Legal ยท Privacy

Privacy you can read in one sitting.

We built Fit Finance for businesses that take their numbers seriously. That means treating your data the same way โ€” minimal collection, clear purposes, no advertising trackers, and exports you control. This policy explains exactly what we hold and why.

Last updated ยท 5 May 2026 v2.1 GDPR-aligned (EU/EEA) No advertising trackers ~6 min read

Four promises that drive everything below.

If you only have time for the headline version, this is it. The detailed sections back each one up.

We never sell your data

Your records, traffic patterns, and account profile are never sold, traded, or given to data brokers.

EU residency by default

Application data is hosted in Frankfurt. Cross-border flows use Standard Contractual Clauses.

Always exportable

Every record you create can be downloaded as CSV at any time. Leave whenever โ€” no clauses.

Deletable on demand

Cancel and we permanently delete your data within 90 days, except where law requires longer.

1. Scope of this Privacy Policy

This Privacy Policy applies to the Fit Finance marketing website, the Fit Finance web application, and related services where this policy is linked or referenced. Fit Finance is a product operated by Quantum-22 LTD, a company registered in Cyprus and the data controller for the purposes of this policy ("we", "us", "our").

By accessing or using the Services, you agree to the collection and use of information in accordance with this Policy.

2. Information we collect

We collect different types of information in order to provide and improve the Services. We deliberately keep this list short.

2.1 Information you provide

  • Account details: name, email address, password hash, and other details when you create an account or sign up for early access.
  • Business information: company name, VAT number, billing details, and other organisation profile fields you choose to provide.
  • Financial records you create: invoices, expenses, customer/vendor records, accounts, and KPI data you input into the Services.
  • Support and communication: messages, requests, and information you send us via email or support channels.

2.2 Information collected automatically

  • Usage data: pages visited, features used, time spent in the app, and aggregated interaction with the Services. We capture this through our own server-side analytics (no third-party advertising trackers, no fingerprinting).
  • Device and technical data: IP address, browser type and version, operating system, device identifiers, and basic diagnostic data needed to operate the Services and prevent abuse.
  • Cookies and similar technologies: see the Cookie Policy for the full list.

2.3 Information from third parties

We may receive information about you from third-party providers โ€” for example, authentication providers, payment processors (Stripe), or transactional-email providers (Resend) โ€” when you authorise these connections or when they are necessary to operate the Services.

3. How we use your information

  • To provide, operate, and maintain the Services.
  • To create and manage your account, organisations, and team workspaces.
  • To process and store the invoices, expenses, KPIs, and related financial data that are the core function of the Services.
  • To personalise your experience (locale, default VAT rate, currency preferences).
  • To communicate with you about updates, security alerts, and support โ€” never to send marketing without your explicit opt-in.
  • To analyse aggregate usage so we can improve performance, identify regressions, and prioritise features.
  • To comply with legal obligations and to enforce our Terms of Service.

5. How we share your information

We do not sell your personal data. Ever.

We share information only with the following categories of recipients:

  • Service providers and processors: infrastructure, payment, email, and support providers who process data on our behalf under contractual safeguards. See section 6 for the list.
  • Professional advisors: lawyers, accountants, or auditors when reasonably necessary for compliance or business purposes.
  • Legal and regulatory bodies: when required by law, court order, or to protect our rights, users, or the public.
  • Business transfers: in connection with a merger, acquisition, or sale of assets, with appropriate protections for your data.

6. Sub-processors

We rely on a small set of EU-first specialised vendors โ€” covering database hosting, edge delivery, payments, transactional email, and error monitoring. They process data only as instructed by us and only for the purposes for which they were engaged.

The named, up-to-date list lives on our Security overview โ€” a single source of truth that we update whenever we add or change a provider. Material changes are also communicated in-app.

7. International data transfers

Your application data lives in the European Union by default. Some sub-processors (Stripe, Cloudflare) are global by nature; where data leaves the EU/EEA we rely on Standard Contractual Clauses (SCCs) and other safeguards to keep your information protected.

Origin

Your browser

TLS 1.2+

Storage

Supabase EU

Frankfurt ยท AES-256

Egress

CSV exports

Always to you

8. Data retention

We retain personal data for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements.

Active account data

While subscription is active

Yours, accessible, exportable

Cancelled accounts

Up to 90 days, then erased

Unless legal retention applies

Financial records

Up to 7 years

Required by tax law

Backups

30-day rolling window

Auto-overwritten

You can request immediate deletion of your account from Settings โ†’ Account or by emailing us. We will confirm by email when deletion is complete.

9. Data security

We use technical and organisational measures appropriate to the risk:

  • Encryption in transit (TLS 1.2+) and at rest for the underlying database and object storage.
  • Row-level security so each organisation only sees its own records โ€” enforced at the database layer.
  • Single sign-on, password rotation, and least-privilege access for our internal staff.
  • Regular dependency scanning and security review of changes before they ship.

For more, see our Security overview. No system is impossible to breach โ€” but we treat your records the way we would want our own treated.

10. Your rights

Depending on your location and applicable law, you may have some or all of the following rights:

Access

Get a copy of all personal data we hold about you.

Rectify

Correct anything that's inaccurate or incomplete.

Erase

Request permanent deletion in certain circumstances.

Restrict

Pause or limit how we process your data.

Object

Object to processing based on legitimate interests.

Portability

Export every record you own as CSV โ€” anytime.

Withdraw

Pull consent back where processing relies on it.

Complain

Lodge a complaint with the Cyprus DPA or your local authority.

To exercise these rights, contact us using the details below. We may need to verify your identity before responding to your request, and we will reply within 30 days.

11. Cookies and similar technologies

We use cookies and similar technologies to operate the Services, keep you signed in, remember your preferences, and analyse usage in aggregate. The full list โ€” including how to opt out โ€” lives in our Cookie Policy.

12. Children's privacy

The Services are intended for use by businesses and are not directed to individuals under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, please contact us so we can take appropriate steps to remove it.

13. Changes to this Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, the Services, or legal requirements. When we make material changes, we will take reasonable steps to notify you โ€” for example, by updating the "Last updated" date, posting a notice in the app, or sending you an email. Material changes also bump the version (currently v2.1).

14. Contact us

Questions, requests, or concerns? Reach the team that builds Fit Finance:

Privacy, DPA & security disclosure

info@fit-finance.eu

Data subject requests, security reports, and general questions all reach the same inbox.

Data controller

Quantum-22 LTD

Cyprus, European Union

Supervisory authority: Office of the Commissioner for Personal Data Protection, Cyprus.