Farlio

Legal

Privacy Policy

Last updated: 5 July 2026 · Governing law: United States

1. About this policy

Farlio ("we", "us", "our") is committed to protecting your personal information in accordance with applicable U.S. federal and state privacy laws, including the California Consumer Privacy Act (CCPA/CPRA) for California residents.

This policy explains what personal information we collect, why we collect it, how we use and disclose it, how you can access or correct it, and how to make a complaint.

If you have any questions, contact us at privacy@farlio.app

2. What personal information we collect

We collect the following categories of personal information:

Account information: Email address, encrypted password.
Business details: Business name, trade/industry type, EIN, sales tax collection setting, business address.
Financial records: Expense amounts, categories, dates, vendor names, sales tax amounts, income records, invoice amounts, client names and email addresses.
Uploaded documents: Photographs and PDFs of receipts, invoices and other financial documents you upload for AI processing.
Payment information: Subscription status. Card details are processed directly by Stripe and never stored on our servers.
Profile information: Full name, bank account details (optional, used for invoice payment details only), logo image.
Usage data: Pages visited, features used, device type, browser type, IP address, timestamps — collected for service improvement and security.
Communication data: Messages you send to our support team.

We collect this information when you register, use features of the service, upload documents, or contact support. We do not collect sensitive information such as health, racial or political data.

3. Why we collect your information (purpose of collection)

We collect personal information only for the following purposes:

  • Providing the expense tracking, income management, invoice and tax tools described in the service
  • Processing receipt and invoice uploads using AI data extraction (OpenAI API)
  • Generating PDF invoices containing your business details for you to send to clients
  • Sending invoice emails to your nominated client email addresses on your instruction
  • Calculating sales tax estimates, quarterly estimated tax worksheets and federal tax estimates
  • Processing subscription payments and managing your account
  • Communicating with you about your account, service updates and security
  • Complying with our legal obligations and protecting our legal rights
  • Improving the accuracy of our AI and the features of the service (using anonymised aggregate data only)

We do not sell, rent or trade your personal information. We do not use your financial data for marketing to third parties.

4. Disclosure to third parties

We disclose your personal information to the following third-party service providers, solely for the purpose of delivering the service to you:

Supabase

Database, authentication and encrypted file storage. Your data is stored in Supabase's secure cloud infrastructure. Supabase is SOC 2 Type II certified. Servers may be located in the United States.

Privacy policy: supabase.com/privacy

OpenAI

AI-powered data extraction from uploaded receipts and invoices. The content of your uploaded documents (images and text) is sent to OpenAI's API for processing. OpenAI does not use API input/output data to train its models. Data is processed in the United States.

Privacy policy: openai.com/policies/privacy-policy

Stripe

Subscription payment processing. Your payment card details are entered directly into Stripe's secure interface and are never transmitted to or stored on our servers. Stripe is PCI-DSS Level 1 certified. Data may be processed internationally.

Privacy policy: stripe.com/privacy

Resend

Email delivery service for invoice emails sent to your clients, and service notification emails sent to you. Email addresses and email content are processed by Resend.

Privacy policy: resend.com/privacy

Vercel

Application hosting and global content delivery. Servers are located in multiple regions including the United States and Europe.

Privacy policy: vercel.com/legal/privacy-policy

Data transfers

Some of our service providers (Supabase, OpenAI, Vercel, Stripe, Resend) may process data outside your home state, including internationally. By using Farlio, you consent to your personal information being transferred to and processed in the United States and other countries. We take reasonable steps to ensure these providers maintain adequate protections.

5. Cookies and local storage

Farlio uses the following technologies to operate the service:

  • Authentication cookies: set by Supabase to maintain your login session. These are essential for the service to function.
  • Local storage: used to cache UI preferences such as theme settings.
  • No third-party advertising or tracking cookies are used.
  • No analytics cookies (Google Analytics, etc.) are used.

You can disable cookies in your browser settings, but this will prevent you from logging in to the service.

6. Data security

We take reasonable steps to protect your personal information from misuse, interference, loss, and unauthorised access, modification or disclosure. Our security measures include:

  • HTTPS (TLS) encryption for all data in transit
  • Row Level Security (RLS) on our database — your data is logically isolated from other users' data
  • Time-limited signed URLs for file access (7-day expiry)
  • Supabase SOC 2 Type II certified infrastructure
  • Stripe PCI-DSS Level 1 certified payment processing
  • Passwords are hashed and never stored in plain text

No method of transmission over the internet is 100% secure. While we implement industry-standard protections, we cannot guarantee absolute security.

7. Data retention

We retain your personal information for as long as your account is active or as needed to provide the service.

  • Account data: retained while your account is active.
  • Financial records: retained for the life of your account. The IRS generally recommends keeping tax records for at least 3 years (longer in some situations) — we recommend exporting your data before account deletion.
  • Uploaded files: deleted within 30 days of account deletion.
  • Anonymised usage statistics: may be retained indefinitely for service improvement.
  • Payment transaction records: retained as required by Stripe's compliance obligations.

When you delete your account from Profile settings, your personal data and uploaded files are permanently deleted within 30 days. This action cannot be undone — export your data first.

8. Your rights

You have the following rights regarding your personal information:

Access: Request a copy of the personal information we hold about you. We will respond within 30 days.
Correction: Request correction of inaccurate, incomplete or outdated information. You can update most information directly in your Profile.
Deletion: Delete your account and all associated data at any time from Profile settings.
California residents (CCPA/CPRA): Right to know what personal information we collect, right to delete, right to correct, and right to opt out of the sale or sharing of personal information — though we do not sell or share your personal information.
Residents of Virginia, Colorado, Connecticut, Utah and other states with comprehensive privacy laws: Right to access, correct, delete and obtain a portable copy of your personal information, and right to opt out of targeted advertising, sale, or profiling — none of which we engage in. We will honour these rights for residents of any U.S. state that grants them, regardless of your specific state of residence.
Complaint: Contact us if you believe we have mishandled your personal information.

To exercise any of these rights, contact us at privacy@farlio.app. We will respond within 30 days. We will not discriminate against you (e.g. by denying service or changing pricing) for exercising any privacy right.

We honour Global Privacy Control (GPC) browser signals as a valid opt-out request where recognised by applicable law, although we do not sell or share personal information in the first place.

9. Data breach notification

If we become aware of a data breach that is likely to result in harm to individuals, we will notify affected individuals and any relevant state regulators as required by applicable state data breach notification laws, and will:

  • Notify affected individuals as soon as practicable
  • Notify relevant state Attorneys General where required by law
  • Provide details of the breach and recommended steps to minimise harm

10. Children's privacy

Farlio is intended only for persons aged 18 years or older who are self-employed, an independent contractor, freelancer or small business owner in the United States, or authorised to use the Service on behalf of one. In accordance with the Children's Online Privacy Protection Act (COPPA), we do not knowingly collect personal information from persons under 13. If we become aware that a person under 13 has provided us with personal information, we will delete it promptly.

11. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes to our practices or legal obligations. We will notify you of material changes by email at least 14 days before they take effect, and update the "Last updated" date at the top of this page. Continued use of the service after changes constitutes acceptance.

12. How to make a complaint

If you believe we have mishandled your personal information, please contact us first:

Email: privacy@farlio.app

We will acknowledge your complaint within 5 business days and endeavour to resolve it within 30 days.

If you are not satisfied with our response, you may file a complaint with the Federal Trade Commission (FTC) or your state Attorney General's consumer protection office:

FTC complaint website: reportfraud.ftc.gov

California residents may also contact the California Attorney General's office regarding CCPA rights.