Legal Center

Privacy Policy of Finotor

We invite you to read carefully this Privacy Policy (“the Policy”), which contains important information on how we collect, use, and communicate certain of your Personal Data to meet your needs and also to improve the quality of services we offer. This Policy concerns all types of Personal Data, in any form (e.g., electronic, paper) and all types of processing, manual or automated. Its scope includes the Personal Data of our accounting partners, subcontractors, consultants, clients, users, prospects, and suppliers, and more generally of any third party whose Personal Data we process in the course of our activity. If you are a candidate, please read the privacy policy intended for recruitment.

Definitions The terms with capital letters used in this Policy and not defined below are defined in our General Terms and Conditions of Service and Use and Partnership Conditions of Use (“the General Terms”) available here.

Informed Consent means any freely given, specific, and informed indication of the Data Subject’s agreement to the processing of their Personal Data.

Sensitive Data or Special Categories of Data include Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic data, biometric data intended to uniquely identify a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Data Subject means an identified or identifiable natural person.

Processing (“to process” or “processing”) means any operation or set of operations performed on Personal Data, whether or not by automated means, including, without limitation, collection, recording, organization, storage, access, adaptation, modification, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Third Party means a third party or a business partner who, in the context of your current or potential use of the Solution, communicates Personal Data to us on your behalf or receives or accesses Personal Data on our behalf, for example, suppliers, subcontractors, and other service providers.

You, your, yours, or User refers to the natural person whose Personal Data is collected to be processed under the present terms, and having the status of Data Subject under the Current Legislation.

Article 1 – Who are we? 1.1. The Solution and the Website are provided by FINOTOR INNOVATION LIMITED (“we”, “our” or “us”),
FINOTOR INNOVATION LIMITED (or Finotor) is a Private Limited Company, registered in the Republic of Ireland with this CRO Number :745787
POD 2 – The Old Station House
15a Main Street
Blackrock – Co. DUBLIN, Ireland

1.2. You can contact our data protection officer at the following email address: [email protected].

Article 2 – How and why do we collect your Personal Data?

2.1. In the course of our activity, we collect Personal Data:

  • When you visit the Website;
  • When you contact us (for example, via contact forms available on the Website or provided during external events) to inquire about the Solution, among others, or when a Third Party puts us in contact with you so that we may contact you;
  • When we wish to contact you to provide information about the Solution and present our activity (including by email that may contain trackers, video conference, call, etc.);
  • When you create a Customer Account or User Account;
  • When you use the Solution (and Related Services), or more generally when your Personal Data is processed as part of the use of the Solution by a Client.

2.2. The Personal Data we collect are as follows:

  • When you are our prospect or a Client or a Partner: Identification data of your business contacts and/or legal representatives (name, first name, email address, possibly recorded image/voice during a demonstration of the Solution);
  • When you are a User of the Solution: identification data (name, first name, email address), economic and financial data if you are a self-employed entrepreneur (bank details, financial situation, tax situation, etc.), connection data (IP address, logs), profile picture;
  • When you are a Third Party, Data Subject whose Personal Data is processed by our Clients, Partners, and their Users through the Solution: Identification data (name, first name, email address).

2.3. Information provided by Third Parties. We may receive Personal Data from Third Parties that you have previously authorized to communicate these Personal Data to us, including your accountant, payment service providers, bank data aggregators, payroll providers, billing providers, cash register, document management providers, or other connectors connected to the Solution. We may also receive Personal Data from Third Parties that we have specifically mandated to collect your publicly available Personal Data.

2.3. Data Controller. When you visit the Website or when we make contact, for example, to inform you about the Solution, we act as the data controller of your Personal Data under Current Legislation, meaning we determine the means and purposes of the Processing. These purposes are detailed below. When you create a Customer Account or User Account and use your login credentials (login and password) to use the Solution, we act as the data controller.

2.4. Processor, Initial Processing. When your Personal Data is processed as part of the operation of the Solution and the provision of Related Services, the data controller is the Client or the Partner whose use of the Solution involves the processing of your Personal Data, and we act as a processor on behalf of this data controller (the Initial Processing). In this context, we only follow the instructions of the data controller, as collected in the Terms (Annex Personal Data Processing Agreement).

