How your data flows through Finkavo
Last reviewed 2026-07-18
This page answers the question a Portuguese tax user should ask before uploading anything: who sees my data, where does it live, and how do I get it out. We list every third-party (subprocessor) we route data through, what they do, and where they store it. If you find something missing or inaccurate, email security@finkavo.com and we will fix it publicly.
What we handle
Six categories of your data touch Finkavo: • Account — email + password hash (Better-Auth) or OAuth linked identity. • Profile — residency, employment, regime, arrival date, CAE / CIRS codes, tax context you enter. • Documents — files you upload to the Vault (PDFs, images) and letters forwarded to your inbox address. • Conversations — Ask questions + answers, cited sources, and reproductions. • Payments — Stripe customer ID + subscription state (we never see card numbers). • Analytics — masked distinct-id + product events (button clicks, page views). Emails and free-text never leave for analytics.
Subprocessors
Every third-party we route data through, ranked by how much of your data they touch. All EU-based vendors are inside the Union; the four US-hosted vendors are covered by the EU-US Data Privacy Framework and, where applicable, Standard Contractual Clauses.
| Vendor | Purpose | Region | Data touched | Retention |
|---|---|---|---|---|
| Cloudflare Workers | App hosting + edge compute | EU + global edge | All requests transit the Worker | Access logs 24h |
| Cloudflare R2 | Encrypted document storage (Vault + inbound letters) | Frankfurt (EU-West) | PDFs, images, encrypted at rest | Until you delete the doc or account |
| CockroachDB Cloud | Primary database | Frankfurt (aws-eu-central-1) | Account, profile, conversations, ask history, subscriptions | Until account deletion |
| Cloudflare Workers AI | bge-m3 embeddings + light completions | EU edge | Question text, chunk text at query time | Not retained after response |
| OpenAI | Larger LLM completions for Ask and letter parsing | United States | Question text, retrieved excerpts, uploaded doc text (when opted in) | Not retained after response (no-training default) |
| Resend | Transactional email (verify, reset, waitlist confirmation, reminders) | United States | Email address + message body | 30-day send logs at Resend |
| Stripe Payments Europe | Payments + subscription lifecycle | Ireland (EU) | Stripe customer id, plan state, billing email | Payment records retained per Stripe policy + PT accounting law |
| PostHog EU | Product analytics (page views, button clicks) | Frankfurt | Masked distinct-id, event name, page path. Email + free text never sent. | 12 months rolling |
| Google (OAuth) | Google OAuth sign-in + Google Calendar sync (opt-in) | Ireland (EU region) | Email + profile id at sign-in; calendar events when sync is on | OAuth refresh tokens until you disconnect |
| cron-job.org | Triggers our scheduled crons (corpus refresh, reminders) | Germany | No user data — just a POST to /api/cron with a shared secret | No user data |
| Tavily | Web-search fallback when the corpus doesn't cover a topic | United States | The query text only | Not retained per Tavily API terms |
Table reviewed 2026-07-18. We commit to a review every quarter and on every new subprocessor.
AI processing disclosure
Ask, letter parsing, and vault-document extraction call large-language-model providers. When you use these features: • The question or document text is sent to Cloudflare Workers AI (embeddings, edge) and to OpenAI (larger completions, US) for processing. • The plaintext of vault documents leaves R2 only when you have opted for server-side extraction. If you toggle 'End-to-end encrypt with my passphrase' on upload, that specific document is never decrypted server-side — AI extraction is disabled for it as a trade-off. • Prompts, retrieved excerpts, and completions are stored in our database (CockroachDB) so we can show you the answer receipt, reproduce it, and improve retrieval quality over time. They are not shared with third parties beyond the model provider. • We do not train models on your data. OpenAI and Cloudflare Workers AI both offer no-training defaults for API traffic; we rely on those defaults.
Encryption + deletion
Data at rest: everything in R2 and CockroachDB is stored on encrypted volumes. Vault documents are additionally encrypted with a per-document data-key wrapped by a key-encryption-key (KEK). If you turn on end-to-end mode with a passphrase, only your device can unwrap the data-key — Finkavo cannot decrypt those documents. Data in transit: TLS 1.2+ on every connection. Deletion: 'Delete my account' in /app/settings removes every row we hold for you in CockroachDB and every object in R2 keyed to your userId. The delete is transactional — if any R2 object fails to remove, the DB rows stay so a retry can finish the job (fixed 2026-07-17). Waitlist rows are separate; if you signed up before joining they need a separate email to hello@finkavo.com.
Reporting a vulnerability
If you find something that looks like a security issue, email us at security@finkavo.com. Please include enough detail to reproduce it and a preferred contact channel; we acknowledge every report within 72 hours and coordinate disclosure timing with you before publishing a fix. We do not currently run a paid bounty programme, but every valid report gets public credit on this page (with your consent).
Ownership + change log
This page is owned by the founder (opefyre@gmail.com) and reviewed every quarter or on any material change to how data is handled. Material changes are logged as commits on the finkavo repo and summarised at the top of this page. Substantive changes trigger an email to every active user.