Who we are
MyFinMaps is a personal portfolio and net-worth tracker. We are the data controller — and, under India's Digital Personal Data Protection Act, 2023 (DPDP Act), the "data fiduciary" — for the personal data described below.
The service is available worldwide. Depending on where you live, different laws give you rights: the EU and UK GDPR (Europe and the UK), the DPDP Act (India), and US state privacy laws such as the California Consumer Privacy Act / CPRA. This notice applies to everyone; the rights that are specific to your region are set out under "Your rights" below.
For privacy questions, write to support@myfinmaps.com. We will respond within one month (or any shorter period your local law requires), as contemplated by Article 12 of the GDPR.
Our representative and data-protection contact
If you are in the EU/EEA, our representative under Article 27 of the EU GDPR is [EU representative name & contact — to be appointed]. As we are established in the United Kingdom, no separate UK representative is required, and the UK Information Commissioner's Office is our lead supervisory authority.
We are not required to appoint a Data Protection Officer under Article 37 of the GDPR — we do not carry out large-scale systematic monitoring or process special-category data at scale — but you can raise any data-protection matter with us at support@myfinmaps.com.
What we collect
We collect only what we need to run the service you signed up for:
• Account details — your email address and (optionally) a mobile number. These identify your account and let us contact you about your data.
• Authentication data — a one-way hash of your password (we never store or see the original), short-lived password-reset and email-verification tokens, and a minimum-age affirmation captured at registration.
• Portfolio and cash-flow data — the holdings, balances, and monthly inflow/outflow entries you record. This is the core content of the service.
• Security and usage signals — your IP address, browser user-agent, the time of each session, and an event log of major actions (sign-in, asset created, dashboard viewed). We use these to detect abuse and to keep audit trails.
• Preferences — your display currency and (with your consent) your light/dark theme choice.
We do not collect any special-category data under Article 9 (health, biometrics, political views, etc.). If you upload supporting documents for an insurance policy, please do not include sensitive personal information.
Why we use it (lawful basis)
Article 6 of the GDPR requires us to identify a lawful basis for each processing activity. Ours are:
• Running your account, storing your portfolio, sending password-reset and verification emails — Article 6(1)(b), performance of a contract. This processing is necessary to deliver the service you asked us for.
• Optional reminder emails for insurance and term-deposit due dates — Article 6(1)(a), your consent. You opt in per asset and can switch reminders off at any time on the asset record.
• Anti-bot CAPTCHA, rate limiting, account lockout, and audit logging — Article 6(1)(f), our legitimate interest in keeping the service secure and accountable.
• Aggregate analytics about feature usage and churn, to improve the product — Article 6(1)(f), our legitimate interest. These are produced in-house from your account activity and server-side logs; we do not use third-party analytics services or analytics cookies. No automated decision producing legal or similarly significant effects is made (Article 22).
If you are in India, the DPDP Act does not recognise "legitimate interest" as a basis. We process your data either with your consent or for a permitted "legitimate use" — including the purpose for which you voluntarily gave it to us and compliance with law. Security, fraud-prevention, and audit-logging are necessary to provide the service you signed up for; optional reminder and marketing emails rely on your consent, which you can withdraw at any time.
If you are in the United States, this notice serves as our notice at collection. We do not sell or share your personal information, and we do not use it for cross-context behavioural advertising.
Do you have to provide this data?
Providing your email address and a password is necessary to create and secure your account — without them we cannot give you access to the service, so this is a requirement of our agreement with you. Everything else is optional: a mobile number, the holdings and cash-flow entries you record, and opt-in reminders are entirely up to you. If you choose not to provide them, the related features simply won't be available, but you can still use the rest of the service.
Service communications
We send essential emails you cannot opt out of while you hold an account: password resets, security alerts, and — if it ever applies to you — a personal-data-breach notification.
We also send non-essential emails you control. When you register we send a one-time welcome email (and occasionally product announcements); you can turn these off at any time from the Email preferences section of your profile, or via the unsubscribe link in the email footer. Insurance and term-deposit due-date reminders are opt-in per asset and can be switched off on each asset's record.
Who we share your data with
| Processor | Purpose | Data they receive | Region | Transfer |
|---|---|---|---|---|
| PostgreSQL host (Neon) | Primary application database | All application PII (users, holdings, cash-flow, audit/event logs) | configurable | Blank |
| Vercel | Hosting, CDN, serverless functions, logs | Request metadata, IP, logs, all traffic | US (default) | SCC |
| Cloudflare Turnstile | Anti-bot CAPTCHA | IP address, challenge token | Global | SCC |
| Upstash Redis | Rate limiting, login lockout, short-lived tokens | IP, normalised email (lockout) | configurable | Blank |
| SMTP provider (Gmail or admin-configured) | Transactional email | Recipient email, email body | US (Gmail) or admin-configured | SCC |
Where your data is stored
Hosting region varies by processor — see the live processor registry above for each component. Where data is transferred outside the EEA or UK to a country without an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA) as the transfer safeguard.
