GDPR Compliance
Last updated: December 9, 2025
1. Introduction
Finn is committed to protecting the privacy and security of your personal data in compliance with the General Data Protection Regulation (GDPR). This page outlines how we comply with GDPR requirements and describes your rights under the regulation.
The GDPR applies to any organization that processes personal data of individuals in the European Union (EU), regardless of where the organization is located.
2. Legal Basis for Processing
We process your personal data under the following legal bases:
- Contractual Necessity: Processing is necessary to provide you with the Finn service and fulfill our contract with you
- Consent: You have given clear consent for us to process your personal data for specific purposes (e.g., marketing communications)
- Legitimate Interests: Processing is necessary for our legitimate interests in improving our service, preventing fraud, and ensuring security
- Legal Obligations: Processing is necessary to comply with legal requirements
3. Your Rights Under GDPR
Under the GDPR, you have the following rights regarding your personal data:
Right to Access
You have the right to request a copy of all personal data we hold about you. This includes information about how we use your data, who we share it with, and how long we keep it.
Right to Rectification
You have the right to correct any inaccurate or incomplete personal data we hold about you. You can update most of your information directly in your account settings.
Right to Erasure ("Right to be Forgotten")
You have the right to request deletion of your personal data. You can delete your account at any time from the settings page, which will permanently remove all your personal data within 30 days.
Right to Restriction of Processing
You have the right to request that we limit how we use your personal data in certain circumstances, such as while we verify the accuracy of your data or assess your objection to processing.
Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller. You can export your data from your account settings.
Right to Object
You have the right to object to our processing of your personal data based on legitimate interests or for direct marketing purposes. You can opt out of marketing communications at any time.
Rights Related to Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing that produces legal or similarly significant effects. Finn does not use automated decision-making that produces such effects.
4. How to Exercise Your Rights
To exercise any of your GDPR rights, you can:
- Access your account settings to update or delete data
- Export your data using the data export feature in settings
- Contact us at hello@finnfocus.app with subject line "GDPR Request"
Response Time: We will respond to your request within one month. If your request is complex or we receive multiple requests, we may extend this period by two additional months, and we will inform you of any such extension.
5. Data We Collect
We collect and process the following categories of personal data:
- Identity Data: Email address, username, display name
- Account Data: Password (encrypted), authentication tokens
- Usage Data: Focus sessions, tasks, XP, achievements, productivity statistics
- Technical Data: IP address, browser type, device information, timezone
- Communication Data: Support requests, feedback, correspondence
- Payment Data: Subscription status (payment details are processed by our payment provider and not stored by us)
6. Data Security Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of data in transit and at rest
- Regular security assessments and penetration testing
- Access controls and authentication requirements
- Regular backups and disaster recovery procedures
- Staff training on data protection and security
- Monitoring and logging of system access
7. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:
- Active Accounts: Data is retained while your account is active
- Deleted Accounts: Personal data is deleted within 30 days of account deletion
- Legal Obligations: Some data may be retained longer if required by law (e.g., payment records for tax purposes)
- Backup Data: Data in backups is deleted according to our backup retention schedule
8. International Data Transfers
Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA). When we transfer your data internationally, we ensure appropriate safeguards are in place, including:
- Using service providers certified under the EU-U.S. Data Privacy Framework
- Implementing Standard Contractual Clauses (SCCs)
- Ensuring adequate data protection measures are in place
9. Data Protection Officer
For questions about our GDPR compliance or to exercise your rights, you can contact us at hello@finnfocus.app.
10. Data Breach Notification
In the event of a data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR.
11. Third-Party Processors
We work with the following third-party data processors, which are also GDPR-compliant:
- Supabase: Database and authentication services
- Polar: Payment processing for Pro subscriptions
- Hosting Providers: For website and application hosting
We have Data Processing Agreements (DPAs) in place with all third-party processors to ensure they handle your data in compliance with GDPR.
12. Children's Data
Finn is not directed at children under 16 years of age (or the applicable age of digital consent in your country). We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us.
13. Right to Lodge a Complaint
If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with your local supervisory authority. However, we encourage you to contact us first so we can address your concerns.
You can find your local supervisory authority at: European Data Protection Board - Supervisory Authorities
14. Updates to This Page
We may update this GDPR compliance page from time to time to reflect changes in our practices or regulatory requirements. We will notify you of any material changes by posting the updated information on this page and updating the "Last updated" date.
15. Contact Information
For any questions about our GDPR compliance, to exercise your rights, or to raise concerns about how we handle your data, please contact us at hello@finnfocus.app.
Please include "GDPR Request" in the subject line and provide sufficient information to verify your identity and specify the nature of your request.