Privacy Policy
The short version: Finolio keeps your finances in your own private iCloud account, on your own devices, under your own Apple ID — no accounts, no analytics, no ads, no profile of you. There is exactly one optional feature, Email Forwarding, that is different: if you turn it on, your bank's transaction alerts pass through a Finolio relay that reads only the amount, merchant, date, and card, then discards the email. It is off until you enable it, and it's described in full in Section 4. Everything else stays on your device and in your iCloud, where we cannot see it.
1. Who runs Finolio
Finolio is published by Finolio. You can reach us at support@finolioapp.com for any privacy question, data request, or concern. We respond to every message we receive, usually within one business day.
2. What data Finolio handles, and where it lives
Finolio is a personal finance app. The data you create inside it — expenses, income, budgets, savings goals, recurring transactions, spending sprints, custom categories, payment methods, and receipt photos — belongs entirely to you and is stored in two places, both of which we cannot access:
- Your device. Records are saved locally using Apple's SwiftData on-device database. They never leave your device unless you have iCloud sync enabled.
- Your private iCloud database. If iCloud is enabled, Finolio mirrors your data through Apple's CloudKit service into a database that is private to your Apple ID. Apple's documentation describes this as the user's "private CloudKit database." We are not a party to that database and have no ability to query, read, or modify it. Apple manages encryption at rest and in transit.
We have no user accounts, no login system, no analytics service, no advertising partner, and no profile of your activity. The only server Finolio operates is the optional Email Forwarding relay described in Section 4 — and it stores nothing beyond a short-lived, already-parsed charge that is deleted the moment your device collects it. Apart from that one feature you choose to switch on, there is no copy of your data we can be compelled, hacked, or persuaded to disclose.
3. Permissions Finolio asks for
iOS will prompt you the first time the app uses any sensitive capability. Each permission is used only for the purpose described and only when you explicitly invoke the relevant feature.
- Camera — to scan paper receipts when you tap "Scan Receipt." Images are processed on your device and saved with the related expense. Nothing is uploaded to us.
- Photo Library — to import an existing receipt image and attach it to an expense. We use Apple's privacy-protected photo picker, so the app never sees your full library.
- Siri & Shortcuts — so you can say "Add an expense in Finolio" or run app shortcuts. Voice input is handled entirely by Apple's Siri service under your Apple ID.
- Notifications — used only for silent CloudKit sync notifications and, optionally, budget reminders you choose to enable.
- iCloud — used to keep your data in sync across your own devices. You can turn iCloud off entirely in iOS Settings; Finolio will run in local-only mode.
Finolio does not request access to your contacts, location, microphone (beyond Siri), calendar, motion data, or health information.
4. Auto-Import — connecting your cards and email
Auto-Import is optional and stays switched off until you turn it on in Settings → Auto-Import. When enabled, it can bring transactions into Finolio from several sources. All but one of these sources are processed entirely on your device. The exception — Email Forwarding — is the only Finolio feature that sends data through a server we operate, and it is called out first and in full below.
- Email Forwarding (optional; the one feature that uses our server). If you turn this on, Finolio gives you a private inbox address (something@in.finolioapp.com). You point your bank's transaction-alert emails at it. Those alerts arrive at a Finolio relay (running on Cloudflare's infrastructure), which:
  - reads only the amount, merchant, date, and card from each alert;
  - sends that parsed charge to your device and discards the raw email immediately — the message body, the sender, and your own email address are never stored;
  - holds the parsed charge in a queue for at most 30 days, and deletes it the moment your device collects it.
- Apple Card (FinanceKit). With your explicit permission, Finolio reads your Apple Card transactions on-device through Apple's FinanceKit framework and turns them into expense records. This data is used only on your device and is never transmitted to us or any third party.
- Bank email alerts (Gmail). If you connect a Google account, Finolio uses a read-only Gmail scope (gmail.readonly) solely to fetch your bank's transaction-alert emails. Those emails are parsed entirely on your device into expense records. Finolio retains no email content beyond the resulting expense, and nothing is sent to us — the only network calls are directly between your device and Google's APIs. Your Google sign-in tokens are stored in your device's Keychain. Finolio's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
- Apple Pay tap logging. The optional Shortcuts automation that logs a charge when you tap to pay runs entirely on your device through Apple's Shortcuts app. No transaction data is shared with us.
- CSV statement import. Statement files you choose to import are read locally on your device and never uploaded.
You can disconnect any source at any time in Settings → Auto-Import. Disconnecting removes the stored access tokens from your device's Keychain. Turning off Email Forwarding also deletes the relay's record of your device and clears any charge still waiting in its queue.
5. Optional AI features (you bring your own key)
Finolio's intelligent features — reading a receipt with "Smart Scan," cleaning up merchant names, summarizing your month, parsing a typed expense, and the Finolio Coach chat — are designed to run on your device by default. A cloud path exists, but it is strictly opt-in and uses an API key you provide. You always control which path runs.
