Updated June 6, 2026

Privacy Policy.

The whole point of Finn is to know your stuff — so here's exactly what we collect, how it's used, and where it lives.

Introduction

Finn, a product of Raliworks LLC (“we,” “our,” or “us”), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and services.

Information We Collect

Account & In-App Content

Information you provide directly to us:

  • Email address and password (for account creation), or your Apple/Google sign-in identifier if you use social login
  • Notes and other content you create in the app
  • Profile information you choose to share with Finn (name, location, income sources, etc.)

Email Data (Gmail and Microsoft Outlook)

If you connect a Gmail or Outlook mailbox, Finn accesses message metadata and — only with your per-message approval — specific message bodies, as described in detail in the Google API Services User Data Policy section below. Connecting a mailbox is optional and you can disconnect at any time from Settings → Connections.

Calendar Data

If you grant calendar access, Finn reads upcoming events from your local Apple Calendar (next 14 days) so it can surface time-sensitive items. Calendar events stay on your device and are sent to our AI provider only as part of the chat or scan you initiate. We do not store calendar events on our servers.

Financial Data

If you connect a financial account through Plaid, we receive account balances, transactions, and (for investment accounts) holdings. This data is stored on our servers so Finn can analyze your finances across sessions. You can disconnect any institution from Settings → Connections, which removes the data on our side.

Subscription & Purchase Data

If you subscribe to a paid plan (Pro or Max), your purchase is processed by Apple through the App Store. We do not receive or store your payment card details. We receive your subscription status and entitlement (for example, which plan is active and whether it is current) so we can unlock the right features and usage allowance for your account.

Automatically Collected Information

When you use our app, we automatically collect:

  • Device information (model, OS version)
  • Usage data (features accessed, AI token usage)
  • Error logs and performance data

How We Use Your Information

We use your information to:

  • Provide and maintain Finn's features
  • Power the AI assistant with your notes, calendar, email subject lines, and (with explicit per-message approval) email bodies
  • Surface relevant time-sensitive items (bills, deliveries, appointments, travel)
  • Improve and optimize the application
  • Detect and prevent fraud, abuse, or security issues

We do not sell your personal information, use it for advertising, or use it to train generalized AI models.

Google API Services User Data Policy

Finn's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

What Gmail data we access and why

When you connect a Gmail account, Finn requests the gmail.readonly scope. We use this access for two narrow purposes:

  • Subject-line context. Finn reads the subject, sender, date, and read/unread status of messages from the last 7 days (excluding promotional mail) so it can surface time-sensitive items like deliveries, appointments, and travel.
  • Per-message body reads, with your approval. When the subject line strongly suggests the body contains something Finn needs to answer your question (for example, a shipping tracking number or a travel itinerary), Finn asks you for permission before reading that specific message. You can configure the default behavior in Settings → Email Privacy: “Always Allow,” “Always Ask” (default), or “Always Deny.”

Where Gmail OAuth tokens are stored

The Gmail OAuth access and refresh tokens that authorize Finn to read your mail are stored exclusively in your device's secure Keychain. Tokens are not transmitted to or stored on our servers. All Gmail API calls (listing messages, fetching a specific body when approved, refreshing tokens) happen on the device.

Where Gmail data is transmitted

Subject lines and the small amount of metadata described above are transmitted from your device to our backend and to our AI provider so Finn can use them as conversational context. Full message bodies are transmitted only when you approve them, for that single conversation turn, and only to the extent needed to answer your question. We do not store message bodies on our servers.

Limited Use commitments

In line with Google's Limited Use requirements, we commit that:

  • We only use Google user data to provide or improve user-facing features that are prominent in the Finn user experience.
  • We do not transfer Google user data to others except as necessary to provide or improve those user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets (with users notified).
  • We do not use Google user data for serving advertisements.
  • We do not allow humans to read Google user data unless we have your affirmative agreement for specific messages, we are doing so for security purposes (such as investigating abuse), to comply with applicable law, or where the data is aggregated and used for internal operations under applicable privacy laws.
  • We do not use Google user data to develop, improve, or train generalized or non-personalized AI or machine learning models.

Microsoft Outlook

The same handling applies to mailboxes connected via Microsoft Outlook (Microsoft Graph Mail.Read scope). Tokens are stored only in your device's Keychain; bodies are read only with per-message approval.

Data Security

We implement appropriate technical and organizational security measures to protect your information, including encryption in transit (TLS), encryption at rest for stored data, row-level security on our database, and storing email OAuth tokens only in the device Keychain (not on our servers). No method of transmission or storage is 100% secure; while we use commercially reasonable measures, we cannot guarantee absolute security.

Your Rights

You have the right to:

  • Access your personal information
  • Correct inaccurate data
  • Disconnect any mailbox, calendar, or financial account at any time from Settings → Connections
  • Delete your account, which removes all data we hold about you
  • Export your data
  • Revoke Finn's access to Gmail directly from your Google Account permissions page

Children's Privacy

Our services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the “Last updated” date.

Contact Us

If you have questions about this Privacy Policy, please contact us at:

support@raliworks.com

Finn · A product of Raliworks LLC