2.5. Data Controller, Subsequent Processing. In some cases also concerning your Personal Data processed in the context of the operation of the Solution and the provision of Related Services, we act as a data controller, for example, when we process data for the purposes of prevention and detection of fraud and malware, security incident management, creation of statistics, and improvement of the Solution (Subsequent Processing). This Subsequent Processing is compatible with the Initial Processing given (among others) the link that exists between these two processings (use and improvement of the Solution), the nature of the Personal Data involved (absence of Sensitive Data), the limited consequences of Subsequent Processing for the Data Subjects, and the existence of appropriate safeguards that we implement in the context of this processing.

2.6. Scope of Application. This Policy governs only the processings we perform as a data controller. The processings we perform as a processor are governed by the Data Processing Agreement annexed to the Terms.

Article 3 – Legality, fairness, and transparency of the processing of your Personal Data

3.1. Legal Basis. We only process Personal Data based on a legal foundation:

  • If necessary to perform a contract with the Data Subject or the initial data controller (for example, our subcontractors, Clients, Partners, suppliers);
  • If necessary to comply with a legal obligation or when we have a legitimate business need or a legitimate commercial reason to use Personal Data as part of our activities (for example, when we process data to better understand our clients and send them promotional offers).
  • When we have obtained the informed consent of the Data Subject or the data controller when expressly required by law or applicable policy. This may particularly be the case when none of the other legal grounds described above applies and to the extent permitted by applicable law. This is the case for Subsequent Processing for which the consent of the data controller is collected in the Terms.

3.2. Purposes of the Processings. The processings implemented by Finotor have the following purposes and legal bases:

The Personal Data will not be processed further in a way that is incompatible with these purposes.

3.3. Impact Assessments. Before collecting, using, storing, or disclosing Personal Data in a new system or as part of a new project, we carefully define the purposes of this processing and assess the privacy risks. Where the processing of Personal Data is likely to result in a high risk to the rights and freedoms of Data Subjects, we will carry out an impact assessment on privacy before its implementation and will refrain from processing if this analysis reveals an incompatibility with the principles of Current Legislation.

3.4. We do not make entirely automated decisions that have a legal effect or similarly significant impact on a data subject based on profiling that person, unless the applicable law, the execution of a contract, or the consent of the Data Subject requires or authorizes it, and if appropriate safeguards are in place to protect the rights of the Data Subject.

3.5. We use cookie technologies on the Website to enable us to evaluate and improve the functionality of the site and the Solution. We may also use cookies for advertising or analytical purposes, subject to your consent and according to your choice, using our cookie setting tool. For more information on how we use cookies, please consult our cookie policy below.

Article 4 – Respect for the principles of minimization and accuracy

4.1. We ensure that the Personal Data we collect is relevant, adequate, and not excessive in relation to the purpose of the processing and its possible use. This means that only necessary and relevant information for the sought purposes can be collected and processed.

Article 5 – Security and confidentiality measures

5.1. We protect the Personal Data collected, used, stored, and disclosed by respecting the necessary technical and organizational measures to ensure its security, integrity, and utmost confidentiality. Technical and organizational measures in accordance with industry standards are implemented to prevent any accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, or any other form of unlawful or unauthorized processing. We implement these measures from the early stages of the design of the processing operations, so as to protect privacy and data protection principles from the outset (“Privacy by design”). By default, we ensure that Personal Data is processed to ensure privacy protection (for example, by limiting their accessibility only to those who need to have access), so that Personal Data are not accessible to an undetermined or excessively large number of persons (“Privacy by default”).

5.2. We select service providers and partners offering sufficient guarantees to implement technical and organizational measures that are at least as protective.

5.3. We set up and maintain the necessary documentation to demonstrate compliance with all our obligations arising from Current Legislation.

5.4. Where Current Legislation provides, we notify the User and any Data Subject as well as the competent supervisory authority of any Personal Data breach within the legal deadlines required after becoming aware of it. We commit to implementing technical and organizational security measures to limit the impact of any Personal Data breach and ensure that they do not recur.

Article 6 – How long do we keep your Personal Data?

