Privacy Policy

Operator — The Services are currently operated by Steven Michael Snary, a sole proprietor located in Ontario, Canada, doing business as MyFinancialApps.io. We may, in the future, transfer ownership and operation of the Services to a U.S. limited liability company affiliated with the same principal. If that occurs, this Policy will be updated to reflect the new operator and you will be notified in accordance with Section 11.

Advisor as Controller; MyFinancialApps as Processor — When a financial advisor ("Advisor") inputs, uploads, or generates personal information about a client they have invited to the App ("Client Data"), the Advisor acts as the data controller of that Client Data and we act as the data processor on the Advisor's behalf. Advisors are responsible for obtaining all necessary consents from their clients, complying with the privacy and financial-services laws applicable to them, and providing their clients with their own privacy notices where required.

Account Categories — The Services support two categories of accounts: (a) Advisor accounts, created by financial advisors who subscribe to the App, and (b) Client accounts, which can only be created by an end-client after receiving an invitation from an Advisor. Without an Advisor invitation, a person cannot proceed past the welcome screen or create a Client account.

Information You Provide — We collect information you provide directly, such as your name, email address, phone number, business address (for Advisors), licensing or registration information (for Advisors), and the financial planning information you enter into the App (which may include income, expenses, insurance coverage, budget allocations, paycheck allocations, cashflow data, and related notes).

Client Data Entered by Advisors — Where an Advisor enters Client Data on behalf of an invited client, we process that information on behalf of the Advisor in accordance with Section 1.2. The Advisor is responsible for the accuracy, lawfulness, and consent basis of any Client Data they input.

Usage and Device Information — We collect information about how you interact with the App and Services, including device identifiers, operating system, app version, IP address, log data, crash reports, and usage events. This information helps us operate, secure, and improve the Services.

Cookies and Similar Technologies — On our websites, we use cookies and similar technologies for authentication, security, and basic analytics. You can disable cookies in your browser settings, but some features of our websites may not work properly.

Information from Third-Party Sign-In — If you choose to sign in or connect a third-party account (such as Google), we collect the limited information authorized by you through that provider. See Section 9 for Google-specific disclosures.

Providing the Services — We use information to create and authenticate accounts, deliver the App's functionality (including the Insurance, Budget, Payday Planner, and Cashflow Calendar modules), generate compliance documents at the Advisor's direction, send service-related notifications, and respond to support requests.

Improving and Securing the Services — We use aggregate and de-identified usage information to monitor performance, diagnose issues, prevent fraud and abuse, and improve the Services. We do not use Client Data for product analytics in a way that identifies individual clients.

Communications — We may send you transactional messages (such as account, security, billing, and service notices). We will only send marketing or promotional messages where permitted by applicable law (including Canada's Anti-Spam Legislation, "CASL," and applicable U.S. laws), and you may opt out at any time using the unsubscribe link in such messages or by contacting us using Section 12.

Legal and Safety — We may use information to comply with applicable laws, respond to lawful requests from public authorities, enforce our Terms, and protect the rights, property, or safety of MyFinancialApps, our users, or others.

No Sale of Personal Information — We do not sell personal information for monetary or other valuable consideration, and we do not engage in "sharing" of personal information for cross-context behavioural advertising as those terms are defined under applicable U.S. state privacy laws.

Where Your Data Is Stored — Personal information processed through the Services is stored in encrypted form in our database, which is hosted on Google Cloud Platform / Firebase, with primary servers located in Montreal, Quebec, Canada.

Cross-Border Transfers — Because the Services are available to users in both Canada and the United States, personal information may be accessed, transferred to, or processed in jurisdictions other than your own. By using the Services, you acknowledge that your information may be subject to the laws of those jurisdictions, including lawful access requests by government authorities. We rely on contractual and technical safeguards (including the use of Google Cloud's standard data-processing terms and our internal access controls) to protect your information during any such transfer.

With the Inviting Advisor (for Clients) — If you are a Client, the financial planning information you and your Advisor enter into the App is shared with your Advisor as part of the core function of the Services. This sharing is the reason the App exists.

Service Providers (Sub-Processors) — We share personal information with vetted service providers that help us operate the Services, including Google Cloud Platform / Firebase (hosting, database, authentication, analytics), email delivery providers, and similar infrastructure providers. These providers are contractually bound to use the information only to provide services to us and to protect it with safeguards no less protective than ours.

Legal and Compliance — We may disclose information in response to a valid subpoena, court order, or other lawful request; to comply with applicable laws and regulations; to enforce our Terms; or to protect the rights, property, or safety of MyFinancialApps, our users, or others.

Business Transfers — We may share or transfer information in connection with the planned transfer of the Services to our affiliated U.S. limited liability company (see Section 1.1), or in connection with any future merger, acquisition, financing, or sale of all or part of our business. Any successor will be bound by privacy commitments no less protective than this Policy, and we will provide notice of material changes per Section 11.

No Sale of Information — We do not sell personal information. See Section 3.5.

