PRIVACY POLICY
Finsafe Application
Effective Date: March 25, 2026
Whale Task Co., Ltd. (บริษัท เวล ทาสก์ จำกัด) ("Whale Task", "we", "our", or "us") respects your privacy and is committed to safeguarding your personal data. This Privacy Policy explains how we collect, use, disclose, store, and protect personal data in connection with the Finsafe application and related services (collectively, the "Service").
This Policy applies to users of the Finsafe mobile application on Apple iOS and Android, including users who sign in with Apple, Google, or email/password and users who make in-app purchases through the Apple App Store or Google Play.
This Policy is intended to comply with applicable data protection requirements, including Thailand's Personal Data Protection Act B.E. 2562 (2019) ("PDPA"), where applicable.
1. DATA COLLECTION AND STORAGE
We collect and store personal data that is reasonably necessary to operate the Service.
1.1 Account and identity data
When you create or access an account, we may store:
- email address and normalized email address;
- display name, profile name, and profile photo URL if provided by your sign-in provider;
- Firebase user ID and the sign-in method used (for example: email, Google, or Apple);
- email verification status, account status, and account creation/update timestamps;
- account deletion request and reactivation status, where applicable.
If you use Sign in with Apple or Google Sign-In, we receive the identity data made available by those providers and by Firebase Authentication. We do not receive your password for Apple or Google accounts.
1.2 Device, session, and notification data
To secure your account, maintain active sessions, and send push notifications, we may store:
- device ID, device model, operating system version, app version, language, region, timezone, and platform;
- Firebase Cloud Messaging ("FCM") token and related session timestamps;
- notification topic subscription data used to send broadcast or language-specific mobile notifications.
For both iOS and Android, this device/session data is stored in our backend systems to manage sign-in activity and notification delivery. On iOS, push delivery may also involve Apple infrastructure through Firebase. On Android, push delivery may involve Google infrastructure through Firebase.
Finsafe does not collect precise GPS location, does not use persistent background location tracking, and does not require continuous real-time location updates for the core features of the Service.
1.3 User content and service records
When you use core product features, we may store content and records you submit or generate in the Service, including:
- contract draft titles, subtitles, structured draft payload data, draft status, and related timestamps;
- contract PDF files that you upload or unlock, along with a generated storage URL;
- payment tracker records such as debtor name, due dates, payment amount, currency, and notification preference;
- feedback and bug report data, including message content, subject, app version, platform, locale, and optional contact email.
Contract PDFs are stored in cloud object storage. Drafts, payment trackers, support records, and most operational records are stored in Cloud Firestore under your user account.
1.4 Wallet, purchase, and payment data for Apple and Android
If you buy in-app coin packages, we store payment records needed to verify the purchase, prevent duplicate credits, and credit the correct wallet.
For Apple App Store purchases on iOS, we may process and store:
- product ID;
- transaction ID and original transaction ID;
- App Store notification type, subtype, UUID, and environment;
- appAccountToken or related account identifier used to match the purchase to your Finsafe account;
- wallet ledger entry ID, credited coin amount, package details, and balance after credit.
For Google Play purchases on Android, we may process and store:
- product ID;
- package and wallet credit details;
- transaction metadata returned by verification workflows;
- a one-way hash of the Google Play purchase token in our payment history records.
For Google Play verification, the raw purchase token may be sent to the Google Play Developer API during verification, but we persist a hashed token in our payment transaction history instead of storing the raw token there. We do not store your full payment card number or bank account details because billing is handled by Apple or Google.
Finsafe does not provide Apple Pay checkout. Digital purchases in the app are handled through Apple App Store in-app purchase flows on iOS and Google Play billing flows on Android.
1.5 Where data is stored
Depending on the feature used, personal data may be stored in:
- Firebase Authentication for account identity and sign-in management;
- Cloud Firestore for user profiles, sessions, drafts, payment trackers, feedback conversations, wallets, ledger entries, and payment transaction history;
- Google Cloud Storage / Firebase Storage-compatible storage for contract PDF files;
- operational logs and security records generated by backend services.
