Privacy Policy
Last updated: 27 April 2026
The short version: FortuneSage is a personal finance tool, not a bank. We use Open Banking through TrueLayer to read your bank transactions so you can see all your accounts in one place and get AI-powered insights into your spending. We don't move your money, we don't sell your data, and we don't share it with advertisers. Everything below is the detail behind that.
1. Who we are
FortuneSage (“we”, “us”, “our”) is a personal finance management application. We are the data controller for the personal information you provide to us through the FortuneSage app and website. You can reach us at hello@fortunesage.app with any questions about this policy or your data.
2. What FortuneSage actually is
FortuneSage is a financial monitoring and guidance app. We are not a bank, we do not hold your money, and we cannot move money on your behalf. What we do is:
- Connect to your bank accounts through TrueLayer (a regulated Open Banking provider) so you can see balances and transactions from multiple banks in one place
- Use artificial intelligence to analyse your spending patterns and provide insights and observations
- Allow you to scan receipts, set budgets, track financial goals, and add manual notes about your money
The connection to your banks is read-only. We can see your transactions and balances, but we cannot initiate payments, transfer funds, or make any changes to your accounts.
3. The data we collect
3.1 Information you provide
- Account details: your name, email address, and a password (stored securely as a hash, never in plain text)
- Profile preferences: currency, display name, notification settings, AI preferences
- Manual entries: any transactions, budgets, savings goals, or notes you add yourself
- Receipt images: if you choose to scan receipts, the images and the data extracted from them
- App PIN: stored on your device only, never sent to our servers
3.2 Information we receive from your banks via TrueLayer
When you connect a bank account through TrueLayer, we receive:
- Account names, types, and account numbers (last 4 digits only)
- Current balances
- Transaction history (typically the last 12 to 24 months, depending on your bank)
- Transaction descriptions, amounts, dates, and categories
We do not receive or store your bank login credentials, PINs, passwords, or any information that would allow us to log into your bank account directly.
3.3 Information collected automatically
- Device information: device type, operating system version, app version (used for diagnostics and crash reporting)
- Usage information: which features you use and how often (used to improve the app — never linked to your transactions)
- Push notification tokens: if you enable notifications, we store the token your device provides so we can send them
4. How we use your data
We use your data only for the following purposes:
- To provide the service: displaying your transactions, calculating spending totals, generating budgets, showing balance summaries
- To generate AI insights: we send aggregated and anonymised summaries of your spending patterns to our AI model providers (see Section 6) so they can produce written observations about your finances
- To keep your data secure: authentication, fraud monitoring, and detecting unauthorised access
- To communicate with you: service notifications, app updates, security alerts. Marketing emails only if you explicitly opt in
- To improve FortuneSage: understanding which features help users, fixing bugs, planning new features. This uses aggregated and anonymised data only
5. Important: AI and your financial data
FortuneSage is not a financial adviser. The AI insights we generate describe patterns in your data and surface observations — for example, “you've spent more on groceries this month” or “this subscription hasn't been used in 60 days.” They do not constitute regulated financial advice, investment recommendations, or guidance you should rely on for major financial decisions. For regulated advice, please speak with a qualified financial adviser.
When the AI generates insights for you, we send a summary of your spending data — not your full transaction history — to the AI provider. This summary is used only to generate that specific insight and is not retained by the provider for training their models. The insight is then stored in your account so we don't need to regenerate it on every visit.
6. Who we share your data with
We share your data only with carefully selected service providers (“sub-processors”) who help us operate FortuneSage. We do not sell your data. We do not share it with advertisers. We do not share it with data brokers.
6.1 Our current sub-processors
- TrueLayer Limited (UK): regulated Open Banking provider (FCA authorised). Provides the connection to your bank accounts. TrueLayer's privacy policy is available at truelayer.com/legal/privacy.
- Supabase Inc. (UK/EU): our database and backend provider. Stores your account data in encrypted form, in UK or EU data centres.
- Anthropic / OpenAI / Google (varies): AI model providers used to generate spending insights. They receive only aggregated summaries, not raw transaction data, and are configured with zero-retention policies where supported.
- Apple and Google: for app distribution, push notifications, and crash reporting on their respective platforms.
6.2 We may also share your data:
- When required by law (e.g. court orders, lawful requests from authorities)
- To prevent fraud or protect the rights, safety, and property of FortuneSage, our users, or others
- In the event of a business sale or restructure, in which case we'll notify you in advance and your rights under this policy will continue to apply
7. Where your data is stored
Your data is stored on servers in the United Kingdom and European Union. Some sub-processors (notably AI providers) may process data in other regions, including the United States. Where this happens, we rely on UK GDPR-approved transfer mechanisms such as Standard Contractual Clauses and the UK-US Data Bridge.
8. How long we keep your data
- Account data: for as long as your account is active
- Transaction history: for as long as your bank connection is active, plus up to 90 days after disconnection (so you can reconnect without losing context)
- AI insights: retained with your account; you can delete individual insights at any time
- Receipt images: until you delete them, or until you delete your account
- After account deletion: all data is removed within 30 days, with limited exceptions for legal record-keeping (transaction logs may be retained for up to 7 years where required by UK financial regulations)
9. Your rights under UK GDPR
You have the following rights regarding your personal data:
- Access: request a copy of the data we hold about you
- Rectification: correct any data that's inaccurate
- Erasure: ask us to delete your data (the “right to be forgotten”)
- Portability: receive your data in a machine-readable format
- Restriction: ask us to limit how we process your data
- Objection: object to certain types of processing, including direct marketing
- Withdraw consent: where we rely on your consent for processing, you can withdraw it at any time
To exercise any of these rights, email privacy@fortunesage.app. We aim to respond within 30 days.
If you're unhappy with how we've handled your data, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.
10. How we keep your data secure
- In transit: all data sent between your device and our servers uses TLS 1.3 encryption
- At rest: stored data is encrypted. Sensitive credentials such as bank access tokens are encrypted at the column level using a key separate from the database
- Authentication: we support biometric unlock (Face ID, Touch ID, fingerprint) and a 6-digit PIN, both stored on your device only
- Access control: our systems use row-level security to ensure each user can only access their own data
- Sessions: the app locks automatically when closed and requires re-authentication
No system is perfectly secure, and we cannot guarantee absolute security of data transmitted over the internet. If we ever become aware of a security incident affecting your data, we will notify you without undue delay as required by UK GDPR.
11. Children
FortuneSage is not intended for use by anyone under 18. We do not knowingly collect personal data from children. If we learn that we've collected data from a child, we'll delete it.
12. Changes to this policy
We may update this policy from time to time. If we make significant changes, we'll notify you in the app and update the “Last updated” date at the top of this page. We'd encourage you to review it periodically.
13. Contact us
For privacy-related queries:
- Email: privacy@fortunesage.app
- General contact: hello@fortunesage.app