F
Floo

Last updated: March 2026 · Version 1.0

Privacy Policy

Your privacy is fundamental to how Floo is built. This policy explains exactly what data we collect, what we don't, and why.

1. Overview

Floo is a personal finance analysis tool designed with a privacy-first architecture. We collect the minimum data necessary to provide the Service and have made deliberate technical choices to protect your privacy — such as hashing your email address and never storing uploaded files.

We do not sell, share, or monetize your data in any way. We do not use third-party analytics or advertising trackers.

2. Data We Collect

When you use Floo, we collect and store the following:

Account Data

  • Email hash: a SHA-256 cryptographic hash of your email address. This allows us to identify your account for login purposes without storing your actual email address.
  • Display name: the name you choose to show within the app.
  • Preferences: your preferred currency, locale, and theme (dark/light mode).

Financial Data

  • Transaction data: date, description, amount, currency, and category of transactions extracted from your uploaded bank statements.
  • Account metadata: bank account names, types, and currency as configured by you.

Technical Data

  • Authentication tokens: JWT tokens stored as httpOnly cookies for session management.
  • Rate-limiting counters: ephemeral, in-memory counters tied to request identifiers. These are not persisted and are automatically cleared.

3. Data We Do NOT Collect

Floo is designed to minimize data collection. We explicitly do not collect:

  • Your actual email address — only its SHA-256 hash is stored
  • Bank credentials — we never ask for bank passwords, API keys, or access tokens
  • Uploaded files — bank statements are parsed in memory and discarded; the original files are not retained
  • Location data — we do not request or store geolocation
  • IP addresses — beyond ephemeral rate-limiting, IP addresses are not logged or stored
  • Biometric data — no fingerprints, face scans, or similar data
  • Device identifiers — no device fingerprinting or tracking IDs
  • Browsing history — we do not track pages you visit outside of Floo

4. How We Use Your Data

The data we collect is used exclusively to:

  • Authenticate you and maintain your session
  • Display your transactions, analytics, and insights
  • Generate financial health scores, spending forecasts, and pattern detection
  • Convert currencies using ECB exchange rates
  • Remember your preferences (language, currency, theme)
  • Enforce service tier limits

We do not use your data for profiling, advertising, machine learning training, or any purpose beyond providing the Service to you.

5. External Services

Floo connects to one external service:

  • Frankfurter API (frankfurter.app): a free, open-source proxy for European Central Bank exchange rate data. We send only currency codes and dates to this API — no user data whatsoever is shared with this service.

We do not use Google Analytics, Facebook Pixel, Mixpanel, Hotjar, or any other third-party analytics, tracking, or advertising service.

6. Cookies & Local Storage

Floo uses only essential cookies. We do not use analytics cookies, marketing cookies, or third-party cookies of any kind. For full details, see our Cookie Policy.

Summary of what we use:

  • floo_access: httpOnly JWT authentication cookie (session, 15 min)
  • floo_refresh: httpOnly refresh token cookie (30 days)
  • NEXT_LOCALE: language preference cookie (1 year)
  • theme: dark/light mode preference (localStorage, not a cookie)
  • cookie-consent-v1: consent record (localStorage, not a cookie)

7. Data Storage & Security

Your data is stored in a PostgreSQL database with encryption at rest. We employ the following security measures:

  • Passwords are hashed with bcrypt (cost factor 12) — never stored in plain text
  • Email addresses are hashed with SHA-256 before storage
  • Authentication uses httpOnly, Secure, SameSite=Strict cookies
  • API endpoints are protected with rate limiting
  • All data transmission uses HTTPS/TLS encryption

8. Data Retention

Your data is retained for as long as your account is active. We do not impose automatic data expiration on transaction records — your financial history remains available to you for as long as you use Floo.

When you delete your account, all associated data is permanently and irreversibly erased from our database, including your email hash, display name, transaction records, preferences, and account metadata. There is no recovery process after account deletion.

9. Your Rights

You have the right to:

  • Access your data: all your data is visible within the app at all times.
  • Export your data: use the CSV export feature to download your transactions at any time (data portability).
  • Delete your data: delete your account from the settings page to permanently erase all data.
  • Rectify your data: edit your display name, preferences, and transaction categories at any time.
  • Object to processing: since we only process data to provide the Service to you and for no other purpose, you can stop processing by simply deleting your account.

10. Children's Privacy

Floo is not directed at children under 16 years of age. We do not knowingly collect data from children under 16. If you believe a child under 16 has created an account, please contact us so we can delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be reflected by the "Last updated" date at the top of this page. For material changes, we will provide notice through the Service. Your continued use of Floo after changes take effect constitutes acceptance of the updated policy.

12. Contact

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us through the in-app support channel or at the contact information provided on our website.

In case of discrepancy between translations, the English version prevails.