Privacy Policy
Last updated 22 May 2026
Who we are
Finalizo is operated by Finalizo Ltd, registered in the United Kingdom. For account holders and visitors to finalizo.com, we act as the data controller for the personal information we collect to provide, secure, bill, and improve the service.
For client data uploaded by freelancers, agencies, or teams into handover packs, Finalizo generally acts as a data processor. The account holder is responsible for deciding what client data is uploaded, why it is processed, and how long it should be retained.
For privacy questions, data rights requests, or data processing questions, contact privacy@finalizo.com.
What data we collect
We collect account data including your name, email address, profile image from Google sign-in, authentication provider, timezone, workspace preferences, referral code, onboarding state, role, and subscription plan.
We collect product usage data including projects created, handover packs sent, pack views, sign-off timestamps, certificate records, support terms, integrations configured, API keys created, webhooks delivered, and product interactions needed to operate the service.
We store client data that you add to Finalizo, including client names, email addresses, company names, project names, handover records, resources, comments, support boundaries, and sign-off details. We process this client data on your behalf.
We store credential data that you choose to add to a handover pack. Credential passwords are encrypted with AES-256-GCM before storage. You should only add credentials you are authorised to process and hand over.
We collect billing metadata such as Stripe customer IDs, subscription status, invoice IDs, invoice URLs, payment status, billing period dates, cancellation feedback, and tax-related billing metadata. Stripe processes card details directly; we never see or store full card numbers or CVC values.
We collect technical data such as IP address, browser type, device information, request logs, session cookies, user agent, referrer, error traces, analytics events, and approximate location derived from infrastructure logs for security, fraud prevention, reliability, support, and product functionality.
How we use your data
We use your data to provide the Finalizo service, authenticate users, create handover packs, send transactional emails, collect sign-offs, deliver credential records, process billing, maintain integrations, and provide customer support.
We use transactional emails for magic links, handover notifications, sign-off requests, pack-view alerts, billing notices, trial reminders, account deletion confirmations, and account security events.
We may send product emails about Finalizo features and educational content where permitted. You can unsubscribe from marketing emails at any time. Transactional emails required to operate the service may still be sent.
We use technical and usage data to prevent fraud and abuse, monitor reliability, debug errors, improve the product, measure feature adoption, and understand product usage through privacy-conscious analytics.
Our legal bases under UK GDPR and EU GDPR may include performance of a contract, legitimate interests in running and securing the service, compliance with legal obligations, consent where required, and your instructions where we process client data as a processor.
Processors and sub-processors
We use trusted service providers to operate Finalizo. These include Supabase for database infrastructure, Vercel for hosting and deployment, Stripe for payments and tax, Resend for email delivery, UploadThing for file uploads, PostHog for product analytics, Sentry for error monitoring, Google for OAuth, and other infrastructure providers needed to operate the service.
When we act as your processor, these providers may act as sub-processors. We only share the data needed for each provider to perform its function. We do not sell personal data.
International transfers
Some processors may process data outside the United Kingdom or European Economic Area. Where required, we rely on appropriate safeguards such as adequacy decisions, Standard Contractual Clauses, or equivalent contractual protections.
Data storage and security
Finalizo stores application data in Supabase PostgreSQL. Production data is intended to be hosted in an EU region where available.
Credential passwords are encrypted with AES-256-GCM before storage. Encryption keys are stored separately in environment variables and are not committed to source control.
Traffic is protected with HTTPS/TLS. Production access is limited to authorised team members who need access to operate, secure, and support the service. We use role-based access, audit trails where available, rate limiting, and security monitoring.
Backups are retained for up to 30 days. Backup retention may differ for infrastructure providers, but we configure retention to support recovery while limiting unnecessary storage.
Data retention
Active account data is retained while your account remains active. You can export your data or request deletion from account settings where available or by contacting us.
When you delete your account, we schedule account data for permanent deletion within 30 days. We may retain billing, security, fraud prevention, backup, and legal records where required by law or necessary to establish, exercise, or defend legal claims.
Sign-off certificates and related audit evidence may be retained for up to 7 years as a legal and operational record unless deletion is required by law and no overriding retention obligation applies.
Your rights
If UK GDPR, EU GDPR, or similar privacy law applies to you, you may have the right to access your data, correct inaccurate data, request deletion, export your data in a portable format, restrict processing, object to processing, and withdraw consent where processing is based on consent.
To exercise any of these rights, email privacy@finalizo.com from the email address associated with your account. We aim to respond within 30 days. We may ask you to verify your identity before acting on a request.
If you are a client of a freelancer or agency using Finalizo, please contact that freelancer or agency first because they are usually the controller of your client data. We will support them in responding to lawful requests.
You may also have the right to complain to the UK Information Commissioner's Office or your local supervisory authority.
Cookies
Finalizo uses essential cookies for authentication sessions, security, preference storage, and core application functionality, including Auth.js/NextAuth session cookies.
We use analytics cookies or similar browser storage through PostHog to understand product usage, improve onboarding, and measure reliability. Analytics can be disabled where required by law or product settings.
We do not use advertising cookies, cross-site behavioural advertising pixels, or sell personal data.
Third-party processors
| Processor | Purpose | Location | Privacy Policy |
|---|---|---|---|
| Supabase | Database, auth-related infrastructure | EU / global | https://supabase.com/privacy |
| Stripe | Payments, tax, invoices, billing portal | US / global | https://stripe.com/privacy |
| Resend | Transactional email delivery | US | https://resend.com/privacy |
| PostHog | Product analytics | EU / global | https://posthog.com/privacy |
| Uploadthing | File uploads and storage | US | https://uploadthing.com/privacy |
| Vercel | Hosting and deployment | US / global | https://vercel.com/legal/privacy |
Contact
Data controller: Finalizo Ltd
Privacy contact: privacy@finalizo.com
We respond to privacy rights requests within 30 days unless a shorter period is required by applicable law.