- On-device (default). On devices that support Apple Intelligence, these features run Apple's on-device foundation model (Apple's Foundation Models framework), on top of Apple's Vision OCR for receipts. The receipt image, the extracted text, and your spending figures never leave your device. No API key is needed.
- Smart Scan — cloud (only if you opt in and provide your own API key). You may add an API key from a third-party provider (currently Anthropic or xAI) in Settings. When that key is configured and you tap Smart Scan, the receipt image and extracted text are sent directly from your device to that provider over HTTPS, under your account with them, governed by their privacy policy. Finolio does not relay this traffic, does not see the contents, and does not retain a copy. Removing the key disables this path entirely.
- Finolio Coach — Deep analysis (off by default). The Coach answers your questions on-device. If you turn on Deep analysis in Settings → AI (which requires a saved Anthropic key), a question you mark as "Deep" is sent to Claude through Apple's Foundation Models framework so it can reason over multiple steps and look up current context, such as whether a subscription's price is typical. In that case only the spending figures relevant to your question — not your full transaction history — are sent, directly from your device to Anthropic over HTTPS under your own API key and Anthropic's privacy policy. Quick questions always stay on-device. Turning Deep analysis off, or removing the key, disables this path entirely.
If you don't enter an AI key, no third-party AI calls are made and every intelligent feature still works on-device (or, on devices without Apple Intelligence, falls back to simple built-in rules). The cloud path is opt-in by configuration and opt-in by action.
6. On-device search index
So you can find a past purchase from the iOS or macOS system search — and so the Coach can pull up specific expenses when you ask — Finolio indexes your expenses into Apple's on-device Spotlight index (CSSearchableIndex). This index is created and stored locally by the operating system on your device; it is not transmitted to us or anyone else. Deleting an expense, or deleting the app, removes it from the index.
7. Receipt photos
When you attach a photo to an expense, the image is stored as a file inside the iCloud Drive container associated with your Apple ID, in an app-internal folder. The expense record stores a filename pointer; the image bytes are managed by Apple's iCloud Drive infrastructure under your account. You can delete a receipt at any time from inside the app, which removes both the file and the pointer.
8. Backups and exports
Finolio lets you export your entire dataset — every expense, budget, and goal — as a single JSON file from Settings → Export Full Backup. The file is written to the app's Documents folder, visible in the Files app under "On My iPhone → Finolio → Backups." You can move, share, or delete it like any other file. Because the backup is generated on your device and never sent to us, you control where it goes from there. Treat the file as sensitive — it contains your full financial history in plain text.
9. Children
Finolio is not directed to children under 13 and does not knowingly collect any data from anyone, of any age. If you believe a child is using Finolio in a way that warrants attention, please contact us.
10. Deleting your data
Because no copy of your data exists on a server we operate, deleting the app or signing out of iCloud removes your access to it from that device. To wipe every record across all your devices:
- Open Finolio on any device signed into the same iCloud account.
- Go to Settings → Delete All Data.
- Confirm. The app deletes all expenses, income, budgets, goals, recurring items, sprints, and receipt files from both your device and your iCloud database.
You can also remove all CloudKit data directly from Apple's iCloud settings: iOS Settings → [Your Name] → iCloud → Manage Account Storage → Finolio → Delete Data from iCloud.
11. Security
Finolio relies on Apple's built-in security model: the iOS sandbox, Keychain for any sensitive token (such as an AI API key you provide, a connected Google account's sign-in tokens, or the Email Forwarding queue credential), TLS for all network traffic, and Apple's CloudKit encryption for sync. We do not use custom cryptography.
The optional Email Forwarding relay is the only server-side surface we operate. It is designed to hold as little as possible: it parses each alert in memory and discards the raw email, never writes message contents to disk, and the credential that reads your queued charges is a separate secret kept only on your device — so your inbox address, which necessarily appears in email headers and bank settings, is not by itself enough to read your data. Before the relay treats a message as a real alert, it verifies the sender's email authentication (DMARC), so a spoofed message claiming to be from your bank cannot inject a charge. Each parsed charge is also signed so your device can confirm it came from your relay. All relay traffic is over HTTPS, served with strict transport security (HSTS) and a hardened set of HTTP security headers; the same hardening applies to this website. If you never enable Email Forwarding, the app communicates with no server we operate at all.
12. International users
For everything other than Email Forwarding, Finolio does not transmit your data to a server we run, so there is no cross-border data transfer initiated by us — your data flows between your own devices and Apple's iCloud infrastructure, which Apple operates and discloses regional storage details for in Apple's own privacy documentation. If you enable Email Forwarding, the parsed-charge data passes through Cloudflare's global edge network on its way to your device; it is processed transiently and not stored beyond the short-lived queue described in Section 4. If you have specific regional questions (for example regarding the GDPR, UK GDPR, or CPRA), please contact us at support@finolioapp.com.
13. Changes to this policy
If we change this policy, we will update the date at the top of this page and, for material changes, present an in-app notice the next time you open the app. Continued use after a notice indicates acceptance of the updated policy.
14. Contact
Privacy questions, data requests, or anything else — email support@finolioapp.com.