Privacy Policy

Effective Date: November 29, 2025

This privacy policy applies to the HRM Fintilty app (hereby referred to as "Application") for mobile devices that was created by Fintilty Technologies Company (hereby referred to as "Service Provider") as a Commercial service. This service is intended for use "AS IS".

Information Collection and Use

The Application collects information when you download and use it. This may include:

  • Your device's Internet Protocol address (i.e. IP address)
  • The pages of the Application that you visit, the time and date of your visit, the time spent on those pages
  • The time spent on the Application
  • The operating system you use on your mobile device

Geolocation Services

The Application collects your device's location, which helps the Service Provider determine your approximate geographical location and use it in the following ways:

  • Geolocation Services: The Service Provider utilizes location data to provide features such as personalized content, relevant recommendations, and location-based services.
  • Analytics and Improvements: Aggregated and anonymized location data helps the Service Provider to analyze user behavior, identify trends, and improve the overall performance and functionality of the Application.
  • Third-Party Services: Periodically, the Service Provider may transmit anonymized location data to external services. These services assist them in enhancing the Application and optimizing their offerings.

Communication

The Service Provider may use the information you provided to contact you from time to time to provide you with important information, required notices and marketing promotions.

For a better experience, while using the Application, the Service Provider may require you to provide them with certain personally identifiable information. The information that the Service Provider requests will be retained by them and used as described in this privacy policy.

Third Party Access

Only aggregated, anonymized data is periodically transmitted to external services to aid the Service Provider in improving the Application and their service. The Service Provider may share your information with third parties in the ways that are described in this privacy statement.

Data Retention and Deletion

The Service Provider retains user data for as long as necessary to provide services and fulfill the purposes outlined in this privacy policy. Once you delete your account or request data deletion, the Service Provider will remove your personal information from active databases within 30 days, except where retention is required by law or for legitimate business purposes.

Backup copies may be retained for up to 90 days following deletion to ensure recovery capabilities. Transaction records and financial data may be retained for the period required by applicable laws and regulations, typically for audit and compliance purposes.

Security Measures

The Service Provider is committed to protecting your personal information through industry-standard security measures, including but not limited to:

  • Encryption of data in transit using HTTPS and TLS protocols
  • Encryption of sensitive data at rest
  • Regular security audits and vulnerability assessments
  • Multi-factor authentication for account protection
  • Restricted access to personal data by authorized personnel only
  • Regular backup procedures to prevent data loss

However, no system is 100% secure. While the Service Provider implements comprehensive security measures, they cannot guarantee absolute security of your information. Any transmission of data is at your own risk.

Your Privacy Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Right to Access: You can request a copy of all personal data the Service Provider holds about you.
  • Right to Correction: You can request correction of inaccurate or incomplete personal data.
  • Right to Deletion: You can request deletion of your personal data under certain circumstances.
  • Right to Data Portability: You can request your data in a machine-readable format suitable for transfer to another service provider.
  • Right to Opt-Out: You can opt out of marketing communications and certain non-essential data processing.

To exercise these rights, please contact the Service Provider using the information provided in the Contact Information section below.

Cookies and Tracking Technologies

The Application may use cookies and similar tracking technologies to enhance user experience and analytics. These include:

  • Session Cookies: Temporary cookies that are deleted when you close your browser.
  • Persistent Cookies: Cookies that remain on your device to remember preferences and login information.
  • Analytics Cookies: Cookies used to track usage patterns and improve the Application.

You can control cookie settings through your browser preferences. However, disabling cookies may affect the functionality of the Application.

Children's Privacy

The Application is not intended for children under the age of 13 (or the minimum age of digital consent in your jurisdiction). The Service Provider does not knowingly collect personal information from children under this age. If the Service Provider becomes aware that personal information of a child under 13 has been collected, they will take immediate steps to delete such information and terminate the child's account.

Parents or guardians who believe their child has provided information to the Service Provider should contact them immediately using the contact information below.

Third-Party Links and Services

The Application may contain links to third-party websites, applications, and services that are not operated by the Service Provider. This privacy policy applies only to the Application. The Service Provider is not responsible for the privacy practices of third-party services, and encourages you to review their privacy policies before providing any personal information.

International Data Transfer

Your personal information may be processed and stored in countries other than your country of residence, which may have data protection laws that differ from your home country. By using the Application, you consent to the transfer of your personal information to countries outside your country of residence for the purposes described in this privacy policy. The Service Provider will take appropriate measures to ensure that international transfers of personal information are protected in accordance with applicable laws.

Changes to This Privacy Policy

The Service Provider may update this privacy policy from time to time to reflect changes in their practices, technology, legal requirements, and other factors. The updated version will be posted on the Application with the "Effective Date" updated accordingly. Continued use of the Application following any changes constitutes your acceptance of the modified privacy policy.

