Privacy Policy
1. Who we are
This Privacy Policy describes how Cerberus Media (Pty) Ltd (“Cerberus”, “we”, “us”), a company registered in the Republic of South Africa, processes personal information in connection with the Finn platform at hello-finn.com (the “Service”).
Cerberus is the responsible party (Protection of Personal Information Act, 2013 — “POPIA”) and, where applicable, the data controller (UK GDPR / EU GDPR) in respect of personal information processed through the Service.
2. What we collect
We aim to collect only what we need. The categories of personal information we process are:
| Category | Examples | Source |
|---|---|---|
| Account information | Your name, email address, Google account ID, and profile picture URL. | Provided by Google when you sign in via Google OAuth. |
| Authentication & session data | Laravel session cookie, CSRF token, sign-in timestamps. | Generated automatically when you use the Service. |
| Technical & log data | IP address, browser user agent, request paths, timestamps, referrer headers. | Captured automatically by our web server and application logs. |
| Error & diagnostic data | Stack traces, error context, environment metadata, user identifiers attached to error events. | Generated automatically by Sentry when something breaks. |
We do not collect: payment information (the Service is currently free), exchange API keys, wallet addresses, trading account credentials, special-category / sensitive data (health, biometrics, religion, etc.), or marketing/analytics tracking data beyond what is described above.
3. Why we process it & the legal basis
| Purpose | Lawful basis (POPIA / GDPR) |
|---|---|
| Authenticate you and operate your account. | Performance of a contract with you / conclusion of a contract. |
| Provide, maintain, secure, and improve the Service. | Our legitimate interests in operating a functional, secure platform. |
| Diagnose errors, prevent abuse, and protect against fraud and unauthorised access. | Our legitimate interests in protecting the Service and our users. |
| Comply with legal obligations and respond to lawful requests. | Compliance with a legal obligation. |
| Enforce our Terms of Service and exercise or defend legal claims. | Our legitimate interests / establishment, exercise or defence of legal claims. |
4. Cookies
We use only the cookies strictly necessary for the Service to function:
- Session cookie (Laravel) — keeps you signed in.
- XSRF-TOKEN cookie — protects against cross-site request forgery.
We do not use advertising, analytics, or third-party tracking cookies. If that changes, we will update this Policy and, where required, ask for your consent first.
5. Sub-processors and third-party services
We share personal information only with the following service providers, and only as necessary to operate the Service:
| Provider | What it does | Where |
|---|---|---|
| Google LLC | OAuth authentication. We receive your name, email, Google account ID, and avatar URL. | United States (with appropriate safeguards). |
| Functional Software, Inc. (Sentry) | Application error tracking and diagnostics. | United States (with appropriate safeguards). |
| Hosting / infrastructure | Operating the servers that run the Service. | As specified by our hosting provider; we will update this Policy with specifics if you ask. |
OKX provides public market data that the Service consumes. We do not send your personal information to OKX. The Service does not connect to your exchange accounts.
6. International transfers
Some of our sub-processors are located outside the Republic of South Africa, the United Kingdom, and the European Economic Area. Where personal information is transferred internationally, we rely on lawful transfer mechanisms (such as the recipient being subject to laws providing a substantially similar level of protection, your consent where appropriate, or contractual safeguards including Standard Contractual Clauses).
7. How long we keep your data
- Account information — for as long as your account is active, and for up to 12 months after deletion or last activity, after which it is deleted or anonymised.
- Logs and technical data — typically up to 90 days, longer where required to investigate abuse or comply with a legal obligation.
- Error data (Sentry) — in line with Sentry’s default retention (typically 30 to 90 days).
- Records we are legally required to keep — for the period prescribed by the applicable law.
8. How we protect your data
We use industry-standard measures appropriate to the sensitivity of the data, including TLS encryption in transit, restricted access on a need-to-know basis, secure authentication via Google OAuth (we never see or store your Google password), and monitoring for unauthorised access. No system is perfectly secure; we cannot guarantee absolute security and you use the Service at your own risk.
If we become aware of a security compromise affecting your personal information, we will notify you and the relevant authority where required by law (including section 22 of POPIA).
9. Your rights
Subject to applicable law, you have the right to:
- Access the personal information we hold about you, and request a copy of it;
- Correct personal information that is inaccurate or out of date;
- Delete your account and the personal information associated with it;
- Object to, or request that we restrict, certain processing;
- Withdraw any consent you have given, without affecting the lawfulness of processing carried out before withdrawal;
- Port your information to another service, where applicable;
- Lodge a complaint with the Information Regulator of South Africa (inforegulator.org.za) or, if you are in the UK or EU, with your local supervisory authority.
To exercise any of these rights, email hello@hello-finn.com. We may need to verify your identity before acting on a request, and we will respond within the time required by applicable law.
10. Children
The Service is not directed to, and we do not knowingly collect personal information from, anyone under 18. If you believe a child has provided us with personal information, please contact us and we will delete it.
11. Automated decision-making
We do not use your personal information to make decisions that produce legal or similarly significant effects on you through automated means. Any market-related score or label produced by the Service is a generic analytical output, not a personal decision about you.
12. Changes to this Policy
We may update this Privacy Policy from time to time. The current version is always available at this URL with a “last updated” date. Material changes will be communicated by reasonable means.
13. Contact us
Cerberus Media (Pty) Ltd
Email: hello@hello-finn.com
© 2026 Cerberus Media (Pty) Ltd. All rights reserved.