Privacy Policy

1. Introduction

This Privacy Policy describes how Biz Analytics Systems LLC, a Connecticut limited liability company doing business as finsay.ai ("finsay," "we," "our," or "us"), collects, uses, discloses, and safeguards your information when you visit our websites (finsay.ai, ailearn101.com), create an account, or use our AI-powered learning platform built for financial advisors, registered investment advisors, and similar professionals (collectively, the "Service").

The Service is currently offered to users in the United States and Canada only. We do not target the European Union, the United Kingdom, or any other jurisdiction outside North America. If you access the Service from outside the United States or Canada, you do so at your own risk and on your own initiative.

By creating an account or otherwise using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this Policy, please do not use the Service.

2. Information We Collect

a. Information you provide directly

• Account identifiers: name, email address, password (hashed), authentication tokens
• Professional information: firm name, role, certifications (e.g., CFP, IAR), industry focus
• Billing information: name, billing address, payment instrument details (processed and stored by Stripe — we never see full card numbers)
• Communications: support requests, feedback, survey responses
• Learning preferences: skill assessments, primary focus area, content preferences

b. Information collected automatically

• Device and browser data: user agent, operating system, screen resolution, language
• Network data: IP address, approximate geolocation derived from IP (city/region level)
• Usage data: pages viewed, lessons completed, features used, session timestamps, click events
• Cookies and similar technologies (see Section 9)

c. AI interaction data

When you use AI-powered features such as Aria, the prompt builder, or end-of-lesson reflections, we collect the prompts you submit and the responses generated. Important: these features are educational. You are responsible for ensuring that you do not submit client-identifying personal information (names, Social Security numbers, account numbers, etc.) in your prompts. The Service displays a persistent banner and a real-time warning to remind you of this; however, the obligation not to submit client PII rests with you.

d. Information we do NOT knowingly collect

• Social Security numbers or government identifiers (the Service does not request these)
• Health information (HIPAA-protected data)
• Information from individuals under the age of 18
• End-client (i.e., your firm's clients') personal information — the Service is for advisor education and is not designed to store or process client records

3. How We Use Your Information

We use the information described above for the following purposes (and the corresponding lawful basis under applicable U.S. and Canadian privacy law, where required):

• Provide the Service — authenticate you, deliver lessons, generate AI responses, sync progress
• Process payments — invoice you, manage subscriptions, prevent fraud (via Stripe)
• Customer support — respond to your questions, troubleshoot issues
• Service improvement — measure feature engagement, identify bugs, improve curriculum (always on aggregated or anonymized data where feasible)
• Communications — send service announcements, security alerts, billing notices, and (with separate opt-in) product newsletters
• Legal and security — comply with legal obligations, enforce our Terms, protect our rights and the safety of users, detect and prevent unauthorized access

We do not use your AI prompts or responses to train large language models. Prompts you submit to Aria and other AI features are processed by Google's Vertex AI / Gemini API under contractual terms that prohibit the use of customer data to train Google's foundation models. We also do not sell or rent your personal information to third parties for monetary consideration.

4. How We Share Information (Subprocessors)

We share personal information only with the following categories of recipients, under written agreements that bind them to use your data only as instructed by us:

We may also disclose information when (a) required by law, court order, or government request, (b) necessary to enforce our Terms or protect our rights, property, or the safety of others, or (c) in connection with a merger, acquisition, or sale of substantially all of our assets, in which case we will provide notice on this page and (where required by law) notify you by email.

The list above is current as of the "last updated" date. We will update this list before adding any new subprocessor that has material access to your personal information.

5. How Long We Keep Your Information

We retain personal information for as long as your account is active and as needed to provide the Service. After you close your account or request deletion, we will delete or anonymize your personal information within thirty (30) days, except that we may retain:

• Billing records for the period required by tax law (typically 7 years in the U.S.)
• Information necessary to comply with legal obligations, resolve disputes, or enforce our agreements
• De-identified, aggregated data that cannot reasonably be used to identify you
• Backups for up to ninety (90) days, after which they are overwritten

For the avoidance of doubt, we may retain billing records — including aggregate fees paid by your firm and the periods to which they relate — for the period required by tax law and to enforce the limitation of liability provisions of any applicable agreement, even after personal information associated with your individual account has been deleted.

AI prompts and responses are retained on your account for your own review and progress tracking. You can delete individual conversations at any time from the Service.

6. Data Security

We use industry-standard administrative, technical, and physical safeguards to protect your information, including:

• Encryption in transit (TLS 1.2+) and at rest (AES-256)
• Single-tenant logical data isolation per user account
• Multi-factor authentication available for all accounts
• Least-privilege access controls and audit logging for our internal systems
• Vendor security review before onboarding any subprocessor

Breach notification. If we become aware of a security incident that compromises the confidentiality, integrity, or availability of your personal information, we will notify affected users without undue delay and in any event within seventy-two (72) hours of confirming the incident, by email and via in-app notice. Where required by law, we will also notify the appropriate state attorney general or regulatory body.

No system is perfectly secure. While we work hard to protect your information, we cannot guarantee absolute security and you use the Service at your own risk.

7. Your U.S. State Privacy Rights

Depending on the U.S. state in which you reside, you may have one or more of the following rights with respect to your personal information. We extend these rights to all U.S. residents regardless of whether the law applies to us in their state, as a matter of policy.

