review security notifications
  • Understand cookie usage
  • Exercise your data rights when needed

Security Overview

Learn about overall security architecture and principles

Authentication

Understand reCAPTCHA, OAuth, and authentication flows

Build docs developers (and LLMs) love

Get started for freeTalk to us