Skip to content
finkavo.
TRUST & SECURITY

How your data flows through Finkavo

Last reviewed 2026-07-18

This page answers the question a Portuguese tax user should ask before uploading anything: who sees my data, where does it live, and how do I get it out. We list every third-party (subprocessor) we route data through, what they do, and where they store it. If you find something missing or inaccurate, email security@finkavo.com and we will fix it publicly.

What we handle

Six categories of your data touch Finkavo: • Account — email + password hash (Better-Auth) or OAuth linked identity. • Profile — residency, employment, regime, arrival date, CAE / CIRS codes, tax context you enter. • Documents — files you upload to the Vault (PDFs, images) and letters forwarded to your inbox address. • Conversations — Ask questions + answers, cited sources, and reproductions. • Payments — Stripe customer ID + subscription state (we never see card numbers). • Analytics — masked distinct-id + product events (button clicks, page views). Emails and free-text never leave for analytics.

Subprocessors

Every third-party we route data through, ranked by how much of your data they touch. All EU-based vendors are inside the Union; the four US-hosted vendors are covered by the EU-US Data Privacy Framework and, where applicable, Standard Contractual Clauses.

VendorPurposeRegionData touchedRetention
Cloudflare WorkersApp hosting + edge computeEU + global edgeAll requests transit the WorkerAccess logs 24h
Cloudflare R2Encrypted document storage (Vault + inbound letters)Frankfurt (EU-West)PDFs, images, encrypted at restUntil you delete the doc or account
CockroachDB CloudPrimary databaseFrankfurt (aws-eu-central-1)Account, profile, conversations, ask history, subscriptionsUntil account deletion
Cloudflare Workers AIbge-m3 embeddings + light completionsEU edgeQuestion text, chunk text at query timeNot retained after response
OpenAILarger LLM completions for Ask and letter parsingUnited StatesQuestion text, retrieved excerpts, uploaded doc text (when opted in)Not retained after response (no-training default)
ResendTransactional email (verify, reset, waitlist confirmation, reminders)United StatesEmail address + message body30-day send logs at Resend
Stripe Payments EuropePayments + subscription lifecycleIreland (EU)Stripe customer id, plan state, billing emailPayment records retained per Stripe policy + PT accounting law
PostHog EUProduct analytics (page views, button clicks)FrankfurtMasked distinct-id, event name, page path. Email + free text never sent.12 months rolling
Google (OAuth)Google OAuth sign-in + Google Calendar sync (opt-in)Ireland (EU region)Email + profile id at sign-in; calendar events when sync is onOAuth refresh tokens until you disconnect
cron-job.orgTriggers our scheduled crons (corpus refresh, reminders)GermanyNo user data — just a POST to /api/cron with a shared secretNo user data
TavilyWeb-search fallback when the corpus doesn't cover a topicUnited StatesThe query text onlyNot retained per Tavily API terms

Table reviewed 2026-07-18. We commit to a review every quarter and on every new subprocessor.

AI processing disclosure

Ask, letter parsing, and vault-document extraction call large-language-model providers. When you use these features: • The question or document text is sent to Cloudflare Workers AI (embeddings, edge) and to OpenAI (larger completions, US) for processing. • The plaintext of vault documents leaves R2 only when you have opted for server-side extraction. If you toggle 'End-to-end encrypt with my passphrase' on upload, that specific document is never decrypted server-side — AI extraction is disabled for it as a trade-off. • Prompts, retrieved excerpts, and completions are stored in our database (CockroachDB) so we can show you the answer receipt, reproduce it, and improve retrieval quality over time. They are not shared with third parties beyond the model provider. • We do not train models on your data. OpenAI and Cloudflare Workers AI both offer no-training defaults for API traffic; we rely on those defaults.

Encryption + deletion

Data at rest: everything in R2 and CockroachDB is stored on encrypted volumes. Vault documents are additionally encrypted with a per-document data-key wrapped by a key-encryption-key (KEK). If you turn on end-to-end mode with a passphrase, only your device can unwrap the data-key — Finkavo cannot decrypt those documents. Data in transit: TLS 1.2+ on every connection. Deletion: 'Delete my account' in /app/settings removes every row we hold for you in CockroachDB and every object in R2 keyed to your userId. The delete is transactional — if any R2 object fails to remove, the DB rows stay so a retry can finish the job (fixed 2026-07-17). Waitlist rows are separate; if you signed up before joining they need a separate email to hello@finkavo.com.

Reporting a vulnerability

If you find something that looks like a security issue, email us at security@finkavo.com. Please include enough detail to reproduce it and a preferred contact channel; we acknowledge every report within 72 hours and coordinate disclosure timing with you before publishing a fix. We do not currently run a paid bounty programme, but every valid report gets public credit on this page (with your consent).

Ownership + change log

This page is owned by the founder (opefyre@gmail.com) and reviewed every quarter or on any material change to how data is handled. Material changes are logged as commits on the finkavo repo and summarised at the top of this page. Substantive changes trigger an email to every active user.