Privacy Policy
Last updated April 14, 2026
FinalApproval ("we", "us") provides a human-in-the-loop approval service for software agents. This policy explains what we collect, why, and how long we keep it. If you have questions, email privacy@finalapproval.ai.
What we collect
- Account data. Email, name, hashed password, and organization membership. Used to authenticate you and associate activity with your account.
- Approval content. The HTML body, structured data, title, and resolution your agent submits to a channel. Stored so reviewers can make decisions and you can audit them later.
- Channel configuration. Channel name, description, webhook URL, and the cryptographic secret we use to sign deliveries back to your application.
- Operational metadata. Timestamps, IP address of the requesting host, request identifiers, webhook-delivery attempts and outcomes, and error logs — used to run the service and debug issues.
What we do not collect
- Payment card numbers — billing is handled by our payment processor; we see only the last four digits and the billing country.
- Browser fingerprints, advertising identifiers, or cross-site tracking cookies.
How we use it
We use the data above to run the service you asked for: authenticate sessions, route submitted approvals to the right reviewers, sign and deliver webhooks, enforce rate limits, detect abuse, and investigate incidents. We do not sell personal data. We do not use approval content to train machine-learning models.
How long we keep it
- Account data is kept for the lifetime of your account and for up to 30 days after deletion so we can recover from accidental deletions.
- Approval records are kept for the retention window configured on your plan (Hobby: 30 days; Team: 90 days; Enterprise: configurable).
- Operational logs are kept for 30 days.
Who we share it with
We use a small set of sub-processors to run the service: our infrastructure provider (Railway), our database host (managed PostgreSQL), our email provider (transactional only), and our payment processor. Each receives only the data strictly required for the service they perform. We do not share personal data with advertisers.
Your rights
You can access, export, correct, or delete your account data from the Account settings page, or by emailing us. We respond to verified requests within 30 days. If you are in the EU or UK, GDPR applies; if you are in California, CCPA applies; the same rights are available to all users regardless of jurisdiction.
Security
Passwords are hashed with a modern algorithm, webhooks are HMAC-SHA256 signed with a per-channel secret, API keys are stored as SHA-256 hashes, and all traffic is served over TLS. No system is perfectly secure; if you discover a vulnerability, email security@finalapproval.ai.
Changes to this policy
We will update this page when our practices change and, for material changes, notify active users by email at least 14 days in advance.