The data controller — the person responsible for deciding how and why your personal data is processed — is:
FinLitPath
Operated by: Godwin Saiju Dominic
Email: enquiriesFLP@outlook.com
Response time: within 5 business days
FinLitPath is currently operated as an individual project. A formal Data Protection Officer (DPO) has not been appointed, as the scale of processing does not require one under Article 37 UK GDPR. All data protection queries should be directed to the email address above.
We are registered with and subject to the oversight of the Information Commissioner's Office (ICO), the UK's independent authority for data protection law. You can contact the ICO at ico.org.uk or on 0303 123 1113.
Based on a full audit of the FinLitPath codebase, we collect and process the following categories of personal data:
| Data Element | Source | Required? |
|---|---|---|
| Email address | Registration form | Yes |
| Username | Registration form (chosen by you) | Yes |
| Date of birth (month & year) | Registration form | Yes — for age verification |
| Password | Registration form — hashed by Supabase using bcrypt; we never see or store your plain-text password | Yes |
| Full name | Optional profile setting | No |
| Data Element | Purpose |
|---|---|
| Monthly / annual income | Budget plan calculation; financial health scoring |
| Monthly expenses and savings amounts | Financial health scoring |
| Budget method selection (e.g. 50/30/20) | Budget plan display |
| Financial goal titles, target amounts, current amounts, deadline year | Goal tracking and progress display |
| Investment watchlist symbols (e.g. AAPL, MSFT) | Market quote display |
| Data Element | Purpose |
|---|---|
| Quiz scores (points scored, total questions) | Literacy score calculation |
| Glossary accuracy and time taken | Literacy score calculation |
| Daily task completion counts and streak | Progress tracking and gamification |
| Leaderboard display name, points, level, streak, personality type | Leaderboard feature |
| Financial personality quiz result | Personalised tips; stored locally in your browser |
| Data Element | Purpose |
|---|---|
| Your unique referral code | Referral programme — auto-generated on account creation |
| Record of who referred you (referrer's user ID) | Awarding referral bonus points |
| Data Element | How Collected |
|---|---|
| IP address | Automatically by Supabase (auth), Neon (database), and Netlify (web hosting) as part of standard server operation |
| Authentication tokens (access token, refresh token) | Issued by Supabase on login; stored in your browser's localStorage |
| Browser / device type (user-agent) | Standard HTTP headers received by our servers |
| Feature usage patterns | Derived from API calls (e.g. which tools you use, when) |
| Theme preference (light/dark) | Stored in your browser's localStorage — never sent to our servers |
We collect data that you actively provide to us when you:
When you use the Platform, certain data is collected automatically:
finlitpath-auth;?ref= parameter), we record the referral code to associate you with the referring user if you register.
UK GDPR requires us to have a lawful basis for every type of processing. The table below sets out the basis for each category of data we process.
| Data / Processing Activity | Legal Basis | Explanation |
|---|---|---|
| Account creation (email, username, DOB, password) | Contract — Art. 6(1)(b) | Necessary to perform the contract with you (creating and operating your account) |
| Budget, goal, and scoring tools (income, expenses, savings) | Contract — Art. 6(1)(b) | Necessary to deliver the core Services you signed up for |
| Financial goal tracking | Contract — Art. 6(1)(b) | Necessary to provide goal tracking features you have requested |
| Investment watchlist | Contract — Art. 6(1)(b) | Necessary to display market quotes for symbols you have selected |
| Literacy scoring, quiz data, daily tasks | Contract — Art. 6(1)(b) | Necessary to provide learning progress tracking and gamification features |
| Leaderboard (display name, points, level, streak) | Legitimate Interests — Art. 6(1)(f) | We have a legitimate interest in facilitating community engagement features. Balancing test: you can choose your display name; participation is voluntary; data is pseudonymous |
| Referral programme | Legitimate Interests — Art. 6(1)(f) | We have a legitimate interest in growing the user base. Balancing test: no monetary value is at stake; referral codes are pseudonymous; the programme is fully opt-in |
| Transactional welcome email (via Resend) | Contract — Art. 6(1)(b) | Sending account confirmation / onboarding information is part of service delivery |
| Authentication tokens in localStorage | Contract — Art. 6(1)(b) | Strictly necessary to maintain your authenticated session |
| IP address / server logs (infrastructure) | Legitimate Interests — Art. 6(1)(f) | Security, fraud prevention, and abuse detection. Logs are retained only as long as operationally necessary |
| Account deletion cascade | Legal Obligation — Art. 6(1)(c) & Contract — Art. 6(1)(b) | Responding to your right to erasure; fulfilling our contractual obligation to delete your data on request |
We will not sell your personal data to third parties. We will not use your Financial Information for credit scoring, underwriting, or any purpose other than delivering the educational tools you requested.
We do not sell your data. We share personal data only with the sub-processors listed below, each of whom processes data strictly on our behalf and under a Data Processing Agreement (DPA).
Processes your email, password hash, username, and date of birth for account creation and login. Data is stored on EU-region infrastructure.
Stores all application data (budgets, goals, scores, watchlists, leaderboard). Our database instance is located in eu-west-2 (AWS EU West — Ireland/London region).
Hosts and serves the FinLitPath web application. Netlify may process your IP address and browser user-agent in access logs.
Used to send your welcome email on registration. Receives your email address for this purpose only. No marketing emails are sent.
Provides financial news headlines and article links. No personal data about you is shared with The Guardian.
Provides financial news content. No personal data about you is shared with this provider.
We may disclose your personal data to law enforcement, regulators, or courts where we are legally obliged to do so, or where necessary to protect the rights, property, or safety of FinLitPath, its users, or the public.
