Privacy at Fynn
Last updated · May 18, 2026
The short version
- Fynn is an experimental, pre-revenue tool. We're not selling your data — to anyone.
- We collect what we need to score cards: your stated spending profile, optionally your Plaid transactions, and your email.
- We never see or store your credit card numbers.
- If you link a bank via Plaid, we read transactions to estimate spend. We never move money.
- You can delete your account and all associated data at any time.
- Recommendations are informational. They are not financial advice, and we don't guarantee they'll be the best fit for your situation.
1. Who we are
Fynn is an independent credit card recommendation tool built and operated by a single developer. As of this writing, the product is in a free, experimental phase — we're not charging users, we're not running affiliate links, and there is no business model attached to your data. The product exists to test whether transparent, spend-based card recommendations are useful to people. Your data exists to power those recommendations, not to fund the product.
Fynn is available at fynn-credit.com and as a Chrome browser extension. This policy covers both.
2. What we collect
From your Fynn account
When you sign up — either with email and password or through Google — we receive and store:
- Your email address
- Your name, if you signed in with Google
- A securely hashed password, if you signed up with email and password
- Authentication session tokens issued by our identity provider (Supabase)
From the onboarding questionnaire
To recommend cards that fit you, we ask for self-reported information about your finances. None of this is verified against external sources unless you explicitly link a bank:
- Credit score range (and exact score if you choose to provide it)
- Annual income range
- Stated monthly spending by category (dining, groceries, rent, travel, etc.)
- Reward preferences and primary financial goals
- Cards you currently own (selected from a list — no card numbers)
- Whether you pay your statements in full, and optionally your revolving balance
From Plaid, if you connect a bank (optional)
Bank linking is optional. If you choose to connect an account, Plaid handles the login flow directly — your bank credentials never touch Fynn's servers. After you authenticate with Plaid, we receive:
- Transaction details: date, amount, merchant name, Plaid-assigned category, and the account the transaction belongs to. We pull approximately the last 90 days plus a year-to-date backfill on first connection.
- Account information: institution name, account type (credit, depository, etc.), last four digits of the account number, and current balance.
- Access tokens that let us refresh transactions over time. These are encrypted before being stored.
We use this data to compute your real monthly spending by category, which feeds the recommendation engine and the spend optimizer. We do not use it for anything else, and we never initiate transactions, move money, or interact with your bank in any way other than reading the transaction stream you authorized.
From the browser extension
When the Fynn extension is active on a merchant's checkout page, it reads:
- The URL of the page you're on, to identify the merchant
- A few structured-data fields on the page (Schema.org JSON-LD) to detect the merchant name and purchase amount, when those exist
- Generic page metadata (title, OpenGraph site name) as a fallback when structured data is absent
The extension sends only the resolved merchant identifier and inferred category to Fynn's API — never the full page contents, your cart, the URL parameters, or any form fields. It never reads payment forms, card numbers, addresses, or anything you type. Your session token, stored in chrome.storage.session, is cleared when you quit your browser.
The extension does not track which sites you visit. It only runs on pages where you've granted it permission, and it does not phone home about your browsing unless it's actively asking for a card recommendation.
What we do NOT collect
- Your credit card numbers (we use card identifiers — slugs like "chase-sapphire-preferred" — never PANs)
- Your bank login credentials (Plaid handles authentication; we never see them)
- Your location or device identifiers
- Your browsing history across sites
- Social security numbers, government IDs, or any verified identity data
3. How we use your data
Everything we collect is in service of a small set of purposes:
- Authentication. Sign you in, keep you signed in, sign you out when you ask.
- Card scoring. Run our recommendation engine over your profile and stated or detected spending to rank cards.
- Recurring spend detection. Group Plaid transactions to surface your subscriptions in the Recurring Spend view.
- Spend optimization. Recommend which of your existing cards earns the most for each spending category, and suggest which new card would add the most value if added to your wallet.
- Browser-extension recommendations. When the extension asks "which card here?", our API takes the merchant + category and returns the best match from your Fynn wallet.
- Product improvement. Anonymous, aggregated usage signals (e.g., how often features are used) help us understand what to build next. Personally identifying data is not used for marketing.
We do not use your data for advertising, behavioral profiling outside the app, building models for sale, lending decisions, credit reporting, or any other purpose unrelated to the core product.
4. Who we share data with
Fynn uses a small number of third-party processors to operate. They process your data on our behalf under their own privacy commitments — we never sell or rent your data to anyone.
