Showing English version — localized document not available yet.
Finmail Privacy Policy
How Finmail Limited and its affiliates collect, use, disclose, and protect personal data for enterprise webmail — United States production hosting, Hong Kong operating entity, GDPR, CCPA, and Hong Kong PDPO alignment.
- Effective:
- Last updated:
1. Introduction and scope
Finmail Limited (Hong Kong operating entity, “Finmail,” “we,” “us,” or “our”) provides an AI-native enterprise webmail platform for regulated financial institutions, asset managers, and professional services firms (“Customer,” “you,” or “your”).
This Privacy Policy explains how we process personal data when you visit our marketing sites, request a demo, create an account, or use the Finmail Webmail service (the “Service”). It applies to visitors, trial users, administrators, and end users whose organizations subscribe to Finmail.
Production data hosting (material): Mail index metadata, compliance audit logs, outbound queue records, and related application databases for the Service are hosted in United States–based datacenter infrastructure (currently Virginia). Message bodies and attachments remain on customer-controlled IMAP infrastructure (e.g., Dovecot) unless your organization configures otherwise. Engineering source code and non-production assets are maintained by our Shanghai R&D entity. R&D environments do not store production database credentials, HttpOnly session secrets, or IMAP decryption keys. Access to US-hosted production infrastructure is limited to designated operational roles under least-privilege policy, MFA, and audit logging; routine engineering does not require production mailbox access.
This Policy is designed to align with:
- the EU General Data Protection Regulation (GDPR) where applicable;
- the California Consumer Privacy Act (CCPA) / CPRA for California residents where applicable;
- the Hong Kong Personal Data (Privacy) Ordinance (Cap. 576) (“PDPO”); and
- applicable US federal and state privacy laws for US-hosted processing.
If you use Finmail on behalf of an organization, your employer or fund administrator is typically the data controller for mailbox content; Finmail acts as a processor for that content and as an independent controller for account billing, security, and product analytics as described below.
Contact: [email protected]
Data protection inquiries (EU/UK): [email protected] (subject line: “DPO Request”)
2. Roles and entities
| Role | Entity / location | Processing summary |
|---|---|---|
| Commercial operator | Finmail Limited (Hong Kong) | Contracts, billing, support, demo requests |
| Application hosting | US (Virginia) production region | mail_index, audit logs, settings, AI task metadata |
| Mail bodies | Customer IMAP / mail infrastructure | Primary storage of message content |
| R&D (segregated from production) | Shanghai R&D entity | Source code; no production credentials in R&D environments; production access least-privilege, audited |
We do not sell personal data. We do not use personal data for cross-context behavioral advertising as defined under CPRA.
3. Categories of personal data we process
| Category | Examples | Typical purpose | Legal basis (GDPR) |
|---|---|---|---|
| Account & identity | Name, work email, org name | Account creation, authentication | Contract; legitimate interests |
| Authentication | Password hash, 2FA secrets (encrypted) | Secure login | Contract |
| Mail metadata | Headers, subjects, flags, folder placement | Indexing, search, sync | Contract; legitimate interests |
| Mail content | Bodies, attachments (via IMAP) | Display, send, AI features (with controls) | Contract (processor) |
| Compliance | Audit chain entries, Legal Hold flags | Regulatory workflows | Legal obligation; contract |
| Usage & security | IP, device, API logs, rate limits | Fraud prevention, SOC operations | Legitimate interests |
| AI processing | Redacted/plaintext excerpts per settings | Summaries, audits (customer-configured) | Contract |
| Product analytics | Aggregated traffic, response-time estimates, keyword trends | Finmail Analytics dashboards for your account | Contract; legitimate interests |
| Signal Hub | Classified subscription/research mail metadata | Daily intelligence briefing and publisher views | Contract |
HttpOnly session note: Your mailbox password is sealed in an HttpOnly JWT (mp claim) for IMAP/SMTP transport in Webmail and is not stored in our database as plaintext for reuse.
Client-side Vault: Encrypted device sync payloads are stored as ciphertext only; Finmail cannot decrypt them without your local master password.
External mail clients (optional): If you configure Outlook, Thunderbird, Apple Mail, or similar apps, those clients authenticate directly to imap.finmail.com and smtp.finmail.com with credentials you provide. Finmail logs standard mail-access and security events; the third-party app stores credentials per its own settings. See External mail clients.