In the event that FinLitPath is transferred to, or merged with, another entity, your personal data may be transferred as part of that transaction. We will notify you before any such transfer takes effect and give you the opportunity to delete your account.
The UK has left the EU. Under UK GDPR, transfers of personal data outside the UK require an appropriate safeguard.
Several of our sub-processors (Supabase, Neon, Netlify, Resend, Currents API) are incorporated in the United States. The UK Government has not issued an adequacy regulation covering the US in general. We therefore rely on UK International Data Transfer Agreements (IDTAs) or the equivalent EU Standard Contractual Clauses (SCCs) (approved for UK use under the IDTA transitional provision) with each US-based processor.
In practice, however:
You may request a copy of the relevant transfer safeguards by emailing enquiriesFLP@outlook.com.
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data (email, username, DOB, password hash) | Until you delete your account, then immediately erased | Required to operate your account. On deletion, erased from our database and from Supabase Auth simultaneously. |
| Financial Information (budgets, goals, scores) | Until you delete your account, then immediately erased | Linked to your account. Cascade-deleted on account deletion. |
| Watchlist items | Until you remove them or delete your account | User-controlled. |
| Literacy scores, task completion data | Until you delete your account, then immediately erased | Cascade-deleted on account deletion. |
| Leaderboard entries | Until you delete your account, then immediately erased | Cascade-deleted on account deletion. |
| Referral records | Until you delete your account, then immediately erased | Cascade-deleted on account deletion (both as referrer and referred). |
| Server / infrastructure logs (IP, user-agent) | Up to 30 days, as managed by Netlify / Supabase / Neon default policies | Security, debugging. Controlled by third-party platform default policies. |
| Email delivery records (Resend) | Up to 30 days on Resend's platform | Email delivery confirmation. Controlled by Resend's data retention policy. |
| Browser localStorage data (auth token, theme, quiz state) | Until you clear your browser storage or log out (which clears auth tokens) | Stored client-side in your browser — we cannot delete it remotely. You can clear it yourself via your browser settings. |
We do not retain your data for longer than necessary. Account deletion is permanent and irreversible — we do not operate a "soft delete" or grace period. If you wish to export your data before deleting, see Section 9 (Right to Portability).
Under UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data. To exercise any of these rights, email enquiriesFLP@outlook.com. We will respond within one calendar month (extendable by a further two months for complex requests, with notice).
FinLitPath uses a combination of browser cookies (managed by Supabase) and browser localStorage to deliver its Services. We do not use advertising cookies, third-party tracking cookies, or analytics cookies.
These cookies are essential for the Platform to work. You cannot opt out of these without losing core functionality.
| Name / Key | Type | Purpose | Expiry |
|---|---|---|---|
| sb-* (Supabase session cookies) | HTTP Cookie | Maintains your authenticated session so you don't need to log in on every page | Session / up to 1 week |
| finlitpath-auth (localStorage) | localStorage | Stores your access token, refresh token, and basic user metadata (ID, email, username) client-side | Until logout or browser storage cleared |
These localStorage entries store your preferences and in-progress state. They do not leave your device.
| Key | Purpose | Stored On Server? |
|---|---|---|
| finlitpath-theme | Remembers your light/dark mode preference | No |
| finlitpath-todo, finlitpath-todo-date, finlitpath-streak | Caches your daily task list and streak counter between page loads | No |
| finlitpath-quiz-date, finlitpath-quiz-answered | Tracks which quiz questions you've answered today to prevent repetition | No |
| finlitpath-mastery-score, finlitpath-mastery-complete | Stores your glossary mastery game progress for the current session | No |
| finlitpath-personality-result | Stores your financial personality quiz result | No |
You can control and manage cookies and localStorage through your browser settings:
Clearing your localStorage will log you out and reset your locally stored preferences. It will not delete any data stored on our servers — use the Delete Account feature for that.
We do not load any third-party advertising, tracking, or analytics scripts. Google Fonts are self-hosted via Next.js and no font requests are sent to Google's servers.
Under UK GDPR Article 8, the age of consent for information society services in the UK is 13 years. Our Platform requires users to be at least 13 years old to register.
Users aged 13–17: The Platform deals with financial topics aimed at building literacy skills. Users under 18 should be aware that the financial tools, savings rate information, and market news on this Platform relate to adult financial products. We recommend that users under 18 discuss any financial decisions with a parent or guardian.
If you believe a child under 13 has created an account on our Platform, please contact us at enquiriesFLP@outlook.com. We will promptly delete the account and all associated data.
We do not direct targeted marketing at children, and we do not create profiles of children's online behaviour for commercial purposes.
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include:
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of the breach, as required by Article 33 UK GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.
No security system is impenetrable. You also have a role to play: use a strong, unique password; do not share your login credentials; log out when using shared devices; and notify us immediately if you suspect your account has been compromised.
We may update this Privacy Policy from time to time to reflect changes to our data processing practices, legal requirements, or the features of the Platform. When we make changes:
| Version | Date | Summary |
|---|---|---|
| v1.0 | 26 April 2026 | Initial publication following full codebase audit |
For any questions, requests, or complaints about this Privacy Policy or our data practices, please contact:
FinLitPath — Privacy Enquiries
Operated by: Godwin Saiju Dominic
Email: enquiriesFLP@outlook.com
Response time: within 5 business days (for general enquiries); within one calendar month (for formal rights requests)
If you are unhappy with our response, or believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk/make-a-complaint/
Telephone: 0303 123 1113
We would always appreciate the opportunity to address your concerns before you approach the ICO, but you are entitled to contact the ICO at any time.