Privacy Policy
Last updated: 2026-06-12
This Privacy Policy describes how Finch Labs, Inc.(“Finch,” “we,” “us,” or “our”) collects, uses, and shares information when you use our advertising-automation platform available at finchlabs.ai (the “Service”). Finch Labs, Inc. is a Wyoming corporation with its registered address at 1908 Thomes Ave STE 44233, Cheyenne, WY 82001, USA.
1. Information we collect
We collect the following categories of information:
- Account information. Name, email address, password hash, and tenant (workspace) name when you sign up.
- Connected-platform data. When you authorize Finch to connect to Meta (Facebook / Instagram), Google (Ads / Analytics 4), or Shopify, we receive an OAuth token via our broker (Nango) and use it to read advertising metrics, audience definitions, lead-form responses, and (for Shopify) orders + customer counts. We do not request write access to commerce data.
- Ad performance data. Impressions, clicks, conversions, spend, CTR, CPC, CPM, ROAS, and similar aggregate metrics from connected ad platforms.
- Lead outcomes. When you connect a chatbot integration (e.g., Agata IA), we periodically poll for lead-quality signals (qualified / not qualified, status updates) and associate them with the originating ad.
- Creative assets. Images, videos, and copy you upload or that our AI generates on your behalf.
- Usage data. Page views, feature interactions, evolution-run configurations, error logs, and IP address.
- Cookies. We use first-party session cookies (managed by Supabase) to keep you signed in. We do not use third-party advertising or tracking cookies on our marketing site.
2. How we use information
- To provide and operate the Service (generate ad variants, evaluate fitness, sync metrics).
- To improve the Service (debug errors, analyze feature usage in aggregate).
- To communicate with you about your account, billing, security, and product updates.
- To comply with legal obligations and enforce our Terms of Service.
- To detect, prevent, and respond to fraud, abuse, or violations of platform partners’ terms.
3. Subprocessors and third parties
We use the following service providers (subprocessors) to operate the Service. Each has its own privacy policy linked below.
- Supabase — database + authentication. Privacy
- Google Cloud Platform — application hosting (Cloud Run), object storage (Cloud Storage). Privacy
- Anthropic — AI model inference (Claude). Privacy
- Google AI — image generation (Imagen) and assistant (Gemini). Privacy
- Nango — OAuth token broker for Meta / Google / Shopify connections. Privacy
- Sentry — application error monitoring. Privacy
- Cloudflare — DNS and DDoS protection. Privacy
- Upstash — managed Redis for the job queue. Privacy
- Meta, Google, Shopify — the integrations you choose to connect. Their handling of your data is governed by their own policies.
We do not sell or rent personal information to third parties for advertising purposes.
4. Google user data and Limited Use
When you connect a Google account, Finch requests OAuth access — via our broker (Nango) — to the following Google services, and only for the purposes described:
- Google Ads. Read campaign, ad group, ad, and performance data (impressions, clicks, conversions, spend, CTR, CPC, CPM, ROAS) to evaluate creative fitness and produce optimization suggestions.
- Google Analytics 4. Read aggregate traffic and conversion metrics to attribute outcomes to your advertising.
We request the minimum scopes necessary for these features. We do not request write access to your Google Ads account and do not create, edit, pause, or delete your campaigns.
Limited Use.Finch Labs’ use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Concretely, Google user data is used only to provide and improve the user-facing features described above. It is not used for serving advertising; not sold or transferred to third parties for any purpose other than providing the Service (or as required by law, or in connection with a merger/acquisition with continued protection); not used to develop, improve, or train generalized AI/ML models; and is accessible to humans only with your explicit consent, to investigate security or abuse, or where required by applicable law.
You can revoke Finch’s access at any time from your Google Account’s third-party access settings or by disconnecting the integration inside Finch. OAuth tokens are deleted immediately upon disconnection.
5. International data transfers
Finch Labs is based in the United States, and our subprocessors are located in the United States and the European Union. By using the Service, you consent to the transfer of your information to these jurisdictions. Where required, we rely on Standard Contractual Clauses or equivalent safeguards.
6. Data retention
We retain account information for as long as your account is active and for up to 90 days after deletion (to allow recovery and to satisfy backup-retention cycles). Connected-platform tokens are deleted immediately upon disconnection or account closure. Ad performance and lead-outcome data are retained for analytics for up to 24 months unless you request earlier deletion. Server logs are retained for up to 30 days.
7. Your rights
- Access and export. You can export your data via /api/data-export (authenticated) or by emailing privacy@finchlabs.ai.
- Deletion. Request deletion at /data-deletion or by emailing privacy@finchlabs.ai.
- Correction. Update profile information from your account settings, or email us.
- EU/UK residents (GDPR). You also have the right to object to processing, restrict processing, withdraw consent, and lodge a complaint with your supervisory authority. For data-protection inquiries, email privacy@finchlabs.ai.
- California residents (CCPA/CPRA). You have the right to know what personal information we collect, to delete it, to correct it, to opt out of any “sale” or “sharing” (note: we do not sell personal information), and to non-discrimination for exercising these rights.
8. Security
We use industry-standard measures to protect your data, including TLS in transit, encryption at rest, OAuth-token isolation per tenant, row-level security on the database, and minimum-privilege access for engineers. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.
9. Children
The Service is not intended for children under 13 (or 16 in the EU/UK). We do not knowingly collect personal information from minors. If you believe a minor has provided us with information, contact privacy@finchlabs.ai and we will delete it.
10. Changes to this policy
We may update this policy from time to time. We will post the new version at this URL with an updated “Last updated” date. Material changes will be notified by email to active account holders at least 30 days before they take effect.
11. Contact
Privacy and data-protection inquiries: privacy@finchlabs.ai
General contact: support@finchlabs.ai
Mailing address: Finch Labs, Inc., 1908 Thomes Ave STE 44233, Cheyenne, WY 82001, USA