Skip to main content

Finmail Privacy Policy

How Finmail Limited and its affiliates collect, use, disclose, and protect personal data for enterprise webmail — United States production hosting, Hong Kong operating entity, GDPR, CCPA, and Hong Kong PDPO alignment.

Effective:
Last updated:

1. Introduction and scope

Finmail Limited (Hong Kong operating entity, “Finmail,” “we,” “us,” or “our”) provides an AI-native enterprise webmail platform for regulated financial institutions, asset managers, and professional services firms (“Customer,” “you,” or “your”).

This Privacy Policy explains how we process personal data when you visit our marketing sites, request a demo, create an account, or use the Finmail Webmail service (the “Service”). It applies to visitors, trial users, administrators, and end users whose organizations subscribe to Finmail.

Production data hosting (material): Mail index metadata, compliance audit logs, outbound queue records, and related application databases for the Service are hosted in United States–based datacenter infrastructure (currently Virginia). Message bodies and attachments remain on customer-controlled IMAP infrastructure (e.g., Dovecot) unless your organization configures otherwise. Engineering source code and non-production assets are maintained by our Shanghai R&D entity. R&D environments do not store production database credentials, HttpOnly session secrets, or IMAP decryption keys. Access to US-hosted production infrastructure is limited to designated operational roles under least-privilege policy, MFA, and audit logging; routine engineering does not require production mailbox access.

This Policy is designed to align with:

  • the EU General Data Protection Regulation (GDPR) where applicable;
  • the California Consumer Privacy Act (CCPA) / CPRA for California residents where applicable;
  • the Hong Kong Personal Data (Privacy) Ordinance (Cap. 576) (“PDPO”); and
  • applicable US federal and state privacy laws for US-hosted processing.

If you use Finmail on behalf of an organization, your employer or fund administrator is typically the data controller for mailbox content; Finmail acts as a processor for that content and as an independent controller for account billing, security, and product analytics as described below.

Contact: [email protected]
Data protection inquiries (EU/UK): [email protected] (subject line: “DPO Request”)


2. Roles and entities

Role Entity / location Processing summary
Commercial operator Finmail Limited (Hong Kong) Contracts, billing, support, demo requests
Application hosting US (Virginia) production region mail_index, audit logs, settings, AI task metadata
Mail bodies Customer IMAP / mail infrastructure Primary storage of message content
R&D (segregated from production) Shanghai R&D entity Source code; no production credentials in R&D environments; production access least-privilege, audited

We do not sell personal data. We do not use personal data for cross-context behavioral advertising as defined under CPRA.


3. Categories of personal data we process

Category Examples Typical purpose Legal basis (GDPR)
Account & identity Name, work email, org name Account creation, authentication Contract; legitimate interests
Authentication Password hash, 2FA secrets (encrypted) Secure login Contract
Mail metadata Headers, subjects, flags, folder placement Indexing, search, sync Contract; legitimate interests
Mail content Bodies, attachments (via IMAP) Display, send, AI features (with controls) Contract (processor)
Compliance Audit chain entries, Legal Hold flags Regulatory workflows Legal obligation; contract
Usage & security IP, device, API logs, rate limits Fraud prevention, SOC operations Legitimate interests
AI processing Redacted/plaintext excerpts per settings Summaries, audits (customer-configured) Contract
Product analytics Aggregated traffic, response-time estimates, keyword trends Finmail Analytics dashboards for your account Contract; legitimate interests
Signal Hub Classified subscription/research mail metadata Daily intelligence briefing and publisher views Contract

HttpOnly session note: Your mailbox password is sealed in an HttpOnly JWT (mp claim) for IMAP/SMTP transport in Webmail and is not stored in our database as plaintext for reuse.

Client-side Vault: Encrypted device sync payloads are stored as ciphertext only; Finmail cannot decrypt them without your local master password.

External mail clients (optional): If you configure Outlook, Thunderbird, Apple Mail, or similar apps, those clients authenticate directly to imap.finmail.com and smtp.finmail.com with credentials you provide. Finmail logs standard mail-access and security events; the third-party app stores credentials per its own settings. See External mail clients.