Encryption and Access Controls — Personal information is encrypted in transit using industry-standard TLS, and is encrypted at rest within our Google Cloud Platform / Firebase database. We maintain role-based access controls, audit logging, and least-privilege access for our personnel and authorized service providers.

No Absolute Security — No method of transmission over the internet, or method of electronic storage, is fully secure. While we use reasonable safeguards designed to protect personal information, we cannot guarantee absolute security.

Retention — We retain personal information for as long as your account remains active and as needed to provide the Services. We may retain certain information for a limited period afterwards as required for legal, tax, regulatory, audit, security, fraud-prevention, or dispute-resolution purposes, or as otherwise permitted by applicable law.

Breach Notification — In the event of a security breach affecting personal information, we will notify affected users and applicable regulators (including the Office of the Privacy Commissioner of Canada and applicable U.S. state regulators) as required by applicable law.

Access, Correction, and Deletion — You may review and update most of your information directly in the App. You may also delete your account and associated user-generated data using the Delete Account function in the Profile section of the App, or by contacting us using Section 12. Where Client Data is involved, deletion requests by Clients may be coordinated with the inviting Advisor in their capacity as data controller.

Withdrawing Consent — Where we rely on consent to process your information, you may withdraw that consent at any time, subject to legal or contractual restrictions and reasonable notice. Withdrawing consent may limit your ability to use parts of the Services.

Canadian Users (PIPEDA, Quebec Law 25, and Provincial Equivalents) — If you are located in Canada, you have the right under the Personal Information Protection and Electronic Documents Act ("PIPEDA"), Quebec's Act respecting the protection of personal information in the private sector (as amended by Law 25), and substantially similar provincial laws (including Alberta's PIPA and British Columbia's PIPA where applicable), to request access to and correction of your personal information, to file a complaint, and to receive information about our policies and practices. You may direct any request or complaint to our Privacy Officer (Section 12). If we are unable to resolve your complaint, you may contact the Office of the Privacy Commissioner of Canada, the Commission d'accès à l'information du Québec, or your provincial regulator.

Quebec-Specific Rights — Users in Quebec have additional rights under Law 25, including the right to request the cessation of dissemination of personal information, the right to be informed of any automated decision-making affecting them, and the right to data portability in a structured, commonly used technological format, subject to the conditions and exceptions set out in applicable law.

U.S. State Privacy Rights — Depending on your state of residence (including California, Colorado, Connecticut, Virginia, Utah, and other states with comprehensive consumer-privacy laws), you may have rights to: (a) confirm whether we process your personal information and access it; (b) correct inaccurate personal information; (c) request deletion of personal information; (d) opt out of the sale of personal information or its use for targeted advertising (we do neither — see Section 3.5); and (e) appeal a denial of a request. To exercise any of these rights, contact us using Section 12. We will verify your identity before fulfilling a request and will respond within the time periods required by your state's law.

Non-Discrimination — We will not discriminate against you for exercising any of the rights described above.

The Services are not directed to, and we do not knowingly collect personal information from, individuals under the age of 18. If we learn that we have collected personal information from a person under 18 without verifiable parental consent or other legal basis, we will delete that information.

Data Accessed — Where you choose to connect a Google account, we access the following Google user data via OAuth scopes: https://www.googleapis.com/auth/gmail.readonly. We only request the minimum scopes necessary for secure sign-in and, where applicable, read-only access to emails between you and a specified client.

Data Usage — We use Google user data solely to provide and improve the Services (for example, authenticating users and surfacing data relevant to a financial planning session). We do not use Google user data for advertising, marketing, profiling, or any purpose other than delivering the Services.

Data Sharing — We do not sell Google user data. We share it only with our hosting provider (Google Cloud Platform / Firebase) under data-processing terms, and with sub-processors who help deliver the Services under contractual protections no less protective than this Policy.

Data Storage and Protection — Google user data is encrypted in transit and at rest within our Firebase backend (servers located in Montreal, Quebec, Canada). We maintain strict access controls and comply with Google's security requirements.

Data Retention and Deletion — We retain Google user data only as long as necessary to provide the Services or as required by law (typically no longer than 30 days after account deletion). You may request deletion of all your data (including any linked Google data) at any time using the Delete Account feature in the App or by emailing Steve@MyFinancialApps.io. We will action the request within 30 days and confirm by email.

Limited Use Disclosure — MyFinancialApps's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

The Services may contain links to, or integrations with, third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing any personal information to them.

We may update this Policy from time to time to reflect changes in our practices, in the Services, or for legal, regulatory, or operational reasons. When we make material changes, we will update the "Last updated" date above and provide reasonable notice through the App, by email, or by posting a notice on our website before the change takes effect.

Privacy Officer — Steven Michael Snary serves as our designated Privacy Officer for MyFinancialApps.io.

Contact — For privacy questions, requests to exercise the rights described in Section 7, or complaints, please email us at Steve@MyFinancialApps.io.

Response Time — We aim to acknowledge privacy requests within 10 business days and respond substantively within 30 days, or such shorter period as required by applicable law.