Following the Schrems II decision, we have assessed the risk of these transfers and apply supplementary measures — encryption in transit (TLS), encryption at rest, and application-layer encryption of identifier data — so that the data exposed to any single processor is minimised and protected. Our Data Transfer Impact Assessment sets out this analysis per processor.
If you are in India, the DPDP Act permits transfers to countries other than any the Indian government restricts by notification; we will comply with any such restriction and with sector rules (for example, Reserve Bank of India requirements) that apply to financial data.
If you are in the United States, your personal information may be processed in the US and in other countries where our processors operate.
We are working with each processor to confirm the exact region of storage and the executed transfer-safeguard mechanism. The processor table above will be updated as this work completes.
You can ask us for a copy of the transfer safeguards we rely on (the Standard Contractual Clauses or the UK IDTA) by writing to support@myfinmaps.com.
Data Transfer Impact Assessment
Read our Data Transfer Impact Assessment for a per-processor summary of the transfer mechanisms and safeguards we rely on.
How long we keep it
| Category | Retention period |
|---|---|
| Password-reset and email-verification tokens | 7 days after creation or use |
| Sign-in sessions (UserSession records) | 90 days after last activity |
| HTTP request metrics | 90 days |
| Application event log (non-security) | 365 days |
| Security audit log | 365 days |
| Your account, portfolio, cash-flow | Until you delete your account |
Your rights
Wherever you live, you can act on the two most common rights yourself from your profile: "Download my data" gives you a machine-readable (JSON) copy of the personal data we hold about you, and "Delete my account" submits a request to erase your account and all associated data. For anything else, write to support@myfinmaps.com.
If you are in the EU or UK, under the GDPR you can ask us to:
• give you a copy of the personal data we hold about you (Article 15);
• correct anything that is wrong or incomplete (Article 16);
• delete your account and your data (Article 17);
• restrict how we use your data while a dispute is resolved (Article 18);
• receive your data in a portable, machine-readable format (Article 20);
• object to processing we carry out on the basis of legitimate interest (Article 21);
• withdraw any consent you previously gave (Article 7) — withdrawal is as easy as giving consent, and does not affect processing already carried out.
You also have the right to lodge a complaint with your national data-protection supervisory authority (in the UK, the Information Commissioner's Office).
Your rights in India (DPDP Act)
If you are in India, under the DPDP Act you can: obtain a summary of the personal data we process and how; have it corrected, completed, updated, or erased; nominate another person to exercise your rights if you die or become incapacitated; and readily withdraw any consent you have given.
Grievance redressal: if you have a complaint about how we handle your data, contact our Grievance Officer, [Grievance Officer name — to be appointed], at support@myfinmaps.com. We will acknowledge and respond within the timeline set by the DPDP Rules. If you remain unsatisfied, you may complain to the Data Protection Board of India.
Your rights in the United States
If you are a US resident, depending on your state (for example, California under the CCPA/CPRA) you may have the right to know and access the personal information we have collected, to delete it, to correct it, and to opt out of any "sale" or "sharing" of personal information. We do not sell or share your personal information.
We will not discriminate against you for exercising these rights. To exercise them, use the controls in your profile or write to support@myfinmaps.com.
Where your state provides them, you also have the right to appeal a decision on a request and to use an authorised agent to submit requests on your behalf. We honour recognised browser opt-out preference signals such as Global Privacy Control (GPC) where they apply.
Our incident-response commitment
If we discover a personal-data breach, we will notify the relevant authority without undue delay — for EU/UK users the competent supervisory authority (in the UK, the Information Commissioner's Office), within 72 hours where feasible as required by Article 33; and for India the Data Protection Board of India, in the form and time required by the DPDP Act and its Rules.
We will also notify affected users directly where the law requires it — under the GDPR where a breach is likely to result in a high risk to your rights and freedoms (Article 34), and as required by the DPDP Act and applicable US state laws — describing what happened, the likely consequences, and the steps you can take.
Cookies and similar technologies
We use a small number of cookies and browser-storage items: a strictly necessary sign-in session cookie, a record of your cookie-consent choice, and — only if you accept — your light/dark theme preference. Our sign-in, registration, and password-reset pages also load Cloudflare Turnstile, a third-party anti-bot service that may set its own security cookies. We do not use cookies for advertising, analytics, profiling, or cross-site tracking. Full detail, including how to change your choice, is on our Cookie Policy page.
Children (under 18)
The service is intended only for adults and is not directed at children. You confirm at registration that you are at least 18 years old. We do not knowingly collect personal data from children, and we do not track, profile, or serve targeted advertising to children. If you believe a child has registered, contact support@myfinmaps.com and we will delete the account.
Languages
This notice is written in English. If you are in India, we can provide it in English and in any of the languages in the Eighth Schedule to the Constitution of India on request — write to support@myfinmaps.com.
Changes to this notice
When we make material changes to this notice we will bump its version and ask you to re-acknowledge it on your next sign-in. The current version is 2026-07-02.
Contact us
Privacy questions, data-subject requests, and complaints: support@myfinmaps.com.