- Supabase — Hosts our database and authentication. Your profile data, cards, sign-in credentials, and Plaid transactions are stored on Supabase's infrastructure (which in turn runs on AWS). supabase.com/privacy
- Plaid — Provides the bank-linking and transaction-aggregation service. If you choose to connect a bank, your bank credentials flow to Plaid, never to us, and Plaid's privacy practices apply to that data in addition to ours. plaid.com/legal
- Vercel — Hosts the web application. Vercel processes incoming requests and serves the Fynn UI. vercel.com/legal/privacy-policy
- Google — If you choose to sign in with Google, Google handles the authentication step and shares your email and name with us. policies.google.com/privacy
We will share your data when legally required — a valid court order, subpoena, or comparable government request that we cannot reasonably push back against.
5. How we store and secure data
Plaid access tokens are encrypted with AES-256-GCM before being written to the database. Passwords, when present, are hashed by Supabase before storage; we never see the plaintext. Session tokens in the browser extension live only in chrome.storage.session, which the browser clears when you quit it.
All traffic between you and Fynn is encrypted in transit (TLS). Database access is restricted to the Fynn application and the developer, and individual rows are additionally gated by Supabase's row-level security so that only your account can read your data.
That said: Fynn is a small, experimental project, not a banking-grade institution. We do our best with the practices above, but if you have especially sensitive requirements, please factor that into whether you connect a real bank account.
6. Your rights
- Access. You can see everything we have on you by signing in and going to your profile, my-cards, and connect-bank pages.
- Correction. Anything in your stated profile is editable from the profile page.
- Deletion. Email us at privacy@fynn-credit.com and we'll delete your account and all associated data within a reasonable timeframe (usually a few days). We'll confirm when it's done.
- Bank disconnection. You can revoke Plaid access from the connect-bank page at any time. Past transactions we pulled before disconnection will be retained unless you also request deletion.
- Extension uninstall. Uninstalling the Chrome extension clears any data it stored locally (session tokens, dismissed banner state). It does not delete your Fynn account or any data on our servers — that's a separate request.
- Portability. We'll provide a JSON export of your data on request; same email.
7. Cookies and local storage
The web app uses cookies and browser local storage for the following purposes only:
- Authentication session cookies set by Supabase
- An OAuth-intent cookie that briefly tracks whether you came from the login or signup button when round-tripping through Google
- UI preferences (e.g., dismissed banners, last-seen onboarding step)
We do not use third-party advertising cookies, analytics cookies that follow you across sites, or behavioral profiling tools.
8. Children
Fynn is not directed at children. We do not knowingly collect data from anyone under 18. Credit cards aren't a product for minors and we'll delete any account we determine belongs to one.
9. Important disclaimers
Recommendations are not financial advice. Fynn estimates the value of credit cards based on your stated profile, the spending we detect (or you report), and publicly available information about each card's rewards structure. It does this with deterministic math, not professional judgment. We are not a financial advisor, broker, or licensed institution. Our recommendations are informational and educational. Treat them as a starting point for your own decision-making, not as advice.
Accuracy is best-effort, not guaranteed. Card terms change frequently — issuers raise fees, change category bonuses, sunset welcome offers, adjust caps. Our card catalog is maintained on a periodic refresh cycle and can lag the issuer's current terms. Reward valuations involve assumptions (point values, redemption modes, hitting signup-bonus thresholds) that may not match your actual usage. We may also misclassify a merchant or miscategorize a transaction. Always verify the current terms on the issuer's page before applying for a card or making a financial decision based on a Fynn recommendation.
Approval is the issuer's decision, not ours. Fynn estimates approval probability from your stated credit score and a few other signals. We don't pull credit, talk to issuers, or have any insight into their underwriting. The actual application outcome is between you and the bank.
Experimental status. Fynn is in active development. Features, data schemas, and the recommendation engine itself change over time. We may occasionally have bugs that affect recommendation quality. Please flag anything that looks off — see the contact section below.
Independence today, potentially affiliate revenue later. At this writing, Fynn earns no money from your usage. We have no affiliate relationships with any issuer, and our rankings are not influenced by any commercial arrangement. If that ever changes in the future, we'll disclose it clearly here and on the recommendation surfaces themselves — and rankings will remain independent of any payment arrangement.
10. Changes to this policy
We'll update this page when our practices change. The "last updated" date at the top reflects the most recent revision. If a change is material — e.g., we start collecting a new category of data, or share data with a new processor — we'll surface the change in the app and (if we have your email) email you before it takes effect.
11. Contact
Questions, deletion requests, or anything else privacy-related: email privacy@fynn-credit.com.
We aim to respond within a few business days. If we miss it, follow up — solo dev, inbox occasionally overflows.
This policy is written in plain language to be readable. It is not a substitute for consulting a lawyer about your own privacy obligations. The terms used here are defined by their ordinary English meaning unless context requires otherwise.