6.1. We retain Personal Data for as long as necessary for the purposes for which they were collected and processed, after which we archive them for the duration of the applicable retention period as defined in our retention policy. The purposes of this archiving and the corresponding retention periods are:

  • Compliance with legal, accounting, and tax retention obligations, i.e., 10 years;
  • Conservation of evidence during the applicable limitation periods, i.e., 5 years beyond the duration of the contract that binds us to our Client or Partner;
  • For commercial prospecting purposes, i.e., 3 years from the end of our business relationship with you or from our last contact with you;
  • For sending our newsletter, until you unsubscribe from our mailing list;
  • For the operation and provision of the Solution, i.e., during the duration of the User Account and Customer Account, plus 90 days;
  • For relationship marketing purposes, i.e., 3 years from the end of our business relationship or from our last contact with you;
  • For processing alerts in the case of our whistleblower system, i.e., one year after the closure of the alert;
  • For managing our client base (billing management, our relationship), i.e., during the duration of the contract that binds us with you;
  • For improving fraud prevention and detection, malware, and security incident management, i.e., during the duration of the contract that binds us with our Client or Partner, plus 5 years from the end of the Contract (except for data related to the financial situation of Data Subjects which are retained for the duration of the User Account plus 90 days);
  • For the creation of statistics and improvement of the Solution within the scope of Subsequent Processing defined above, i.e., during the duration of the contract that binds us with our Client or Partner, plus 5 years from the end of the Contract.

6.2. Any Third Party processing Personal Data on behalf of Finotor will only retain them for the time necessary for the purposes for which they were collected and processed and for other compatible purposes, which may include:

  • Participation in the applicable processing purpose of Finotor as set out above; or
  • The need to comply with a legal or regulatory requirement and the applicable laws on limitations;
  • Defense against legal or contractual actions (in this case, the Personal Data may be kept until the end of the corresponding limitation period or in accordance with applicable retention policies for litigation reasons).

6.3. All reasonable measures are taken to ensure that Personal Data are kept in a form sufficiently accurate and up-to-date at each stage of their processing.

6.4. We encourage Data Subjects to help us keep your Personal Data up to date by exercising your rights, in particular of access and rectification.

Article 7 – What are your rights as a Data Subject?

7.1. We are receptive to requests concerning your Personal Data and, in accordance with Current Legislation, we give you the possibility to access, correct, restrict, and erase your Personal Data. We also allow you to object to the processing of your Personal Data and exercise your right to data portability.

7.2. Right of access. We will provide access to all Personal Data related to a Data Subject in accordance with Current Legislation, the purposes of processing, categories of Personal Data processed, categories of recipients, data retention duration, rights to rectify, delete, or restrict the consulted Personal Data where applicable, etc.

7.3. Right to data portability. We may also provide a copy of all the Personal Data we hold in a compatible and structured format to enable the exercise of the right to data portability where relevant in relation to applicable law.

7.4. Right to rectification. Data Subjects may request us to correct, modify, erase any incomplete, outdated, or inaccurate Personal Data.

7.5. Right to erasure. Data Subjects may request the deletion of their Personal Data (i) if these Personal Data are no longer necessary for the purposes of data processing, (ii) the Data Subject has withdrawn their consent to processing based solely on this consent, (iii) the Data Subject has objected to processing, (iv) the processing of Personal Data is illegal, or (v) the Personal Data must be erased to comply with a legal obligation applicable to Finotor. The erasure of a user’s Personal Data may lead to major malfunctions of the Solution.

7.6. Right to restriction. Data Subjects may request the restriction of their Personal Data (i) in case of contestation of the accuracy of the Personal Data, allowing Finotor to verify this accuracy, (ii) if the Data Subject prefers to restrict the Personal Data rather than deleting them despite the fact that the processing is unlawful, (iii) if the Data Subject requires Finotor to retain the Personal Data because they are needed for the defense in the context of claims (iv) the Data Subject has objected to processing, but Finotor is conducting a verification to examine the legitimate grounds for such processing, which may override the rights of the Data Subject.

7.7. Right to withdraw consent: where the processing of Personal Data is based on the consent of the Data Subject, they may withdraw their consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

7.8. Right to object. The Data Subject may also express their opposition to the processing of their Personal Data at any time when their data is used for marketing purposes to send targeted advertising, or oppose the sharing of their Personal Data with Third Parties, or when processing is based on the legitimate interest of Finotor, unless the latter justifies legitimate grounds for processing that override the interests, rights, and freedoms of the Data Subject or for the establishment, exercise, or defense of legal claims.

