Legal
Privacy Policy
Effective Date: February 17, 2026
FINCH AI Inc. ("Finch," "we," "us," or "our") is a Delaware corporation that provides on-premise compliance infrastructure for regulated enterprises. This Privacy Policy describes how we collect, use, and protect information in connection with our website (finch.io), platform, and services (collectively, "Services").
The key thing to know: Finch is an on-premise platform. In Private VPC and Air-Gapped deployment modes, your compliance documents, customer data, and transaction records never leave your infrastructure. We cannot and do not access them.
1. Information We Collect
1.1 Information You Provide to Us
- Account information: Name, email address, company name, job title, and phone number when you create an account, request a demo, or contact us.
- Billing information: Payment details and billing address processed through our third-party payment processor. We do not store credit card numbers on our systems.
- Communications: Information you provide when you contact our support team, respond to surveys, or communicate with us via email.
- Evaluation data: If using Public Cloud mode for evaluation, any data you upload to the platform during the evaluation period.
1.2 Information Collected Automatically
- Website analytics: Pages visited, referring URLs, browser type, device type, and IP address when you visit finch.io.
- Usage telemetry (Platform): Aggregate, anonymized platform usage metrics (e.g., number of decisions processed, uptime statistics) transmitted from the Platform to Finch for product improvement. This telemetry contains no Customer Data, PII, or compliance documents. Telemetry can be fully disabled by the Customer upon request.
1.3 Information We Do Not Collect
In Private VPC and Air-Gapped deployments, we do not collect, access, store, or process:
- Your compliance documents, policies, or manuals
- Your customers' personally identifiable information (PII)
- Transaction data or financial records
- Compliance decisions, audit trails, or officer actions
- Any data processed within your infrastructure by the Platform
2. How We Use Information
| Information Type |
Purpose |
Legal Basis |
| Account information |
Provide and administer the Services, communicate about your account |
Contract performance |
| Billing information |
Process payments and invoicing |
Contract performance |
| Website analytics |
Improve our website, understand visitor behavior |
Legitimate interest |
| Usage telemetry |
Product improvement, reliability monitoring |
Legitimate interest (opt-out available) |
| Communications |
Respond to inquiries, provide support |
Legitimate interest / consent |
We do not sell, rent, or trade your personal information to third parties. We do not use your data for advertising purposes.
3. Data Sharing
We share information only in the following limited circumstances:
- Service providers: Third-party vendors who help us operate our business (e.g., payment processing, email delivery, cloud hosting for our website). These providers are contractually bound to use data only for the services they provide to us.
- Legal requirements: When required by law, subpoena, court order, or government request.
- Business transfers: In connection with a merger, acquisition, or sale of assets, with notice to affected customers.
- With your consent: When you explicitly authorize us to share information.
4. Data Security
We implement industry-standard security measures to protect information in our possession:
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- Access controls with role-based permissions
- Regular security assessments and monitoring
- Employee security training and background checks
- Incident response procedures
For the Platform deployed in your infrastructure, security is governed by your own infrastructure security controls. Finch provides security configuration guidance and best practices documentation.
5. Data Retention
We retain personal information for as long as necessary to provide the Services and fulfill the purposes described in this policy, unless a longer retention period is required by law. Specifically:
- Account information: Retained for the duration of the customer relationship plus 3 years.
- Billing records: Retained for 7 years per tax and accounting requirements.
- Website analytics: Retained for 26 months.
- Evaluation data (Public Cloud): Deleted within 30 days of evaluation period end.
6. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate or incomplete information.
- Deletion: Request deletion of your personal information, subject to legal retention requirements.
- Portability: Request your data in a structured, machine-readable format.
- Objection: Object to processing based on legitimate interest.
- Withdrawal of consent: Where processing is based on consent, withdraw at any time.
To exercise any of these rights, contact us at privacy@finch.io. We will respond within 30 days.
7. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- The right to know what personal information we collect, use, and disclose.
- The right to delete personal information we hold about you.
- The right to opt-out of the sale of personal information. We do not sell personal information.
- The right to non-discrimination for exercising your privacy rights.
8. International Data Transfers
For customers using Private VPC or Air-Gapped deployments, no customer data crosses international borders as part of the Platform's operation — all processing occurs within the Customer's own infrastructure in the geography of their choosing.
For account information and website data, information may be processed in the United States. Where required, we implement appropriate safeguards including Standard Contractual Clauses (SCCs) for transfers from the EEA/UK.
9. Cookies
Our website uses the following types of cookies:
- Essential cookies: Required for website functionality (session management, security).
- Analytics cookies: Help us understand how visitors use our website. These can be disabled in your browser settings.
We do not use advertising cookies or tracking pixels. We do not engage in cross-site tracking.
10. Children's Privacy
Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child under 18, we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered customers at least 30 days prior to taking effect. The "Effective Date" at the top of this page indicates when the policy was last revised.
12. Contact Us
For questions about this Privacy Policy or to exercise your privacy rights:
FINCH AI Inc.
Registered in the State of Delaware
privacy@finch.io
legal@finch.io