• Right to know / access — request a copy of the personal information we hold about you
• Right to correction — request that we correct inaccurate information
• Right to deletion — request that we delete your personal information (subject to limited exceptions described in Section 5)
• Right to portability — receive your data in a portable, machine-readable format
• Right to opt out of sale or sharing for cross-context behavioral advertising — see Section 8
• Right to opt out of profiling — we do not engage in automated decision-making that produces legal or similarly significant effects about you
• Right to non-discrimination — we will not deny service, charge a different price, or provide a different level of quality because you exercised a privacy right

These rights are recognized by the comprehensive privacy laws of, among others, California (CCPA/CPRA), Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MTCDPA), Iowa (ICDPA), Nebraska (NDPA), New Hampshire (NHDPA), New Jersey (NJDPA), Delaware (DPDPA), Tennessee (TIPA), Minnesota (MCDPA), Maryland (MODPA), Indiana (ICDPA), Kentucky (KCDPA), Rhode Island (RIDTPPA), and Florida (FDBR). Some of these laws apply only to controllers above specified revenue or data-volume thresholds; we extend the substantive rights described above to all U.S. residents as a matter of policy regardless of whether the underlying statute applies to us.

How to exercise your rights: Send an email to privacy@bizanalyticsystems.com with the subject line "Privacy Rights Request," describe the right you wish to exercise, and include the email address associated with your account so we can verify your identity. We will respond within forty-five (45) days; if we need more time, we will let you know within that period and may extend by another forty-five days as permitted by law.

Authorized agents. You may use an authorized agent to submit a request on your behalf. The agent must provide proof of your written authorization (such as a signed power of attorney or a signed letter), and we may still ask you to verify your identity directly and confirm to us that you have authorized the agent to make the request.

c. Appeals

If we deny your request in whole or in part, you may appeal that decision by replying to our denial email or by sending a new email to privacy@bizanalyticsystems.com with the subject line "Privacy Rights Appeal." We will review the appeal and respond in writing within forty-five (45) days, including, if we maintain the denial, a written explanation of our reasons. If your appeal is denied, you may contact your state attorney general or applicable regulator to submit a complaint.

d. Sensitive personal information

We do not knowingly collect, use, or disclose sensitive personal information as defined under California, Colorado, Connecticut, Virginia, Texas, Oregon, Maryland, or any other applicable state law. The Service does not request, and you should not submit, Social Security numbers, government identifiers, financial-account numbers, precise geolocation, racial or ethnic origin, religious beliefs, sexual orientation, citizenship status, biometric or genetic data, mental or physical health information, or information about end-clients of your firm. If you believe sensitive personal information has been submitted in error, please contact us at privacy@bizanalyticsystems.com and we will delete it.

For clarity, payment-card information is processed by Stripe, Inc., a PCI-DSS-compliant payment processor, on finsay's behalf; finsay does not directly collect, store, or have access to full payment card numbers, security codes (CVV), or other credentials that would constitute sensitive personal information under applicable U.S. state privacy law. finsay receives only a tokenized reference and limited descriptive data (last four digits, expiration month/year, card brand) needed for billing administration.

9. Cookies and Similar Technologies

We use cookies and similar technologies (collectively, "cookies") for the following categories of purposes:

• Strictly necessary — authentication, session management, security. Cannot be disabled.
• Functional — remember your preferences (e.g., dark mode, language). Disabling may degrade your experience.
• Analytics — measure feature usage and improve the product. Disabled by default until you accept the cookie banner.

You can control cookies via the cookie banner that appears on your first visit, via the "Cookie preferences" link in the footer, or via your browser settings. Disabling strictly necessary cookies will prevent the Service from functioning.

10. Canadian Residents

We comply with the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws (including Quebec Law 25, Alberta PIPA, and British Columbia PIPA). As a Canadian resident, you have the right to access, correct, and request deletion of your personal information and to withdraw consent. To exercise these rights, contact privacy@bizanalyticsystems.com.

Cross-border transfers. Personal information of Canadian residents is transferred to and processed in the United States. By using the Service from Canada, you acknowledge this transfer. We use written agreements and (where applicable) standard contractual measures with our subprocessors to maintain a comparable level of protection.

Marketing emails (CASL). We send commercial electronic messages only to recipients who have given express or implied consent under the Canadian Anti-Spam Legislation (CASL). You may unsubscribe at any time using the link in any commercial email.

11. Children's Privacy

The Service is intended for adult financial professionals and is not directed to anyone under the age of eighteen (18). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us immediately at privacy@bizanalyticsystems.com and we will delete it.

12. International Users

The Service is hosted in the United States. We do not target or solicit users outside the United States and Canada. If you access the Service from any other country, you do so on your own initiative and are responsible for compliance with local laws. Your information will be processed in the United States and will be subject to U.S. law, which may not provide the same level of data protection as the laws of your country.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email and by posting a prominent notice on the Service at least thirty (30) days before the change takes effect (unless a shorter period is required by law). Non-material changes (such as clarifications or corrections of typos) will be reflected by updating the "last updated" date above.

14. Contact Us

For privacy questions, requests, or complaints, contact us at:

If we are unable to resolve your concern, you may also lodge a complaint with your state attorney general (in the United States) or the Office of the Privacy Commissioner of Canada.