4. How we use personal data

We use personal data to:

  1. Provide, secure, and maintain the Service;
  2. Authenticate users and enforce 2FA policies;
  3. Synchronize mail metadata and enable search;
  4. Operate compliance features (immutable audit chain, Legal Hold);
  5. Process AI features you enable (with PII masking on external AI egress where configured);
  6. Bill subscriptions and communicate service changes;
  7. Respond to legal requests and protect rights, safety, and integrity of the platform.

We do not use demo-form or marketing data to train generalized AI models on your mailbox content.

AI features and model training

When you enable AI-assisted features (including Ask Finmail and inbox analysis), processing is scoped to provide the Service for your account. Finmail does not use your emails, attachments, financial records, or AI prompts to train, retune, or improve proprietary or third-party large language models. You are responsible for verifying AI-generated outputs before relying on them for tax, accounting, audit, or regulatory filings.

Marketing site cookies and preferences

Our public marketing site may use cookies and similar technologies to remember locale preferences (finmail-locale), measure site performance, and—where disclosed—support affiliate or referral programs. You may refuse non-essential cookies through your browser settings; some preference features may not function without essential cookies.

Examples include session cookies (authentication and security), preference cookies (language and UI settings), and analytics cookies (aggregated visit statistics). Where we use advertising partners (such as Google Ads or affiliate networks), their policies govern any ad-personalization cookies they set; you may opt out via your browser or the partner’s ad settings.

We do not use mailbox content for cross-context behavioral advertising.


5. International transfers

Because production application data is hosted in the United States, personal data from the EEA, UK, and Hong Kong may be transferred to the US. Where required, we implement appropriate safeguards such as:

  • Standard Contractual Clauses (SCCs) with subprocessors;
  • Data Processing Agreements (DPAs) with enterprise customers; and
  • Transfer impact assessments for high-risk processing.

Copies of relevant SCCs may be requested at [email protected].


6. Subprocessors

We use infrastructure and service providers (hosting, email delivery, payment, analytics, AI APIs when enabled by you) that process personal data on our instructions. A current subprocessor list is available on request. Material changes will be notified per contract or this Policy.

Payments: Subscription billing may be processed by Stripe, Inc. Payment card data is collected directly by Stripe; Finmail does not store full card numbers.


7. Retention

Data type Retention approach
mail_index metadata While account active + contractual backup period
Compliance audit logs Append-only; retention per customer policy / Legal Hold
IMAP mail bodies Controlled by customer mail server retention
HttpOnly sessions Short TTL (e.g., 2 hours)
Demo lead forms Until CRM sync + reasonable business record period
Inactive unpaid accounts Suspension after 180 days without activity (last_activity_at, falling back to last_login_at); mail storage purge after ~365 days total inactivity while suspended; see Inactive accounts & recovery FAQ and Terms §4.9–4.10
Logs Rolling window per security policy

8. Security measures

We implement administrative, technical, and organizational measures including: TLS in transit, encryption at rest for sensitive fields, Edge JWT gating, rate limiting, append-only compliance hashing (CM6), and access controls segregating production from engineering. See our Security Trust Center for architecture summaries.

No method of transmission or storage is 100% secure; report concerns to [email protected].


9. Your rights

Depending on jurisdiction, you may have rights to access, rectify, erase, restrict, port, or object to processing, and to withdraw consent where processing is consent-based.

Region How to exercise
EEA / UK Contact [email protected]; you may lodge a complaint with your supervisory authority
California (CCPA/CPRA) Right to know, delete, correct, opt out of “sale/share” (we do not sell); authorized agent requests accepted
Hong Kong (PDPO) Access and correction requests under DPP 6; complaints to the PCPD

We may need to verify identity. Some requests may be limited by Legal Hold, litigation, or regulatory retention duties.


10. Children

The Service is intended for professional use by organizations. We do not knowingly collect data from children under 16.


11. Changes

We may update this Policy. Material changes will be posted at /legal/privacy with an updated “Last updated” date. Continued use after the effective date constitutes acknowledgment where permitted by law.


12. Contact

Finmail Limited
Email: [email protected]
Security: [email protected]