FinQuest
Français Join the list

Privacy Policy

Last updated: 10 June 2026

1. Data Controller

[Company Name]
[Legal form] with a share capital of [amount] €
Registered office: [Full address]
RCS [City] No. [number]
Email: [email protected]
Represented by Alexandre Vuillerot, Publication Director.

2. Personal Data Collected

2.1. Account Data

  • Email address (required*) — Account creation, communication
  • Password (hashed, required*) — Authentication
  • Display name (optional) — Personalization, leaderboards
  • Avatar / profile picture (optional) — Profile customization
  • Social identifier (Google, Apple) — Third-party login

* Email and password are required for standard accounts. For Google or Apple login, the social identifier replaces the password. Anonymous mode is available with limited features.

2.2. Usage and Progress Data

  • Lessons completed, modules and learning paths
  • Quiz answers and scores
  • Experience points (XP), daily streaks
  • League and leaderboard participation
  • Daily activity and login history
  • Energy, Coins and Tokens (balances and transactions)
  • Financial preferences and objectives

2.3. Financial Data (Optional)

If you choose to connect a bank account, the following data is collected in read-only mode:

  • Bank connection identifier (provided by third-party provider)
  • Transactions: amount, currency, category, merchant, date
  • Connection metadata (sync date, status)

FinQuest never has access to your banking credentials (login, password, codes). You can disconnect your bank account at any time.

2.4. Technical Data

  • Unique device identifier (Device ID)
  • Device model, operating system and version
  • Application version
  • IP address (retained for 30 days maximum)
  • Language and timezone
  • Platform (iOS / Android)

3. Purposes and Legal Bases

In accordance with Article 6 of the GDPR, each processing operation relies on a legal basis:

  • Contract performance (Art. 6.1.b): account creation and management, service delivery, AI-powered lesson and quiz personalization, subscription and purchase management, gamification
  • Consent (Art. 6.1.a): educational bank transaction analysis, push notifications
  • Legitimate interest (Art. 6.1.f): statistical analysis and service improvement, fraud detection and security
  • Legal obligation (Art. 6.1.c): compliance with legal and tax obligations

4. Recipients and Processors

Your data may be shared with the following processors:

  • Hetzner Online GmbH (Germany, EU) — Infrastructure hosting
  • RevenueCat Inc. (USA, SCCs) — Subscription management
  • Expo (650 Industries Inc.) (USA, SCCs) — Push notifications relay (APNs/FCM)
  • PostHog Inc. (European Union) — Usage analytics
  • Sentry / Functional Software Inc. (USA, SCCs) — Error monitoring
  • Anthropic PBC (USA, SCCs) — AI quiz generation
  • Apple Inc. / Google LLC (USA, SCCs) — Distribution, payments

We never sell your personal data to third parties.

4.1. Transfers Outside the EU

Some processors are located outside the EU (USA). These transfers are governed by Standard Contractual Clauses (SCCs) adopted by the European Commission, in accordance with Article 46.2.c of the GDPR.

5. Data Retention

  • Account data: account lifetime + 3 years after deletion
  • Progress data: account lifetime, deleted upon closure
  • Financial data (bank transactions): 12 months maximum or until disconnection
  • Technical data (logs, IP): 30 days
  • Billing data: 10 years (legal accounting obligation)
  • Push notification data: until consent withdrawal

Upon expiration of retention periods, data is deleted or irreversibly anonymized.

6. Your Rights

Under Articles 15 to 22 of the GDPR, you have the following rights:

  • Access (Art. 15) — Confirm whether your data is processed and receive a copy
  • Rectification (Art. 16) — Correct inaccurate or incomplete data
  • Erasure (Art. 17) — Request deletion of your data ("right to be forgotten")
  • Restriction (Art. 18) — Request restriction of processing
  • Portability (Art. 20) — Receive your data in a structured, machine-readable format
  • Objection (Art. 21) — Object to processing based on legitimate interest
  • Withdrawal of consent (Art. 7.3) — Withdraw your consent at any time
  • Automated decisions (Art. 22) — Not be subject to solely automated decisions

6.1. How to Exercise Your Rights

Write to [email protected] or by post to the registered office. We will respond within a maximum of 30 days (Art. 12.3 GDPR).

6.2. Account Deletion

You can delete your account from the Application settings. Deletion results in the erasure of your personal data, subject to legal retention obligations.

6.3. Complaint to the CNIL

If you believe your data processing does not comply with regulations, you may file a complaint with the CNIL:
3, place de Fontenoy — TSA 80715 — 75334 Paris Cedex 07
Website: www.cnil.fr

7. Data Security

We implement appropriate technical and organizational measures in accordance with Article 32 of the GDPR:

  • Encryption in transit: TLS protocol (HTTPS)
  • Encryption at rest: sensitive data encrypted on servers
  • Passwords: hashed with bcrypt (never stored in plain text)
  • Restricted access: principle of least privilege
  • Secure hosting: Hetzner Online GmbH in Germany (EU), ISO 27001 certified datacenters
  • Monitoring: continuous monitoring via Sentry

8. Cookies and Trackers

8.1. On the Website

  • Essential cookies (session, CSRF) — No consent required
  • Analytics cookies (PostHog) — Consent required

You can manage your preferences via the consent banner or your browser settings.

8.2. In the Mobile Application

The application uses third-party SDKs (PostHog, Sentry, Expo) that may collect technical data. In accordance with CNIL recommendations (September 2024), we obtain your consent for non-essential trackers and only request strictly necessary permissions.

9. Artificial Intelligence

FinQuest uses AI (Anthropic) to generate personalized quizzes. Data transmitted is limited to information necessary for content generation (lesson topic, level). No personal financial data is transmitted. This processing is governed by a processor agreement in accordance with Article 28 of the GDPR.

10. Leaderboards and Social Data

By participating in leagues and leaderboards, the following information may be visible to other users: display name (or pseudonym), avatar, experience points and ranking. No other personal data is shared.

11. Minors

The Application is intended for individuals aged 18 and over. We do not knowingly collect data from minors. If we discover that a minor has created an account, we will promptly delete it.

12. Policy Updates

We reserve the right to update this policy at any time. In case of substantial changes, you will be notified by in-app notification and email. The last update date is shown at the top of this page.

13. Contact

For any questions regarding your data protection:
Email: [email protected]
Post: [Company Name] — [Full address]