Data Policy & Information Security

1. Introduction

FlowyCash is committed to protecting the privacy, security, and confidentiality of all user data. This Data Policy outlines our comprehensive approach to information security, data protection, and privacy practices. We have implemented robust policies and procedures to identify, mitigate, and continuously monitor information security risks relevant to our financial technology services.

2. Information Security Framework

2.1 Security Governance

• Our information security program follows industry-standard frameworks including NIST Cybersecurity Framework and incorporates security best practices
• We conduct regular security assessments and vulnerability scans to identify potential risks
• Security policies are reviewed and updated annually or when significant changes occur
• All team members undergo security awareness training and follow secure development practices

2.2 Risk Identification & Assessment

• Quarterly risk assessments to identify new and evolving security threats
• Continuous vulnerability scanning and penetration testing
• Third-party vendor security assessments and ongoing monitoring
• Regular review of data flows and access patterns
• Threat modeling for all new features and system changes

2.3 Risk Mitigation

• Multi-layered security controls including firewalls, intrusion detection, and endpoint protection
• Implementation of zero-trust architecture principles
• Regular security patches and system updates
• Incident response procedures with defined escalation paths
• Business continuity and disaster recovery planning

2.4 Continuous Monitoring

• Continuous monitoring of system logs and security events
• Automated vulnerability scanning and threat detection
• Regular review of access logs and user activities
• Monitoring of third-party service provider security status
• Incident tracking and response documentation

3. Data Collection and Use

3.1 Types of Data We Collect

• Account Information: Name, email address, password (encrypted)
• Financial Data: Bank account information, transaction data, balances
• Usage Data: Application usage patterns, feature interactions, device information
• Authentication Data: Login credentials, session tokens, multi-factor authentication data

3.2 How We Use Your Data

• Provide and improve our financial management services
• Process transactions and maintain account balances
• Generate insights and analytics for budgeting and financial planning
• Authenticate users and prevent unauthorized access
• Comply with legal and regulatory requirements
• Communicate important account and service information

4. Data Protection Measures

4.1 Encryption and Security

• All data is encrypted in transit using TLS 1.3 or higher
• Data at rest is encrypted using AES-256 encryption
• Database encryption with customer-managed encryption keys
• End-to-end encryption for sensitive financial data
• Secure key management and rotation practices

4.2 Access Controls

• Role-based access control (RBAC) with principle of least privilege
• Multi-factor authentication required for all accounts
• Regular access reviews and deprovisioning procedures
• Segregation of duties for critical operations
• Audit logging of all data access and modifications

Note: For detailed information about our access controls, see our Access Control Policy.

4.3 Infrastructure Security

• Cloud infrastructure hosted on secure platforms (Supabase, Vercel - Vercel is SOC 2 Type II certified)
• Secure network configurations and access controls
• Web application firewalls and DDoS protection provided by our hosting platforms
• Regular security scanning and vulnerability assessments
• Secure development lifecycle (SDLC) practices

5. Banking Integration Security

We use Plaid, a certified financial technology provider, to securely connect to your bank accounts:

• Plaid is SOC 2 Type II certified and follows strict security standards
• We never store your banking credentials or passwords
• All banking connections use read-only access with user consent
• Bank-level security with 256-bit SSL encryption
• Regular security audits of third-party integrations

6. Data Retention and Deletion

• Personal data is retained only as long as necessary to provide our services
• Financial transaction data is retained for 7 years to comply with regulatory requirements
• Users can request data deletion through their account settings
• Secure data destruction procedures for end-of-life systems
• Regular purging of unnecessary logs and temporary data

7. Your Rights and Controls

• Access: Request a copy of your personal data
• Correction: Update or correct inaccurate information
• Deletion: Request deletion of your account and data
• Portability: Export your data in a machine-readable format
• Opt-out: Withdraw consent for data processing where applicable

To exercise these rights, please contact us at privacy@flowycash.com

8. Incident Response

In the unlikely event of a security incident:

• We will assess and respond to security incidents promptly upon detection
• Affected users will be notified within 72 hours as required by applicable laws
• We will work with law enforcement and regulatory bodies as appropriate
• Post-incident reviews will be conducted to improve our security measures
• We maintain documented incident response procedures

9. Regulatory Compliance

FlowyCash is committed to complying with applicable data protection regulations:

• GDPR (General Data Protection Regulation) for EU users
• CCPA (California Consumer Privacy Act) for California residents
• We follow financial privacy best practices and applicable state regulations
• Our payment processing and banking integrations are handled by PCI DSS compliant providers
• We maintain data processing agreements with all third-party service providers

10. Third-Party Services

We partner with reputable, security-certified service providers to ensure data protection:

• Supabase: Database and authentication services
• Plaid: Banking data aggregation (SOC 2 Type II certified)
• Vercel: Application hosting and CDN (SOC 2 Type II certified)
• We select vendors based on their security certifications and compliance standards
• Data processing agreements (DPAs) are in place with all critical service providers

11. Policy Updates

This policy may be updated periodically to reflect changes in our practices, technologies, or legal requirements. We will notify users of material changes via email and through our application. Continued use of our services after policy updates constitutes acceptance of the revised terms.

12. Contact Us

If you have questions about this Data Policy or our security practices, please contact us: