Privacy Policy

How we collect, use, and protect your information

Effective date: March 11, 2026

1. Introduction

This Privacy Policy describes how Finnly (“we,” “us,” or “our”) collects, uses, and protects information when you use our professional community platform (“Service”). Finnly is operated from California, United States.

We do not sell, rent, or trade your personal information to third parties. We never have, and we never will.

This Privacy Policy should be read in conjunction with our Terms of Service.

2. Definitions

  • “Service” refers to the Finnly website at finnly.ai, our professional community, and all related features.
  • “Personal Information” means any information that identifies, relates to, or could reasonably be linked to you or your household.
  • “Processing” means any operation performed on Personal Information, whether automated or manual.
  • “You” and “Your” refer to the individual accessing or using the Service.
  • “We,” “Us,” and “Our” refer to Finnly.

3. Information We Collect

3.1 Information You Provide Directly

When you apply to the professional community:

  • Name, email address, LinkedIn profile URL
  • Professional specialty, years of experience
  • AI tools used and comfort level
  • Motivation for joining, referral source

When you communicate with us:

  • Email correspondence
  • Information shared during consultation calls

3.2 Information Collected Automatically

When you visit our website, we may automatically collect:

  • IP addresses
  • Browser type and version
  • Device information and operating system
  • Pages viewed, time spent, and referring URLs
  • Access times and dates

3.3 What We Do Not Collect

  • No payment or financial account information (we do not process payments through the website)
  • No government IDs or social security numbers
  • No biometric data
  • No precise geolocation tracking

4. How We Use Your Information

Core Functionality

  • Evaluate community applications and conduct vetting
  • Facilitate community membership and communications
  • Respond to your inquiries and support requests

Platform Improvement

  • Analyze usage patterns to enhance user experience
  • Identify and fix bugs or technical issues

Communications

  • Send service-related communications and updates
  • Respond to your inquiries and support requests
  • Comply with legal obligations

5. Cookies and Tracking Technologies

Essential Storage

We use localStorage to remember your cookie consent preference. This is required for the site to function properly and cannot be disabled.

Analytics

We use Plausible Analytics, a privacy-friendly, cookie-free analytics service. Plausible does not use cookies, does not collect personal data, and does not track you across websites. All data is aggregated and anonymous. Plausible is GDPR, CCPA, and PECR compliant out of the box. For details, see Plausible's data policy.

What We Do Not Use

  • No advertising cookies or ad-tracking pixels
  • No cross-site tracking for advertising purposes
  • No social media tracking pixels
  • No third-party marketing cookies

Managing Cookies

You can manage cookies through your browser settings. Most browsers allow you to block or delete cookies. Clearing localStorage will reset your cookie consent preference.

6. Data Storage and Security

Data Location

All data is stored and processed in the United States. Our website is hosted by Render and served through Cloudflare's CDN. Form submissions are processed by Formspree.

Security Measures

  • All data transmitted between your browser and our servers is encrypted using TLS (HTTPS)
  • DDoS protection via Cloudflare
  • Static site architecture with no database or server-side code exposed to the public internet
  • Form data transmitted securely to Formspree's encrypted infrastructure

Security Limitations

No method of internet transmission or electronic storage is completely secure. While we strive to use commercially acceptable means to protect your Personal Information, we cannot guarantee its absolute security.

7. Information Sharing and Disclosure

We do not sell, trade, or rent your Personal Information to third parties.

We may share information only in these limited circumstances:

  • Service Providers: With trusted sub-processors who assist in operating the Service (see Section 8), solely for the purposes described in this policy
  • Legal Requirements: When required by law, court order, or government request
  • Safety and Security: To protect our rights, property, safety, or that of users or the public
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, in which case we will notify affected users before Personal Information is transferred

8. Sub-Processors

The following third-party services process data on our behalf:

Service | Purpose | Data Processed | Location
--- | --- | --- | ---
Formspree | Form processing | Form submissions (name, email, form data) | United States
Render | Website hosting | Server logs (IP, browser, access times) | United States
Cloudflare | DNS, CDN, DDoS protection | IP address, browser info, request data | Global (edge network)
Google Fonts | Font delivery | IP address, browser info | United States
Slack | Community platform | Name, email, messages, files, metadata | United States
Plausible Analytics | Privacy-friendly analytics | Aggregated, anonymous page views (no personal data, no cookies) | European Union

Each sub-processor is contractually obligated to protect your data and may only process it for the specific purposes described above.

9. Data Retention

We retain information only as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce our Terms of Service.

  • Community applications: Retained for up to 2 years unless you request deletion
  • Email correspondence: Retained for the duration of the business relationship
  • Server logs: Retained for approximately 90 days
  • Cookie consent preference: Retained in your browser until you clear localStorage

10. Your Privacy Rights

Regardless of your location, you have the following rights:

  • Access: Request a copy of all Personal Information we hold about you
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your Personal Information
  • Portability: Request your data in a structured, commonly used format
  • Restriction: Request limitation of processing
  • Objection: Object to processing based on legitimate interests
  • Withdraw Consent: Withdraw consent at any time where consent is the basis for processing

To exercise any of these rights, contact us at marc@finnly.ai with the subject line “Privacy Request.”

11. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

Categories of Personal Information Collected

  • Identifiers: name, email, IP address, LinkedIn profile URL
  • Professional information: specialty, experience, credentials
  • Internet activity: pages viewed, interactions, browser info

Your California Rights

  • Right to know: Request disclosure of categories and specific pieces of Personal Information collected
  • Right to correct: Request correction of inaccurate Personal Information
  • Right to delete: Request deletion of your Personal Information
  • Right to opt-out of sale: We do not sell Personal Information
  • Right to non-discrimination: We will not discriminate against you for exercising privacy rights
  • Right to limit use of sensitive information: We do not collect sensitive Personal Information as defined by the CPRA

We will respond to verified CCPA requests within 45 days. Email marc@finnly.ai with subject line “CCPA Request.”

12. Other U.S. State Privacy Rights

If you are a resident of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), or another state with applicable consumer privacy legislation, you may have similar rights including:

  • Right to access, correct, and delete your Personal Information
  • Right to data portability
  • Right to opt out of the sale of Personal Information (we do not sell your data)
  • Right to opt out of targeted advertising (we do not engage in targeted advertising)
  • Right to opt out of profiling

To exercise your rights, email marc@finnly.ai with subject line “State Privacy Request.”

13. European and UK Privacy Rights (GDPR)

If you are located in the EEA or UK, the GDPR provides you with additional rights.

Legal Basis for Processing

  • Contract performance: Processing necessary to provide the Service and respond to inquiries
  • Legitimate interests: Operating and improving the Service, preventing abuse, security
  • Consent: Where required (e.g., non-essential cookies)
  • Legal obligation: Compliance with applicable laws

Your GDPR Rights

  • Access: Request a copy of your Personal Information
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion (“right to be forgotten”)
  • Restriction: Request restriction of processing
  • Portability: Receive your data in a structured format
  • Objection: Object to processing based on legitimate interests
  • Withdraw consent: Withdraw consent at any time
  • Lodge a complaint: File a complaint with your local data protection authority

Data Controller

Finnly is the data controller. Sub-processors listed in Section 8 act as data processors on our behalf. We will respond to GDPR requests within 30 days. Email marc@finnly.ai with subject line “GDPR Request.”

14. International Data Transfers

If you access the Service from outside the United States, your information will be transferred to and processed in the United States.

Transfer Mechanisms

For transfers from the EEA/UK:

  • Standard Contractual Clauses (SCCs), where applicable through sub-processors
  • EU-U.S. Data Privacy Framework (DPF), where sub-processors are certified
  • Your explicit consent where no other mechanism applies

All international data transfers are protected by TLS encryption in transit.

15. Data Breach Notification

In the event of a data breach affecting your Personal Information:

  • Timeline: We will notify affected users within 72 hours of becoming aware of the breach
  • Method: Email notification and/or prominent notice on the Service
  • Content: Description of the breach, types of data involved, steps we are taking, steps you can take, and contact information for follow-up
  • Regulatory notification: We will notify relevant authorities as required by law, including under the GDPR (within 72 hours) and California Civil Code 1798.82

16. Use of Artificial Intelligence

Current AI Usage

Finnly shares AI tools and workflows with community members to help them work more effectively. The Finnly website was built with the assistance of AI coding tools.

No Training on User Data

We do not use your Personal Information or submitted content for training artificial intelligence or machine learning models.

Future AI Features

If we implement additional AI-powered features, we will update this Privacy Policy and our Terms of Service with clear disclosure and provide opt-out mechanisms where feasible.

17. Do Not Track Signals

We honor Do Not Track (DNT) signals sent by your browser. Our analytics provider, Plausible, does not use cookies or collect personal data, so it is compliant with DNT by design. Essential functionality (such as form submissions and cookie consent state) is not affected by DNT signals.

18. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect Personal Information from anyone under 18. If we become aware that we have collected Personal Information from a person under 18, we will delete such information promptly. If you believe we have inadvertently collected information from a minor, please contact us immediately.

19. Third-Party Links

The Service may contain links to third-party websites, including LinkedIn profiles and external resources. This Privacy Policy does not apply to third-party sites. We are not responsible for the privacy practices, content, or security of any third-party websites. We encourage you to review the privacy policy of every site you visit.

20. Changes to This Privacy Policy

When we update this Privacy Policy, we will post the updated policy on the Service, update the effective date, and, for material changes, provide at least 30 days' notice before changes take effect.

Your continued use of the Service after the effective date constitutes acceptance. If you do not agree, you must stop using the Service.

21. Contact Information

For privacy-related questions or to exercise your rights, contact us at:

marc@finnly.ai
Finnly
Marin County, California, United States

Recommended subject lines: “CCPA Request” for California privacy rights, “GDPR Request” for European/UK privacy rights, “State Privacy Request” for other U.S. state rights, or “Privacy Inquiry” for general questions.