For significant changes that affect your rights, the Service Provider will provide additional notice, such as through email or a prominent notice on the Application.

Data Breach Notification and Incident Response

In the event of a data breach or security incident that compromises the confidentiality, integrity, or availability of personal information, the Service Provider will undertake immediate investigation and remediation efforts in accordance with applicable data protection regulations.

Users and affected individuals will be notified of any data breach without unreasonable delay, typically within 72 hours of discovery when required by law. The notification will include: (a) the nature of the data breach and categories of personal data affected; (b) the likely consequences of the data breach; (c) measures taken or proposed to address the breach and mitigate harm; (d) the contact point for further information; and (e) recommendations for protective measures individuals can take.

For significant breaches, the Service Provider will also notify relevant supervisory authorities and maintain detailed records of all security incidents, including the facts relating to the breach, its effects, and remedial actions taken.

Privacy by Design and Data Protection Impact Assessment

The Service Provider is committed to implementing privacy by design and by default throughout all processing activities. This means that data protection considerations are integrated into every stage of system development and operations.

For processing activities that pose high risks to individuals' rights and freedoms, the Service Provider conducts Data Protection Impact Assessments (DPIA) to identify and mitigate potential risks. These assessments include: systematic evaluation of the processing operation; identification of necessity and proportionality; risk analysis and mitigation strategies; and consultation with relevant stakeholders when appropriate.

Legitimate Interests and Processing Bases

Personal data processing is undertaken on the following legal bases:

  • Contractual Necessity: Processing necessary to enter into or perform a contract with you.
  • Legal Obligation: Processing required by applicable laws, regulations, court orders, or government requests.
  • Legitimate Interests: Processing pursued for legitimate business interests including fraud prevention, security, product improvement, analytics, and business operations, where such interests are not overridden by your privacy rights.
  • Consent: Processing based on your explicit, informed, and freely given consent, which you may withdraw at any time.
  • Vital Interests: Processing necessary to protect vital interests of you or another natural person.

Automated Decision-Making and Profiling

The Service Provider may use automated decision-making processes and profiling to analyze user behavior, prevent fraud, detect security threats, and personalize the user experience. You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects concerning you, except where such processing is necessary for contract performance, required by law, or based on your explicit consent.

If automated decision-making is used, you have the right to: (a) request information about the logic underlying such processing; (b) request meaningful human review of the decision; and (c) contest the decision if you believe it to be inaccurate or unjust.

Data Processors and Vendor Management

The Service Provider may engage third-party data processors and service providers to process personal information on its behalf. These processors are bound by written Data Processing Agreements (DPA) that ensure they: (a) process personal data only on documented instructions from the Service Provider; (b) maintain appropriate technical and organizational security measures; (c) implement data protection by design principles; (d) maintain detailed records of processing; (e) notify the Service Provider of data breaches; and (f) provide cooperation with supervisory authorities.

All processors are subject to strict confidentiality obligations and are prohibited from processing personal data for their own purposes. The Service Provider remains responsible and liable for any processor failures to comply with data protection obligations.

Technical and Organizational Security Measures

The Service Provider implements comprehensive technical and organizational measures to protect personal information against accidental or unauthorized processing, destruction, loss, alteration, or access. These measures include but are not limited to:

  • Advanced cryptographic algorithms (AES-256, RSA-2048 or stronger) for data encryption
  • Secure hash functions (SHA-256 or stronger) for data integrity verification
  • Firewall systems and intrusion detection/prevention systems
  • Access control lists and role-based access control (RBAC) mechanisms
  • Secure network segmentation and demilitarized zones (DMZ)
  • Continuous monitoring, threat detection, and incident response capabilities
  • Data anonymization and pseudonymization techniques where applicable
  • Regular vulnerability scanning, penetration testing, and security assessments

While these measures significantly reduce risk, the Service Provider acknowledges that no security system is impenetrable. Users accept the inherent risks associated with electronic communication and data transmission.

Sub-processors, Subcontractors, and Service Providers

The Service Provider may engage sub-processors and subcontractors to perform specific functions on its behalf. These include but are not limited to cloud infrastructure providers, payment processors, analytics providers, customer support platforms, email service providers, and data backup services. Each sub-processor is subject to: written contractual obligations; adequate data protection safeguards; restrictions on personal data use; cooperation with supervisory authorities; and immediate notification of any unauthorized access or data breaches.

The Service Provider maintains an up-to-date list of sub-processors and will notify users of any changes to sub-processor arrangements, specifically when new sub-processors are added or when the location of processing changes in a manner that materially affects data protection.