7.9. Digital legacy. Data Subjects have the right to define directives (general or specific) regarding the use of their Personal Data after their death.

7.10. To exercise these rights, please use the contact details of the Data Protection Commission of Ireland :

Article 8 – Recipients of your Personal Data and cross-border transfers

8.1. Internal use. Your Personal Data may be processed by our employees and our subsidiaries, within the limit of their respective duties and exclusively in order to achieve the purposes set out in this Policy. In this case, our employees and our subsidiaries undertake to respect the confidentiality of Your Personal Data.

8.2. Personal Data is disclosed to Third Parties only to the extent that there is a legal justification for this sharing (e.g., the data subject has given their consent, disclosure is necessary to perform a contract, Finotor pursues a legitimate purpose that does not infringe on the fundamental rights of the data subject, including the right to privacy). The disclosure is made on a strictly limited “need to know” basis relative to the legal basis. If disclosure is necessary to comply with a legal obligation (for example, to a government agency or a police/security service) or in the context of a judicial procedure, Personal Data can generally be provided as long as the disclosure is limited to what is legally required and, if allowed by law, the Data Subject has been informed of the situation.

8.3. Subcontractors. We rely on industry-leading service providers for server management, hosting, and infrastructure (Amazon Web Services). The servers used by these providers are located in Dublin, Ireland. These hosting services offer industry-leading scalability, data availability, security, and performance, with a documented business continuity plan. For the purposes set out in this Policy, we also use the services provided by several companies specializing in customer relationship management (e.g., Salesforce, Ringover, Modjo, Calendly, Europhone), email campaigns (e.g., Hubspot, Outreach), database management (Metabase, Amplitude, Segment, Stitch), internal communication and documentation tools (e.g., Google, Notion, Slack), product improvement tools (e.g., Maze, Screeb), application performance monitoring and analysis tools (e.g., Datadog, Sentry) (non-exhaustive list).

8.4. Cross-border transfer. To ensure the processing purposes described in this Policy, Finotor may use providers located outside the European Union. If the transfer takes place to a third country where legislation has not been recognized as offering an adequate level of protection for Personal Data, Finotor ensures that adequate measures are put in place in accordance with Current Legislation, and in particular, where necessary, that standard contractual clauses or equivalent ad hoc clauses are included in the contract concluded between Finotor and the subsequent processor.

8.5. Finally, Finotor may be required to communicate Personal Data in the context of judicial requisitions to the competent administrative and judicial authorities.

8.6. Hyperlinks. The Solution and the Website may contain hyperlinks to Third Party websites (including social networks and partner merchants). Please note that if you follow these links, the websites and services provided will be governed by their own terms of use and privacy policies. We cannot be held responsible for the non-compliance of their terms of use and privacy policies with Current Legislation. We advise you to read the privacy policies and terms of use applicable to these websites before providing your Personal Data and using these websites.

Article 9 – How do we handle complaints?

9.1. Finotor is committed to resolving legitimate privacy concerns of Data Subjects. We review all complaints related to a potential or actual breach of this Policy or Current Legislation brought to our attention and will take all reasonable steps to mitigate their impact.

9.2. If a Data Subject files a complaint regarding the processing of their Personal Data or that of another person and the complaint is not resolved satisfactorily, Finotor will cooperate with the appropriate data protection supervisory authorities and comply with the advice of these authorities to resolve any outstanding complaint. If Finotor or the data protection supervisory authorities determine that Finotor or one or more of its employees have not complied with this Policy, Finotor will take appropriate measures to remedy the effects of this non-compliance and promote future compliance.

Article 10 – Application and modification of this Policy

10.1. Finotor may modify, supplement, or update this Policy to reflect any legal, regulatory, jurisprudential, and/or technical developments. In the event of significant changes to the terms of this Policy (i.e., related to legal bases, purposes of processing, or the exercise of rights), Finotor commits to informing its Clients by any written means at least thirty (30) days before their effective date. Any access and use of the Solution beyond this period will be subject to the terms of the new Policy. Any Data Subject whose Personal Data is subject to this Policy acknowledges that the only version of the Policy that is authoritative is the one found online.