Privacy Policy

Last updated: 2026-05-26

We take your privacy seriously. This policy explains what data FinDash, Inc. ("FinDash," "we," "our," and "us") collects, how we use it, when we disclose it, how long we retain it, and the controls available to users and firms.

Information We Collect and Process

Depending on the features a user or firm enables, FinDash may collect and process the following categories of information:

• Account and identity data: names, email addresses, phone numbers, mailing addresses, organization membership, user roles, authentication metadata, OAuth/MCP connection grants, scopes, and audit events.
• Advisor, client, and contact data: contact profiles, household and family relationships, professional contacts, tags, service levels, referral/source fields, relationship status, assigned advisor information, notes, tasks, workflows, opportunities, and onboarding responses.
• Financial planning data: assets, liabilities, account balances, net worth history, holdings, positions, investment transactions, cash-flow transactions, income and expense scenarios, goals, projections, tax summaries, estate planning records, ownership and beneficiary designations, insurance policy details, and custodial/provider metadata.
• Documents and extracted content: uploaded document metadata, file names, folders, document text, extracted document data, generated download links, and document binary chunks when requested by an authorized user.
• Connected provider data: information retrieved from user-authorized financial, custodial, email, calendar, meeting, and other integrations, including connected mailbox metadata, email participants, subject lines, snippets, headers, message bodies, and attachments when a connected-email feature is used.
• AI Notetaker and meeting data: meeting metadata, transcripts, summaries, action items, participant information, recording/transcript availability, and user-configured privacy settings.
• Usage, device, and security data: IP address, browser and device information, session activity, feature usage, request metadata, error diagnostics, audit logs, and security monitoring events.

FinDash does not intentionally collect bank login credentials. When users connect financial institutions or other providers, those connections are handled through authorized integration providers and access tokens or grants are stored and protected as needed to deliver the service.

How We Use Information

We use information to provide, secure, support, and improve FinDash, including to authenticate users, enforce firm-level permissions, search and retrieve authorized records, create or update workspace records at the user's direction, generate client briefs and planning summaries, process documents, retrieve connected emails and meeting transcripts, operate AI features, troubleshoot issues, prevent abuse, maintain auditability, and comply with legal, security, contractual, and regulatory obligations.

ChatGPT App and MCP Tools

When an authorized user connects FinDash to ChatGPT or another Model Context Protocol (MCP) client, that client may call FinDash tools on the user's behalf. Tool inputs can include client/contact references, search terms, filters, requested fields, document identifiers, task/workflow/opportunity details, notes, and other instructions entered by the user. Tool outputs can include the authorized FinDash records needed to answer the user's request, such as client profiles, contact details, financial summaries, documents or document text, notes, tasks, workflows, opportunities, connected email content, and meeting transcript content.

FinDash sends tool outputs to the connected MCP client only when the authorized user invokes the app and only according to that user's FinDash permissions. Some tools may create, update, delete, start workflows or jobs, or otherwise change private FinDash workspace records when the user requests those actions and has the required permissions. FinDash also records audit and security events for MCP activity.

AI Data Use and Retention

FinDash uses enterprise API contracts with AI providers and does not train our own foundation models on identifiable customer data. FinDash also requires third-party AI providers to prohibit model training on FinDash customer data when processing FinDash requests.

Where supported by provider capabilities and contract, FinDash configures zero-retention or no-training controls. If limited transient retention is required for security, abuse prevention, or legal compliance, it is restricted to those purposes and governed by contractual controls.

Information Sharing and Recipients

We do not sell, lease, or trade personal information. We share information only as needed to deliver and secure the service, at the user's or firm's direction, under contractual data protection obligations, or when required by law. Recipients may include hosting and infrastructure providers, database and storage providers, AI processing providers, integration providers for financial accounts, custodial feeds, email, calendar, meetings, payments, support, security, logging, and analytics, professional advisors, regulators, law enforcement, or parties involved in a business transaction with continued protection obligations.

Each firm's workspace data is segregated. Users can access only the accounts, firms, clients, contacts, documents, emails, meetings, and records they are authorized to access in FinDash.

Retention

We retain personal information for as long as needed to provide the service, maintain security and auditability, comply with legal or contractual obligations, resolve disputes, and enforce agreements. Workspace records, documents, transcripts, connected email indexes, OAuth/MCP grants, provider tokens, audit logs, and backups may have different retention periods based on firm settings, feature configuration, legal requirements, and operational safeguards. When data is no longer needed, we delete or de-identify it according to our retention practices and backup lifecycle.

User Controls

Users and firms may request access, correction, export, or deletion of personal data as permitted by law and contract. Users can also disconnect integrated providers, revoke OAuth or MCP app access, adjust AI Notetaker privacy settings, limit which accounts or firm members can access data, and request assistance with data or privacy controls. Some requests may be limited by legal, regulatory, security, backup, or contractual retention requirements.

Security

We use encryption in transit and at rest, least-privilege access controls, firm-level data segregation, access auditing, monitoring, backup controls, and other technical and organizational safeguards designed to protect sensitive financial and personal data.

Contact