4. How we use personal data
We use personal data to:
- Provide, secure, and maintain the Service;
- Authenticate users and enforce 2FA policies;
- Synchronize mail metadata and enable search;
- Operate compliance features (immutable audit chain, Legal Hold);
- Process AI features you enable (with PII masking on external AI egress where configured);
- Bill subscriptions and communicate service changes;
- Respond to legal requests and protect rights, safety, and integrity of the platform.
We do not use demo-form or marketing data to train generalized AI models on your mailbox content.
AI features and model training
When you enable AI-assisted features (including Ask Finmail and inbox analysis), processing is scoped to provide the Service for your account. Finmail does not use your emails, attachments, financial records, or AI prompts to train, retune, or improve proprietary or third-party large language models. You are responsible for verifying AI-generated outputs before relying on them for tax, accounting, audit, or regulatory filings.
Marketing site cookies and preferences
Our public marketing site may use cookies and similar technologies to remember locale preferences (finmail-locale), measure site performance, and—where disclosed—support affiliate or referral programs. You may refuse non-essential cookies through your browser settings; some preference features may not function without essential cookies.
Examples include session cookies (authentication and security), preference cookies (language and UI settings), and analytics cookies (aggregated visit statistics). Where we use advertising partners (such as Google Ads or affiliate networks), their policies govern any ad-personalization cookies they set; you may opt out via your browser or the partner’s ad settings.
We do not use mailbox content for cross-context behavioral advertising.
5. International transfers
Because production application data is hosted in the United States, personal data from the EEA, UK, and Hong Kong may be transferred to the US. Where required, we implement appropriate safeguards such as:
- Standard Contractual Clauses (SCCs) with subprocessors;
- Data Processing Agreements (DPAs) with enterprise customers; and
- Transfer impact assessments for high-risk processing.
Copies of relevant SCCs may be requested at [email protected].
6. Subprocessors
We use infrastructure and service providers (hosting, email delivery, payment, analytics, AI APIs when enabled by you) that process personal data on our instructions. A current subprocessor list is available on request. Material changes will be notified per contract or this Policy.
Payments: Subscription billing may be processed by Stripe, Inc. Payment card data is collected directly by Stripe; Finmail does not store full card numbers.
7. Retention
| Data type | Retention approach |
|---|---|
mail_index metadata |
While account active + contractual backup period |
| Compliance audit logs | Append-only; retention per customer policy / Legal Hold |
| IMAP mail bodies | Controlled by customer mail server retention |
| HttpOnly sessions | Short TTL (e.g., 2 hours) |
| Demo lead forms | Until CRM sync + reasonable business record period |
| Inactive unpaid accounts | Suspension after 180 days without activity (last_activity_at, falling back to last_login_at); mail storage purge after ~365 days total inactivity while suspended; see Inactive accounts & recovery FAQ and Terms §4.9–4.10 |
| Logs | Rolling window per security policy |
8. Security measures
We implement administrative, technical, and organizational measures including: TLS in transit, encryption at rest for sensitive fields, Edge JWT gating, rate limiting, append-only compliance hashing (CM6), and access controls segregating production from engineering. See our Security Trust Center for architecture summaries.
No method of transmission or storage is 100% secure; report concerns to [email protected].
9. Your rights
Depending on jurisdiction, you may have rights to access, rectify, erase, restrict, port, or object to processing, and to withdraw consent where processing is consent-based.
| Region | How to exercise |
|---|---|
| EEA / UK | Contact [email protected]; you may lodge a complaint with your supervisory authority |
| California (CCPA/CPRA) | Right to know, delete, correct, opt out of “sale/share” (we do not sell); authorized agent requests accepted |
| Hong Kong (PDPO) | Access and correction requests under DPP 6; complaints to the PCPD |
We may need to verify identity. Some requests may be limited by Legal Hold, litigation, or regulatory retention duties.
10. Children
The Service is intended for professional use by organizations. We do not knowingly collect data from children under 16.
11. Changes
We may update this Policy. Material changes will be posted at /legal/privacy with an updated “Last updated” date. Continued use after the effective date constitutes acknowledgment where permitted by law.
12. Contact
Finmail Limited
Email: [email protected]
Security: [email protected]
