Privacy Policy
Last updated: 24 March 2026
1. Who we are
Finlusion ("we", "us", "our") is a social platform for financial discussion and education, operated from the United Kingdom. Our website is finlusion.com. We are the data controller responsible for your personal data under UK GDPR.
Finlusion Ltd.
85 Great Portland Street, London, England, W1W 7LT
Email: privacy@finlusion.com
2. What data we collect
We collect the following personal data when you use Finlusion:
- Account information: email address, username, display name, and password (stored as a secure hash)
- Profile information: avatar image, bio, social media links, and any other details you choose to add
- Identity verification data: if you choose to verify your identity, we use a third-party provider (Didit) to process your ID documents. We store only the verification status, not your documents
- Content you create: posts, comments, reposts, and any images you upload
- Messaging data: private messages exchanged between you and your peers, including message reactions
- Interactions: likes, bookmarks, follows, peer connections, peer reviews, and notification preferences
- Platform activity: conviction marketplace data (virtual token trades, holdings, and balances), promotion credits, and subscription details. Note: conviction tokens are virtual and do not involve real money. Credit purchases and subscriptions are processed by Stripe
- Usage data: profile views, post impressions, and session activity timestamps
- Technical data: IP address, browser type, and device information collected via server logs
3. How we use your data
We use your personal data to:
- Provide and maintain your Finlusion account
- Display your content to other users
- Send verification codes for authentication and account changes
- Deliver in-app and email notifications based on your preferences
- Process payments and manage your subscription, credits, and marketplace activity
- Calculate engagement metrics such as Alpha Rating and trending scores
- Facilitate peer connections and private messaging between users
- Fund environmental impact initiatives (tree planting and carbon offsetting) through promoted posts
- Display commercial content, including MPU advertisements purchased by company accounts and promoted posts boosted by users, neither of which is targeted using your personal data
- Moderate content and enforce our Terms of Service
- Analyse platform usage to improve the service
4. Legal basis for processing (GDPR)
We process your data under the following legal bases:
- Contract: processing necessary to provide the Finlusion service you signed up for (Article 6(1)(b))
- Legitimate interests: platform security, fraud prevention, analytics, and service improvement (Article 6(1)(f))
- Consent: analytics cookies, advertising cookies, and marketing communications (Article 6(1)(a))
- Legal obligation: where we are required to retain or disclose data under applicable law (Article 6(1)(c))
5. Cookies and local storage
Finlusion uses cookies and similar technologies to operate the Site, analyse usage, and deliver relevant content. For full details on the cookies we use, their purpose, and how to manage your preferences, please see our Cookie Policy.
6. Data sharing
We do not sell your personal data. We share data with the following categories of third-party providers who process data on our behalf:
- Stripe (payment processing for subscriptions and credit purchases)
- Postmark (transactional email delivery)
- Google Analytics (website analytics, with your consent)
- Cloudflare (security, performance, and content delivery)
- Didit (identity verification for account badge)
- Ecologi (environmental impact purchases linked to promoted posts)
- Finnhub (real-time market data for the Market Pulse feature — no personal data is shared; only anonymous API requests are made)
- Advertising partners: we do not share your personal data with advertisers. MPU ad placements and promoted posts are non-targeted and do not involve third-party data sharing
- Legal authorities where required by law or to enforce our rights
- Third parties in connection with a merger, sale, or acquisition
7. Data retention
- Account data: retained for as long as your account is active
- Content: retained until you delete it, or until your account is deleted
- Messages: retained until you delete the conversation, or until your account is deleted
- Transaction data: credit purchases and payment records processed via Stripe are retained for up to 7 years in accordance with UK record-keeping requirements. Virtual marketplace data (conviction token trades and balances) is retained for the lifetime of your account
- Verification codes: automatically expire after 15 minutes
- Session data: expires after 30 days of inactivity
When you delete your account, all associated data (posts, comments, messages, likes, follows, bookmarks, and notifications) is permanently removed via cascading deletion. Transaction records may be retained as required by law.
8. Your rights
Under the UK GDPR, you have the right to:
- Access your personal data
- Rectify inaccurate data (via your profile settings)
- Erase your data (via Settings > Delete Account, or by contacting us)
- Restrict processing in certain circumstances
- Receive your data in a structured format (data portability)
- Object to processing based on legitimate interests
- Withdraw consent at any time for consent-based processing (without affecting the lawfulness of processing before withdrawal)
To exercise any of these rights, email privacy@finlusion.com. We will respond within 30 days.
9. Data security
We protect your data with:
- HTTPS encryption on all connections
- Secure password hashing (bcrypt)
- Session regeneration on login to prevent fixation attacks
- Rate limiting on authentication endpoints
- HTTP security headers (X-Frame-Options, CSP, XSS protection)
- HMAC signature verification on third-party webhooks
10. International transfers
Your data is primarily stored on servers in the United Kingdom. Some third-party services we use (such as Google Analytics and Stripe) may process data in the United States or other jurisdictions. Where data is transferred outside the UK, appropriate safeguards are in place, including Standard Contractual Clauses and the service provider's participation in recognised data protection frameworks.
11. Age restriction
In accordance with the UK GDPR and the Data Protection Act 2018, Finlusion is not intended for individuals under the age of 16. We do not knowingly collect, solicit, or process personal data from children under the age of 16.
If you are under 16, you are prohibited from registering for an account, accessing the Services, or submitting any personal data to us. Any accounts or data suspected of being associated with individuals under 16 will be terminated and permanently deleted.
If we become aware that personal data has been collected from a child under the age of 16, we will promptly take steps to delete such data. If you believe that someone under 16 has provided us with personal data, please email support@finlusion.com.
12. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated via in-app notification. The "Last updated" date at the top indicates the most recent revision.
13. Complaints
If you are unsatisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Phone: 0303 123 1113