Privacy Policy

Effective Date: May 12, 2026 · Last Updated: May 12, 2026

1. Introduction

FNDR Tools, Inc. ("FNDR Tools," "we," "our," or "us") operates a financial operating system for ecommerce founders at app.fndr.tools and fndr.tools (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal and business information, including data we access on your behalf from third-party integrations you connect.

2. Information We Collect

a) Information you provide: name, email, business name, password, billing details.

b) Automatically collected: usage data, IP address, browser/device info, session cookies.

c) From third-party integrations you connect (on your behalf): see Section 3 for the per-integration breakdown.

3. Per-Integration Data Access

We only access the data necessary to deliver the features you use. You can disconnect any integration at any time from Settings → Integrations; disconnecting revokes our access token and triggers deletion of integration-derived data within the retention windows below.

QuickBooks Online (Intuit)

Data accessed: chart of accounts, transactions, invoices, bills, vendors, customers, journal entries, company info. Used to: reconcile bank activity, compute P&L and cash position, post writebacks you authorize. QuickBooks data remains the property of your QuickBooks Company; we do not sell it. Deleted within 30 days of disconnect or upon Intuit's request.

Shopify

Data accessed: orders, transactions, payouts, products, inventory, customers (name, email, order history). Used to: compute revenue, refunds, net revenue, margin, payout reconciliation. We implement the three Shopify GDPR webhooks: customers/data_request (we respond within 30 days), customers/redact (we delete the requested customer's data), and shop/redact (we delete all personal data tied to the shop within 48 hours of app uninstall). Customer data is encrypted at rest (AES-256) and in transit (TLS 1.2+).

Plaid (Bank Connections)

We use Plaid Inc. to access banking information you authorize. By connecting a financial institution through our Service, you grant Plaid the right, power, and authority to act on your behalf to access and transmit your personal and financial information from the relevant financial institution, according to the terms of Plaid's Privacy Policy. Data accessed: account names, balances, account/routing numbers (masked), and transaction history (typically 24 months). Used to: surface cash position, runway, expense categorisation, and bank-to-books reconciliation. You may revoke Plaid's access at any time via Plaid Portal (my.plaid.com) or by disconnecting in our Service.

Klaviyo

Data accessed: campaign performance, flow metrics, list and segment counts, email/SMS engagement aggregates. We do not pull individual subscriber PII into our database. All locally cached Klaviyo data is deleted when you disconnect. FNDR Tools is a B2B tool serving merchants — we do not receive, process, or forward individual subscriber deletion requests; those must be submitted directly to Klaviyo by your organization.

Meta Ads (Facebook / Instagram)

Data accessed: ad account info, campaign/adset/ad metadata, spend, impressions, clicks, conversions, attribution settings. We do not access user-level audience data. We share data with Meta solely as required to call the Meta Marketing API on your behalf. To request deletion of data we hold about you that originated from Meta, email support@fndr.tools or use the Disconnect button in Settings → Integrations; we delete the data within 30 days.

Google Ads

Data accessed: account, campaign, ad group, and keyword metadata, spend, impressions, clicks, conversions. Read-only access via Google Ads API; we hold the minimum scopes required to deliver the Service (Required Minimum Functionality / Minimum Scope Principle). You may revoke our access at any time via your Google Account permissions page.

TikTok Ads & TikTok Shop

TikTok Ads data accessed: ad account, campaign metrics, spend, conversions. TikTok Shop data accessed: orders, products, payouts, refunds. TikTok Shop order data is used solely to process and display orders, refunds, returns, cancellations, and related disputes — it is not used for any other purpose. Deleted on disconnect.

Amazon Seller (SP-API)

Data accessed: settlement statements, referral fees, FBA fees, deposit history, and FBA inventory metrics via the Selling Partner API. We process this data in accordance with the Amazon SP-API Data Protection Policy (DPP). We do not store individual customer PII (name, shipping address, phone) from Amazon orders — only financial and inventory aggregates are retained. Aggregate non-PII data is retained no longer than 18 months unless a longer period is legally required. Upon Amazon's request we delete applicable data within 30 days.

Stripe (Billing)

We use Stripe, Inc. to process your subscription payments. Payment-card data is collected directly by Stripe and never stored on our systems; we store only the Stripe customer ID, subscription metadata, and billing-address information you provide. Stripe's handling of your data is governed by Stripe's Privacy Policy.

4. How We Use Your Information

• Provide and operate the Service
• Sync and display financial, commerce, and marketing data you have connected
• Generate AI-powered insights and reports about your business
• Process payments and manage subscriptions
• Send transactional notifications and (with consent) digest emails
• Monitor and improve performance, security, and reliability
• Comply with legal obligations

We do not sell your data. We do not use data accessed from third-party integrations to train general-purpose AI models. AI features process your data only to generate insights for your account, and only the minimum context necessary is included in each call to our AI providers.

5. Data Storage and Security

• Stored on Supabase (PostgreSQL), EU West region (eu-west-1)
• Encrypted at rest (AES-256) and in transit (TLS 1.2+)
• Row-level security enforced at the database layer; all queries scoped by organization
• OAuth 2.0 (with PKCE where supported) for all third-party integrations
• All integration access tokens and refresh tokens encrypted (AES-GCM) before storage
• Webhook signatures verified for all inbound webhooks (Shopify HMAC, Plaid ES256, Stripe, Klaviyo)
• Critical vulnerabilities patched within 24 hours; high-severity within 7 days

6. Sub-Processors and Sharing

We do not sell or rent your data. We share data only with the sub-processors required to run the Service:

• Supabase (hosting / database) — EU West
• Vercel (application hosting / edge runtime)
• Stripe (subscription billing)
• Anthropic, OpenAI (AI inference, where used)
• Sentry (error monitoring, with PII scrubbing)
• PostHog (product analytics, EU-hosted)
• Inngest (background job queue)
• Resend (transactional email)
• Plaid, Intuit/QuickBooks, Shopify, Klaviyo, Meta, Google, TikTok, Amazon — only when you connect them

We may disclose data to legal authorities when required by law, and to an acquirer in a business transfer (with advance user notice).

7. Data Retention

Data is retained while your account is active and for as long as needed to provide the Service. Upon account termination, personal data is deleted within 30 days, except where the integration-specific retention rules in Section 3 require earlier deletion or where applicable law requires longer retention (e.g., tax records). To request deletion at any time, email support@fndr.tools.

8. Your Rights

You have the right to access, correct, delete, port, and object to processing of your personal data, and to withdraw consent at any time. Contact support@fndr.tools — we respond within 30 days. Residents of the EEA, UK, and Switzerland may lodge a complaint with their supervisory authority. California residents have additional rights under the CCPA/CPRA.

9. Cookies

Essential session and security cookies only. Product analytics (PostHog) use first-party cookies for funnel and feature usage measurement. No third-party advertising cookies.

10. Children's Privacy

The Service is not directed to individuals under 18. If you believe a minor has provided us data, contact support@fndr.tools.

11. International Transfers

Primary data processing occurs in the EU (eu-west-1). Sub-processors based outside the EEA operate under appropriate safeguards (Standard Contractual Clauses, adequacy decisions, or equivalent).

12. Changes

Material changes will be communicated by email or prominent in-app notice. Continued use after the effective date of changes constitutes acceptance.

13. Contact

FNDR Tools, Inc.
support@fndr.tools
fndr.tools