1. Scope of this Privacy Policy
This Privacy Policy applies to the Fit Finance marketing website, the Fit Finance web application, and related services where this policy is linked or referenced. Fit Finance is a product operated by Quantum-22 LTD, a company registered in Cyprus and the data controller for the purposes of this policy ("we", "us", "our").
By accessing or using the Services, you agree to the collection and use of information in accordance with this Policy.
2. Information we collect
We collect different types of information in order to provide and improve the Services. We deliberately keep this list short.
2.1 Information you provide
- Account details: name, email address, password hash, and other details when you create an account or sign up for early access.
- Business information: company name, VAT number, billing details, and other organisation profile fields you choose to provide.
- Financial records you create: invoices, expenses, customer/vendor records, accounts, and KPI data you input into the Services.
- Support and communication: messages, requests, and information you send us via email or support channels.
2.2 Information collected automatically
- Usage data: pages visited, features used, time spent in the app, and aggregated interaction with the Services. We capture this through our own server-side analytics (no third-party advertising trackers, no fingerprinting).
- Device and technical data: IP address, browser type and version, operating system, device identifiers, and basic diagnostic data needed to operate the Services and prevent abuse.
- Cookies and similar technologies: see the Cookie Policy for the full list.
2.3 Information from third parties
We may receive information about you from third-party providers โ for example, authentication providers, payment processors (Stripe), or transactional-email providers (Resend) โ when you authorise these connections or when they are necessary to operate the Services.
3. How we use your information
- To provide, operate, and maintain the Services.
- To create and manage your account, organisations, and team workspaces.
- To process and store the invoices, expenses, KPIs, and related financial data that are the core function of the Services.
- To personalise your experience (locale, default VAT rate, currency preferences).
- To communicate with you about updates, security alerts, and support โ never to send marketing without your explicit opt-in.
- To analyse aggregate usage so we can improve performance, identify regressions, and prioritise features.
- To comply with legal obligations and to enforce our Terms of Service.
4. Legal basis for processing
Where data protection laws (such as the EU/EEA General Data Protection Regulation โ GDPR) apply, we process your personal data under one or more of the following legal bases:
- Contract: processing is necessary to deliver the Services, maintain your account, or fulfil our agreement with you.
- Legitimate interests: to improve the Services, secure our systems, prevent abuse, and communicate reasonable updates โ provided your rights and freedoms do not override these interests.
- Consent: when you explicitly agree to specific processing (e.g., analytics opt-in via the cookie banner, marketing email opt-in). You can withdraw consent at any time.
- Legal obligation: when we must process data to comply with laws or regulatory requirements (for example, retaining invoice records for tax compliance).
6. Sub-processors
We rely on a small set of EU-first specialised vendors โ covering database hosting, edge delivery, payments, transactional email, and error monitoring. They process data only as instructed by us and only for the purposes for which they were engaged.
The named, up-to-date list lives on our Security overview โ a single source of truth that we update whenever we add or change a provider. Material changes are also communicated in-app.
7. International data transfers
Your application data lives in the European Union by default. Some sub-processors (Stripe, Cloudflare) are global by nature; where data leaves the EU/EEA we rely on Standard Contractual Clauses (SCCs) and other safeguards to keep your information protected.
Data flow at a glance
Origin
Your browser
TLS 1.2+
Storage
Supabase EU
Frankfurt ยท AES-256
Egress
CSV exports
Always to you
8. Data retention
We retain personal data for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements.
Active account data
While subscription is active
Yours, accessible, exportable
Cancelled accounts
Up to 90 days, then erased
Unless legal retention applies
Financial records
Up to 7 years
Required by tax law
Backups
30-day rolling window
Auto-overwritten
You can request immediate deletion of your account from Settings โ Account or by emailing us. We will confirm by email when deletion is complete.
9. Data security
We use technical and organisational measures appropriate to the risk:
- Encryption in transit (TLS 1.2+) and at rest for the underlying database and object storage.
- Row-level security so each organisation only sees its own records โ enforced at the database layer.
- Single sign-on, password rotation, and least-privilege access for our internal staff.
- Regular dependency scanning and security review of changes before they ship.
For more, see our Security overview. No system is impossible to breach โ but we treat your records the way we would want our own treated.
10. Your rights
Depending on your location and applicable law, you may have some or all of the following rights:
Access
Get a copy of all personal data we hold about you.
Rectify
Correct anything that's inaccurate or incomplete.
Erase
Request permanent deletion in certain circumstances.
Restrict
Pause or limit how we process your data.
Object
Object to processing based on legitimate interests.
Portability
Export every record you own as CSV โ anytime.
Withdraw
Pull consent back where processing relies on it.
Complain
Lodge a complaint with the Cyprus DPA or your local authority.
To exercise these rights, contact us using the details below. We may need to verify your identity before responding to your request, and we will reply within 30 days.
12. Children's privacy
The Services are intended for use by businesses and are not directed to individuals under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, please contact us so we can take appropriate steps to remove it.
13. Changes to this Privacy Policy
We may update this Privacy Policy to reflect changes in our practices, the Services, or legal requirements. When we make material changes, we will take reasonable steps to notify you โ for example, by updating the "Last updated" date, posting a notice in the app, or sending you an email. Material changes also bump the version (currently v2.1).
14. Contact us
Questions, requests, or concerns? Reach the team that builds Fit Finance:
Privacy, DPA & security disclosure
info@fit-finance.eu
Data subject requests, security reports, and general questions all reach the same inbox.
Data controller
Quantum-22 LTD
Cyprus, European Union
Supervisory authority: Office of the Commissioner for Personal Data Protection, Cyprus.