Specific Data Processing Scenarios and Activities

The Application engages in multiple distinct processing activities:

  • Account Registration Processing: Name, email, phone number, and demographic information collected during registration are processed for account creation, user authentication, and service provision. This processing is necessary for contract performance.
  • Behavioral Analytics: Aggregated clickstream data, feature usage patterns, and session duration metrics are collected and analyzed to improve user experience, identify technical issues, and develop new features. This processing is based on legitimate interests.
  • Fraud Prevention and Security: IP addresses, login patterns, payment information, and device identifiers are analyzed using machine learning algorithms to detect suspicious activities, prevent unauthorized access, and combat fraud. This processing is necessary for legitimate security interests.
  • Marketing Communications: Email addresses and communication preferences are used to send promotional content, product updates, and service announcements. Processing is based on user consent or legitimate marketing interests, and users may opt out at any time.

Detailed Data Retention and Deletion Schedules

Different categories of personal data are retained according to the following schedules:

  • Account profile data: Retained for the duration of the active account plus 1 year
  • Transaction records: Retained for 7 years (in compliance with tax regulations)
  • Support communications: Retained for 3 years or until issue resolution plus 6 months
  • Analytics data: Aggregated data retained indefinitely; individual-level data deleted after 24 months
  • System logs: Retained for 90 days for security purposes
  • Marketing data: Retained until opt-out or 2 years of inactivity, whichever is sooner

Data subject to legal holds or litigation remains exempt from automatic deletion until the hold is lifted or legal proceedings conclude.

Procedures for Exercising User Privacy Rights

To exercise any privacy rights, users must submit a detailed written request to support@fintilty including: (a) your full legal name; (b) current email address and phone number; (c) specific description of your request and affected data categories; (d) proof of identity; and (e) any relevant account information.

The Service Provider will verify your identity before processing your request. Verification may require submission of government-issued ID or additional documentation. Following verification, the Service Provider will respond within the timeframe specified by applicable law (typically 30 calendar days).

Requests may be refused if they are manifestly unfounded, excessive, duplicative of recent requests, or technically infeasible. In such cases, the Service Provider will provide a detailed explanation and information about available remedies.

International Data Transfers and Transfer Mechanisms

Where the Service Provider transfers personal data internationally, it implements appropriate legal mechanisms including: Standard Contractual Clauses (SCCs); Binding Corporate Rules (BCRs); adequacy decisions by competent authorities; or your explicit consent. International transfers are subject to applicable laws in both originating and destination jurisdictions.

Specifically, transfers to jurisdictions outside the European Economic Area require compliance with GDPR Chapter V requirements. Transfers may only proceed to jurisdictions with adequate data protection or where appropriate safeguards are in place. Users have the right to receive information about specific transfer mechanisms and request details of adequacy decisions.

Privacy Impact Assessments and Risk Evaluations

The Service Provider conducts comprehensive Privacy Impact Assessments (PIA) for all new processing activities that involve: (a) large-scale systematic processing; (b) automated processing with legal or significant effects; (c) systematic monitoring; (d) processing of special categories of data; or (e) new technologies or methodologies.

Each PIA includes: description of processing operations; necessity and proportionality assessment; data flow diagrams; identification of risks to data subject rights; risk mitigation strategies; security measures evaluation; and recommendations for processing modifications. PIAs are reviewed annually and updated when processing activities change materially.

Regulatory Compliance Framework and Legal Basis for Processing

The Service Provider complies with applicable data protection regulations including but not limited to: GDPR (EU/UK), CCPA (California), LGPD (Brazil), PIPEDA (Canada), PDPA (Singapore), and other state, provincial, and national privacy laws. The specific legal basis for each processing activity is identified in the application data inventory and Privacy Impact Assessments.

Users in regulated jurisdictions have additional rights specific to those regulations, and the Service Provider will provide jurisdiction-specific privacy notices when required by law. A compendium of all applicable privacy regulations and the Service Provider's compliance mechanisms is available upon request.

Emerging Technologies and Future Data Processing

The Service Provider may implement emerging technologies in the future, including artificial intelligence, machine learning, facial recognition, biometric authentication, or blockchain-based systems. Any new processing methodology will be subject to Privacy Impact Assessment, user notification requirements, and regulatory compliance obligations prior to implementation.

Users will be notified of material changes to data processing through: email notification; in-application notices; privacy policy updates; and where required, explicit consent requests. The Service Provider commits to maintaining transparency regarding the purposes, means, and consequences of any new processing activities.

Contact Information and Data Subject Requests

For any privacy inquiries, data subject access requests, complaints, or other matters related to this Privacy Policy, please contact:

Email: support@fintilty

Please allow 30 business days for response to data subject access requests.