Privacy Policy
This Privacy Policy explains how Cognitive Products Labs Pvt. Ltd. ("we", "us", "our", or "the Company"), an Indian private limited company, collects, uses, stores, shares, and protects your personal data when you use fingine.ai (the "Service"). It is written to comply with India's Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Act, 2000, and applicable rules. By using the Service, you consent to the practices described below.
1. Who we are
Cognitive Products Labs Pvt. Ltd. is the data fiduciary for personal data processed in connection with the Service. We are incorporated in India under the Companies Act, 2013. Our registered office address is available on request via the contact channels listed below.
2. Data we collect
2.1 Account information
- Name and email address (from your Google sign-in).
- Google account identifier (a non-secret unique ID).
- Account creation timestamp and most-recent sign-in timestamp.
2.2 Financial model data you provide
- Cash balance, monthly recurring revenue, growth rate, headcount and salary information, operating expenses, one-time costs, fundraise plans.
- Project metadata (Business or Life), currency, intake state.
- Decisions you create and their outcomes (committed, declined, dismissed).
2.3 Conversations and content
- The full transcript of your chat sessions with the AI agent.
- Tool calls the agent makes against your model, and the engine's outputs.
- Follow-up items the agent generates and the status updates you record.
- Product feedback you submit through the Service.
2.4 Usage telemetry
- Page views, button clicks, session duration, feature usage events.
- Hashed user identifier (SHA-256, first 16 hex chars) for cohort analytics.
- Aggregate API cost per user, token counts, latency measurements.
- Error logs and crash reports (without your message content).
2.5 Technical data
- IP address, device type, operating system, browser version, language.
- Approximate location derived from IP address (country and city).
- Time zone.
We do not ask for, and you should not provide, your bank login credentials, debit/credit card numbers, government identifiers (PAN, Aadhaar, SSN), or other sensitive identifiers. The Service does not require them.
3. How we use your data
- To deliver the Service: build and maintain your financial model, run the agent, persist your decisions, and present outputs back to you.
- To compute runway and answer scenario questions deterministically on the server.
- To identify and rate-limit your account so the Service stays available.
- To detect, investigate, and prevent abuse, fraud, or security incidents.
- To improve the product based on aggregate usage patterns.
- To respond to your support, feedback, and grievance requests.
- To comply with applicable laws and lawful requests from authorities.
4. Legal basis for processing
Under the DPDP Act, we process your personal data on the basis of your consent, given when you create an account and accept these terms. For specific operations such as security incident response, abuse prevention, and complying with legal obligations, we may also rely on the legitimate-uses provisions of the DPDP Act.
You may withdraw consent at any time by deleting your account. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
5. Sharing & subprocessors
We do not sell your personal data. We do not share your personal data with third parties for marketing or advertising. We share limited data with the following subprocessors strictly to operate the Service:
- Anthropic, PBC (USA) — provides the Claude API. Receives your messages and a snapshot of your model context to produce agent replies. Sent with cache-control: ephemeral; we have not opted in to model training.
- Supabase Inc. (USA / EU regions) — provides the Postgres database, storage, and authentication. Stores your model, transcripts, decisions, follow-ups, and account information. Encrypted at rest (AES-256).
- Fly.io, Inc. (USA, with Mumbai region for our app) — hosts our application servers. Processes requests in transit.
- Google LLC (USA) — provides Google Sign-In and Google Analytics 4. GA4 is configured with anonymized IP and no advertising features.
- PostHog Inc. (USA / EU regions) — provides product analytics. Receives event names, hashed user IDs, and event metadata. We do not send money values to PostHog.
Each subprocessor is contractually bound to handle your data only on our instructions and to apply industry-standard security measures.
We may also disclose data when required by law, valid legal process (subpoena, court order), or to protect the rights, property, or safety of users or the public.
6. Cross-border transfers
The subprocessors above are located outside India. Your personal data may be transferred to and processed in the United States and the European Union. The DPDP Act, 2023 permits cross-border transfers except to countries the Central Government may from time to time restrict. We monitor that list and will adjust subprocessors if any of them become restricted.
7. Retention
- Account data, model state, transcripts, decisions, and follow-ups are retained for as long as your account is active.
- Aggregate analytics and error logs are retained for up to 24 months.
- When you delete your account, your data is removed from active databases immediately. Encrypted backup snapshots may retain copies for up to 30 days before being purged.
- We may retain a minimal record of account-deletion timestamps for fraud-prevention and audit purposes for up to 12 months.
8. Security
- TLS 1.2+ for all data in transit.
- AES-256 encryption at rest, applied by Supabase by default.
- Postgres row-level security on every user-keyed table; an authenticated request can read only its own rows even if our application code has a bug.
- JWT-based authentication with short-lived access tokens and rotating refresh tokens.
- Rate limiting and a per-day cost ceiling protect against runaway usage and abuse.
- Defense in depth: even where the agent has tool access, the runway calculator is pure server-side TypeScript with 100% test coverage; the AI never executes the math itself.
- Production access is restricted to authorized engineers and audited.
No internet-based service can be made entirely secure. We will notify affected users and the Data Protection Board of India in the event of a personal-data breach, in accordance with the timelines set by the DPDP Act and its rules.
9. Your rights under the DPDP Act
As a Data Principal, you have the following rights:
- Right to information: a summary of the personal data we process about you and the purposes of processing.
- Right to correction and erasure: ask us to correct inaccurate data or delete personal data that is no longer necessary for the purposes it was collected for.
- Right to grievance redressal: raise a complaint with our grievance officer (see Section 13).
- Right to nominate: name another individual to exercise your rights in the event of your death or incapacity.
- Right to withdraw consent: at any time, by deleting your account or by writing to us.
Most of these can be exercised directly inside the app (Settings → Account). For anything you cannot do in-app, email the grievance officer.
10. Cookies & analytics
We use a small number of cookies for essential functionality (authentication session, CSRF protection) and for analytics (Google Analytics 4, PostHog). We do not use third-party advertising cookies, retargeting pixels, or data brokers. Browser-level controls let you block or clear cookies; doing so may make the Service unable to keep you signed in.
11. Children
The Service is not intended for individuals under 18 years of age. If we learn that we have collected personal data from a child, we will delete it. If you believe we have data on a minor, please contact the grievance officer.
12. AI training
We do not use your data to train artificial intelligence models. Anthropic does not train its models on API traffic that does not opt in; we have not opted in. Within our own systems, we may compute aggregate, de-identified statistics over your usage to improve heuristics (for example, scenario-suggestion ranking), but no individual content of yours is used to train models we deploy or distribute.
13. Grievance officer
Grievance Officer: Hemant Bangar
Entity: Cognitive Products Labs Pvt. Ltd.
Email: hemant@fingine.ai (subject line: "Privacy / Grievance")
We will acknowledge your complaint within 7 days and respond within the period prescribed under the DPDP Act and its rules. If you are unsatisfied with our response, you may escalate to the Data Protection Board of India once it is constituted.
14. Changes to this policy
We may update this policy as the product matures or as the law evolves. Material changes will be announced via the Service and the "Effective" date above will update. Continued use after changes constitutes acceptance.
15. Contact
For any privacy-related question, request, or complaint:
- Email: hemant@fingine.ai
- Subject line tag: "Privacy"