What this is
Fintech Lab is a free educational platform that teaches double-entry accounting and engineering patterns for fintech engineers. This policy explains what data we collect when you use the site, why, who else processes it on our behalf, how long we keep it, and what your rights are.
The platform is a global service. UK GDPR and the UK Data Protection Act 2018 apply by default to all users. If you use the platform from the European Economic Area, EU GDPR additionally applies; if you use it from another jurisdiction with stronger local data-protection rights, those rights apply too. We honour the rights granted by whichever framework gives you more protection.
What we collect directly from you
- Account data. Your email address, your display name, and (if you sign up with email + password) a salted password hash. We do not store your password in plain text.
- Learning data. Which lessons and incidents you have completed, the journal entries you have posted into your personal sandbox, your daily-drill attempts, and your activity streak. This data is yours and is deleted in full when you delete your account.
- Discussion comments. Anything you post in the comment thread on a lesson or incident page is stored in our database and shown to other signed-in users. Deletions are soft (your text is removed but the thread structure remains so replies don't orphan); a hard delete happens when you delete your account.
What we receive from third parties
- GitHub (if you sign in with GitHub). When you click "Continue with GitHub" we receive your primary verified email address, your display name, and your GitHub account ID. We store these to identify your account and to let you sign back in. We do not receive your repositories, organizations, or any other GitHub data. You can revoke our access at any time from your GitHub account settings.
What our subprocessors collect
We use a small number of operational services to run the platform. Each of them processes a narrow slice of data on our behalf.
- Hosting and database. Our application and Postgres database run on cloud infrastructure that holds the account, learning, and discussion data described above.
- Upstash (rate limiting). A short-lived counter keyed on your user ID and (where applicable) IP-derived identifier that prevents abusive request rates. Counters expire automatically within minutes.
- Transactional email provider. Sends you account verification and password-reset emails via SMTP. They receive your email address and the message body of those specific emails.
- Sentry (error monitoring). When a server or client error occurs, an error message and stack trace are sent to Sentry to help us debug. We strip identifiers from these reports before they leave our servers; Sentry sees the error, not the user.
- Google Analytics 4 (web analytics). If GA is enabled in your region, anonymised page views, referrer URLs, approximate geographic region, and device/browser type are recorded. IP addresses are anonymised on collection.
What we don't do
We do not sell your data, share it with advertisers, run third-party tracking pixels other than Google Analytics, or collect payment information. The platform is free to use and we have no commercial relationship with you.
Cookies and analytics consent
We set a session cookie when you sign in so you stay logged in between visits. Google Analytics only loads if you accepted the consent banner on your first visit; it sets its own cookies for analytics purposes when it loads. No advertising cookies are set, ever.
Data retention
We keep your account data, learning progress, and discussion comments for as long as your account is active. When you delete your account from the Account settings page, all of the above is removed permanently within 30 days (the window lets us recover from a misclick on your end and lets us complete in-flight backups). Anonymised analytics data has a separate retention policy set by Google Analytics (default 14 months).
Your rights
Under UK GDPR (and EU GDPR or other local laws where applicable), you can request access to your data, correction of inaccuracies, deletion, restriction of processing, portability (a JSON export of your sandbox and learning data is available from the Account page), and you can withdraw consent at any time. Most of these you can do yourself directly from the Account page. For anything else, contact hello@fintechlab.uncu.me. We respond within 30 days.
If you believe we have mishandled your data, you may complain to the Information Commissioner's Office (the UK supervisory authority) at ico.org.uk. If you are based in the EEA, your local data-protection authority is the right place to raise it.
International transfers
Our hosting infrastructure and subprocessors may process your data outside your country of residence. Where transfers happen we rely on the UK International Data Transfer Agreement (or the IDTA Addendum to the EU Standard Contractual Clauses) where the destination is outside the UK / EEA, and on any equivalent mechanism your local data-protection law requires.
Changes
We will update this policy if our data practices change. The "last updated" date at the top reflects the most recent revision. Material changes will be highlighted on the site for at least 14 days before they take effect.