2. PURPOSES OF PROCESSING
We process personal data to:
- create and manage your account;
- authenticate users and secure access to the Service;
- save drafts, generate contract outputs, and provide payment reminder functionality;
- send account, security, transactional, and optional push notifications;
- verify Apple App Store and Google Play purchases and credit wallet balances correctly;
- prevent fraud, abuse, duplicate purchase credits, and unauthorized access;
- provide customer support and respond to feedback or bug reports;
- maintain internal records, perform troubleshooting, and improve reliability;
- comply with legal obligations and enforce legal rights.
3. LEGAL BASES
Where required by law, we process personal data on one or more legal bases, including consent, contractual necessity, legitimate interests, legal obligations, and protection of vital interests.
4. DATA USE AND SHARING
We do not sell your personal data. We do not disclose personal data to data brokers. We do not use your personal data for third-party advertising sales.
4.1 Internal use
Within Whale Task, authorized personnel may access personal data only to the extent necessary to operate, support, secure, and improve the Service.
4.2 Service providers and platform operators
We may share personal data with service providers and platform operators that help us deliver the Service, including:
- Firebase / Google Cloud for authentication, database hosting, file storage, and push notification infrastructure;
- Apple, when needed to validate App Store receipts, process App Store Server Notifications, or reconcile iOS purchases;
- Google, when needed to validate Google Play purchases, process Android billing records, or support Google sign-in;
- communications, security, and infrastructure providers acting on our instructions and under appropriate confidentiality obligations.
For iOS users, Apple may independently process your billing, device, and App Store account information under Apple's own privacy documentation. For Android users, Google may independently process your billing, Google account, and Google Play account information under Google's own privacy documentation. Those platform providers act as separate controllers for data they collect directly from you.
4.3 Support, compliance, and legal requests
We may disclose personal data:
- to support personnel handling bug reports, customer inquiries, or account recovery requests;
- to auditors, legal advisers, and professional consultants where needed for compliance, risk management, or dispute handling;
- to competent authorities, regulators, courts, or law enforcement where required by law or lawful request;
- to successors in connection with merger, acquisition, financing, or restructuring, subject to lawful safeguards.
5. INTERNATIONAL TRANSFERS
Where data is transferred across borders, we apply appropriate safeguards consistent with applicable legal requirements.
6. RETENTION AND ACCOUNT DELETION
We retain personal data only for as long as necessary for the purposes stated in this Policy, unless a longer period is required or permitted by law.
In general:
- account records are retained while your account remains active;
- drafts, payment trackers, feedback records, wallet history, and purchase history are retained while needed to provide the Service, support users, prevent fraud, and maintain business records;
- contract PDF files are retained while associated with active account use or until they are deleted through our retention or account deletion processes;
- if you request account deletion, we currently disable the account and schedule permanent deletion after a 30-day retention window, unless a longer retention period is legally required.
You can initiate account deletion from the app. For a standard deletion request, we do not require you to call customer support or send an email to begin the process.
During the 30-day retention window, an eligible user may reactivate the account. After the 30-day period expires, we delete the account from active systems, including the user profile, sign-in session registrations, token registrations, stored drafts, and related payment or support records that are deleted as part of our account deletion workflow, except where retention is required by law.
When data is no longer required, it is deleted, anonymized, or securely archived, as appropriate.
7. DATA SECURITY
We implement reasonable technical and organizational measures to protect personal data against unauthorized access, loss, alteration, or disclosure. These measures include access controls, authenticated service integrations, and restricted operational access. No system can guarantee absolute security.
8. YOUR RIGHTS
Subject to applicable law, you may have rights to:
- access your personal data;
- request correction of inaccurate data;
- request deletion or restriction of processing;
- object to certain processing activities;
- request portability of eligible data;
- withdraw consent where processing is based on consent.
To exercise rights, please contact: privacy@whaletask.com
If you want to delete your account, you may also use the in-app account deletion flow in addition to contacting us about privacy rights.
9. CHILDREN'S PRIVACY
The Service is not intended for children under 18 years of age. We do not knowingly collect personal data from children without a lawful basis.
10. POLICY UPDATES
We may update this Privacy Policy periodically. Material changes will be communicated through the Service or other reasonable channels.
11. CONTACT
Whale Task Co., Ltd. (บริษัท เวล ทาสก์ จำกัด)
Email: privacy@whaletask.com
Data Protection Contact: dpo@whaletask.com