Privacy Policy — FinFlo Junior

1. Who this policy is for
FinFlo Junior is designed for children to use with the supervision and consent of a parent or legal guardian. A child can only sign in to FinFlo Junior if their parent has explicitly created an account for them inside the parent's own FinFlo app. There is no self-signup path for children in this product.

This policy describes what data we collect from the child account and how it is used. The parent's data is governed by the main FinFlo Privacy Policy at https://finflo.net/policies/privacy.

2. What we collect from the child
When a parent creates a child account, they provide the following on the child's behalf:

Display name (e.g. "Lily")
Username (chosen or auto-generated; used to sign in)
PIN (stored only as a bcrypt hash; we never store the raw PIN)
Birth date (optional — used only for age-appropriate UI presentation)
Avatar / nickname (optional)

We do not collect from the child:

Phone number, email address, home address, or national ID
Real-time location, IP-based geolocation, or precise GPS
Contacts, photos, or files (except a chore-proof photo the child explicitly chooses to attach)
Health, biometric, or sensitive personal data
Advertising identifiers (IDFA, AAID) — FinFlo Junior contains no adverts

The child's wallet activity is collected as a normal part of operating a payment account — see §3.

3. What we collect from device + use
Device identifier for push notifications (Firebase Cloud Messaging token). Used solely to deliver in-app alerts (allowance arrived, chore paid, spend approved, etc.). Rotated by the operating system; cleared on uninstall.
App version, OS version, and device model — sent on each API request so we can debug issues and enforce minimum-version policies. Not used to build a marketing profile.
Crash logs — collected only if the device sends them via the OS-level reporter that you can disable in iOS / Android settings.
Wallet transactions — every spend, allowance, chore reward and savings movement is recorded against the child's wallet (this is a financial-product necessity).

4. Camera + photos
Camera is used only inside the spend wizard to scan a FinFlo agent or merchant QR code. Frames are processed entirely on-device by Apple Vision (iOS) or Android's native barcode reader and discarded immediately. No camera frames leave the phone.
Photo proof for chores is optional. If the child attaches a photo to a chore claim, that image is uploaded to the parent's view inside the FinFlo parent app and stored on FinFlo's encrypted storage. The parent can delete the photo at any time by deleting the chore.

5. SOS button
The SOS button on the child's login screen, when tapped:

Sends a push notification to the child's own parent identifying the child by their username
Sends a WhatsApp message to the parent's phone number
Sends an email to the parent's email address
Opens the device dialer with the parent's number pre-filled

The SOS button is rate-limited (one alert per minute per username, one per 30 seconds per IP) to prevent abuse. SOS triggers are written to an audit log retained for the lifetime of the parent's account.

6. Notifications to the parent
For every child wallet event we surface the following data to the child's parent through push notification, email, and the in-app activity feed:

Amount and currency
Counterparty (agent business name / merchant business name / parent)
Reason and / or transaction note
Date and time
Decision (auto-approved, parent-approved, declined)

This visibility is the core safety feature of the product. We do not share any child data with anyone other than the verified parent account that created the child.

7. Who else sees the data
No third-party advertising networks. Ever.
No data brokers.
Service providers we use:
Google Firebase (Cloud Messaging) — push notification delivery only
SendGrid or SMTP relay — email delivery only
WhatsApp Business API provider — outbound SOS / approval messages only
Cloud-infrastructure host — encrypted storage and compute
Each of these processes only the minimum payload required for its single function (e.g. an FCM token + the notification body, not the full transaction history).
Law enforcement — we comply with lawful Uganda Communications Commission, Bank of Uganda, and court orders, narrowly tailored.

8. How long we keep data
Active account data: retained while the parent's account is active.
Financial transaction records: retained for seven years after the parent closes the child account, per Ugandan financial-services record-keeping requirements.
Push tokens, device identifiers, FCM logs: rotated continuously; retained at most 30 days.
Audit logs (SOS events, parent approvals, PIN failures): retained three years.
Photo proofs for chores: deletable on demand by the parent; otherwise retained for the lifetime of the chore record.

9. Parent + child rights
The parent, acting on the child's behalf, can at any time from within the FinFlo parent app:

Access every piece of data held about the child (wallet, transactions, approvals, chores, goals).
Correct the child's display name, birth date, avatar, or PIN.
Restrict the child wallet (freeze, set caps, block categories).
Delete the child account. Deletion soft-deletes the user row and freezes the wallet pending manual balance return; financial-record retention (§8) still applies to historical transactions.
Export the child's transaction history as a CSV from the activity view.
Withdraw consent for FinFlo Junior at any time by deleting the child account.

If you believe we are mishandling your child's data, email privacy@finflo.net. We respond within 7 working days. You may also complain to the Personal Data Protection Office of Uganda (https://pdpo.go.ug).

10. Children's privacy laws
FinFlo Junior is operated in compliance with:

The Data Protection and Privacy Act, 2019 (Uganda) and its 2021 Regulations.
COPPA (US Children's Online Privacy Protection Act) principles — even though we do not target the US market, we treat verifiable parental consent as mandatory and we never use children's data for marketing.
Google Play Families Policy and Apple App Store Kids Category guidelines — no behavioural ads, no in-app purchases visible to children, no third-party SDKs that profile children.

11. Security
All traffic between the child's app and FinFlo is encrypted with TLS 1.2+.
PINs are stored as bcrypt hashes; raw PINs are never logged.
Every parent-side state-changing action (approve spend, send allowance, reset child PIN, remove child) requires the parent to re-enter their PIN inside the app — verified server-side, with a 5-strike lockout.
A child's session token expires automatically. After expiry, the child must re-enter their PIN; the username is remembered on-device.

12. International transfers
Data is processed and stored in data centres operated by FinFlo's cloud provider within East Africa and the European Union, with appropriate contractual safeguards in place for any inter-region transfer (Standard Contractual Clauses or equivalent).

13. Changes to this policy
If we make a material change we will:

Post the new policy at https://finflo.net/policies/privacy-junior with a fresh "Last updated" date.
Send a push notification to every parent who currently has at least one child account, summarising the change.
Show an in-app banner that must be acknowledged before the parent can approve any further spends.

14. Contact
Email: privacy@finflo.net
Post: FinFlo Privacy Officer, Kampala, Uganda
In-app: open the FinFlo parent app → Settings → Help & Support