Privacy Policy
Effective Date: March 12, 2026 · Last updated: March 12, 2026
1. Who We Are
FARO Financial Technologies Inc. ("FARO," "we," "us," or "our") operates the FARO Financial Command Center web application (the "Service") available at https://faro.finance.
This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our Service. We are committed to protecting your privacy and complying with the Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec's Charter of the French Language (Bill 96), Law 25 (Québec), and, where applicable, the General Data Protection Regulation (GDPR).
If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.
2. Information We Collect
2.1 Information You Provide Directly
- Account information: Name, email address, and profile picture, provided through our authentication provider Clerk (Google OAuth or email/password).
- Financial data: Income amounts, expense descriptions, merchant names, categories, vault balances, goals, recurring rules, and scheduled bills that you enter manually into the Service.
- Budget configuration: Vault names, percentages, and allocation settings.
2.2 Information Collected Automatically
- Usage data: Pages visited, features used, session duration, and interaction patterns.
- Device information: Browser type, operating system, and general geographic region (country/province inferred from IP address).
- Log data: Server logs including IP address, timestamps, and error reports. Logs are retained for a maximum of 90 days.
2.3 Information We Do NOT Collect
- We do not collect or store your banking credentials, Social Insurance Number (SIN), or credit card numbers.
- We do not currently integrate with any banking institution or perform bank account verification. All financial data is entered manually by you.
3. How We Use Your Information
We use your information to:
- Provide, operate, and improve the Service
- Authenticate you and maintain your session
- Process your financial data to display budgets, reports, and projections
- Send transactional emails (account creation, password reset) via Clerk
- Enforce subscription tier limits and billing
- Respond to your support requests
- Meet our legal obligations under PIPEDA and applicable provincial law
- Detect and prevent fraud, abuse, or security incidents
We do not sell your personal information to third parties. We do not use your financial data for advertising purposes.
4. Legal Basis for Processing (GDPR / PIPEDA)
We process your personal information on the following bases:
- Contractual necessity: Processing required to deliver the Service you have signed up for.
- Legitimate interests: Security monitoring, fraud prevention, and service improvement, balanced against your privacy rights.
- Consent: For any optional communications or analytics, which you may withdraw at any time.
- Legal obligation: Compliance with applicable laws and regulations.
5. Third-Party Service Providers
We share data with trusted third parties solely to operate the Service:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Clerk | Authentication & identity management | Name, email, profile picture | United States |
| Neon (Neon, Inc.) | Database hosting (Postgres) | All financial data you enter | United States (AWS us-east-1) |
| Vercel | Web application hosting & CDN | Request logs, IP addresses | United States / Canada |
All providers are contractually obligated to protect your data and may not use it for any purpose other than providing services to us. We ensure appropriate data transfer mechanisms (Standard Contractual Clauses where required by GDPR) are in place for international transfers.
6. Data Retention
We retain your personal information as follows:
- Account and financial data: Retained for the duration of your account plus 30 days after deletion to allow recovery from accidental deletions.
- Server logs: Retained for 90 days, then automatically purged.
- Billing records: Retained for 7 years as required by Canadian tax law.
When you delete your account (see Section 8), all personal data and financial records are permanently deleted within 30 days, except where retention is required by law.
7. Data Security
We protect your data using:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2+ (HTTPS).
- Encryption at rest: Database storage is encrypted at rest by our hosting provider (Neon / AWS, AES-256).
- Authentication: Managed by Clerk, which provides secure session handling, password hashing (bcrypt), and supports two-factor authentication.
- Access controls: Each user can only access their own financial data. Server-side authorization is enforced on every data request.
- No storage of payment credentials: Payment processing is handled by Stripe; we never store your credit card numbers.
While we take these measures seriously, no system is 100% secure. Please use a strong, unique password and enable two-factor authentication on your account.
8. Your Rights & Choices
Depending on your jurisdiction, you have the following rights regarding your personal data:
All users:
- Access: You can view and download all your financial data via the Transactions export (CSV) at any time.
- Correction: You can edit any transaction, vault, or goal directly in the app.
- Deletion: You can delete your account and all associated data at any time via Settings → Account → Delete Account, or by emailing privacy@faro.finance.
Quebec residents (Law 25 / Bill 64):
- You have the right to request portability of your personal information in a commonly used structured format.
- You have the right to be informed of and to consent to the collection of your personal information before it is collected.
EU/EEA residents (GDPR):
- Right to restriction of processing
- Right to object to processing
- Right to lodge a complaint with your national supervisory authority
To exercise any of these rights, contact us at privacy@faro.finance. We will respond within 30 days (PIPEDA) or within the timeframe required by applicable law.
9. Cookies & Tracking
We use the following cookies and local storage:
- Authentication cookies (Clerk): Strictly necessary to maintain your login session. Cannot be disabled without breaking the Service.
- Theme preference (localStorage): Stores your dark/light mode preference. No personal data is involved.
We do not use advertising cookies, cross-site tracking pixels, or Google Analytics.
10. Children's Privacy
FARO is not directed at children under 16 years of age. We do not knowingly collect personal information from anyone under 16. If you believe we have inadvertently collected such information, please contact us immediately at privacy@faro.finance.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy at this URL and, where appropriate, by email or in-app notification. The effective date at the top of this page indicates when the policy was last updated.
Your continued use of the Service after any changes constitutes your acceptance of the revised Privacy Policy.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy, please contact our Privacy Officer at: