Privacy Policy

FinnAccountings Pvt Ltd(“FinnAccountings”, “we”, “us”, or “our”), which operates the FinnAccountings brand and is registered under Laxmi Consultings Pvt Ltd, respects your privacy and is committed to protecting personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK GDPR, and the Data Protection Act 2018.

This Privacy Policy explains how we collect, use, store, share, and protect personal data when you visit our website, request a free trial, create an Account, or use the FinnAccountingsplatform (the “Service”).

By using the Service, you acknowledge that you have read this Privacy Policy. Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.

The data controller responsible for your personal data is:

• Operating company: FinnAccountings Pvt Ltd (trades as FinnAccountings)
• Registered under: Laxmi Consultings Pvt Ltd
• Email: privacy@finnaccounts.com
• Data Protection Officer: dpo@finnaccounts.com

If you are located in the UK, we may appoint a UK representative where required by UK GDPR. Contact details will be published on this page when appointed.

This policy applies to:

• Visitors to our website and marketing pages;
• Prospective customers who submit trial or contact forms;
• Account holders and authorised users of the Service;
• Employees and contractors of customer organisations whose data is processed in payroll features.

When you upload financial and business data to the Service, you are typically the data controller of that Customer Data and we act as a data processor on your instructions. A Data Processing Agreement (DPA) is available to business customers on request.

We may collect the following categories of personal data:

• Identity & contact — name, email address, phone number, business name, job title;
• Account credentials — login identifiers managed via our authentication provider (e.g. Google or Microsoft SSO);
• Business profile — business type, region (IE/GB), VAT number, company registration details;
• Financial data — bank transactions, invoices, receipts, payroll records, tax estimates, and related metadata you connect or upload;
• Communications — support messages, contact form submissions, and email correspondence;
• Usage & technical data — IP address, browser type, device identifiers, pages viewed, feature usage, logs, and cookies;
• AI interaction data — prompts, chat history, and AI outputs generated within the Service;
• Payment data — billing address and subscription status. Card details are processed directly by Stripe and are not stored on our servers.

• Directly from you — registration, forms, uploads, and in-app inputs;
• Open Banking partners — with your explicit consent via regulated aggregation services;
• Automatically — cookies, analytics, and server logs when you use the website or Service;
• Third parties — authentication providers, payment processors, and integration partners you authorise.

We use personal data to:

• Provide, operate, and maintain the Service;
• Process trial requests and respond to enquiries with next steps;
• Create and manage Accounts and authenticate users;
• Import and categorise transactions, generate reports, and power AI features;
• Process subscriptions and send billing communications;
• Send service notifications, security alerts, and product updates;
• Provide customer support and improve the Service;
• Detect fraud, abuse, and security incidents;
• Comply with legal obligations and respond to lawful requests;
• Send marketing communications where permitted (you may opt out at any time).

We process personal data on the following legal bases:

• Contract (Art. 6(1)(b)) — to perform our agreement with you and deliver the Service;
• Legitimate interests (Art. 6(1)(f)) — to improve the Service, ensure security, prevent fraud, and conduct limited analytics, balanced against your rights;
• Consent (Art. 6(1)(a)) — for optional marketing, non-essential cookies, and Open Banking connections;
• Legal obligation (Art. 6(1)(c)) — for tax, accounting, and regulatory record-keeping where applicable.

Where we process special category data (rare in our Service), we rely on explicit consent or another permitted basis under Art. 9 GDPR.

Our AI Features analyse Customer Data to categorise transactions, estimate tax, generate recommendations, and respond to chat queries. This involves automated processing but does not typically produce legal or similarly significant effects without human review.

AI processing may involve third-party model providers under strict data processing terms. Prompts and relevant context may be transmitted to these providers solely to generate responses for your Account.

We do not use your confidential Customer Data to train publicly available AI models without your explicit opt-in consent.

You have the right to request human review of significant automated decisions where applicable under GDPR Art. 22.

We share personal data only as necessary with:

• Infrastructure providers — AWS (hosting, storage, email);
• Authentication — Clerk (identity and SSO);
• Payments — Stripe (subscription billing);
• Open Banking — regulated account information service providers;
• AI providers — OpenAI, Anthropic, and related observability tools under DPAs;
• Analytics & monitoring — Datadog, OpenTelemetry-compatible services;
• Professional advisers — lawyers, accountants, and insurers under confidentiality;
• Authorities — where required by law or to protect rights and safety.

All processors are bound by written agreements requiring appropriate security and GDPR-compliant processing. We do not sell personal data.

Data may be processed in the European Economic Area (EEA), the United Kingdom, and the United States. Where personal data is transferred outside the EEA or UK to countries without an adequacy decision, we implement appropriate safeguards such as:

• Standard Contractual Clauses (SCCs) approved by the European Commission;
• The UK International Data Transfer Addendum where applicable;
• Supplementary measures including encryption and access controls.

You may request a copy of relevant transfer safeguards by contacting privacy@finnaccounts.com.

We retain personal data only as long as necessary for the purposes described:

• Account data — for the duration of your subscription plus up to 90 days to allow export;
• Trial & contact enquiries — up to 24 months unless you become a customer;
• Financial records — as directed by you or as required by tax and company law (typically 6–7 years for IE/GB business records);
• Logs & security data — typically 12 months;
• Marketing preferences — until you unsubscribe or object.

After retention periods expire, data is securely deleted or anonymised.

We implement technical and organisational measures including encryption in transit (TLS) and at rest, role-based access controls, multi-factor authentication for staff, audit logging, regular backups, vulnerability management, and SOC 2 readiness practices.

No method of transmission or storage is 100% secure. If we become aware of a personal data breach likely to pose a risk to your rights, we will notify you and the relevant supervisory authority as required by GDPR Arts. 33–34.

See our Security page for further detail.

We use cookies and similar technologies to:

• Strictly necessary — authentication, security, and session management (no consent required);
• Functional — remember preferences such as theme and locale;
• Analytics — understand usage patterns to improve the Service (consent where required);
• Marketing — measure campaign effectiveness (consent required).

You can manage cookies through your browser settings and, where provided, our cookie preference centre. Blocking strictly necessary cookies may affect Service functionality.

Under GDPR and UK GDPR, you have the following rights in relation to your personal data:

• Access — obtain a copy of personal data we hold about you;
• Rectification — correct inaccurate or incomplete data;
• Erasure — request deletion in certain circumstances;
• Restriction — limit processing in certain circumstances;
• Portability — receive data in a structured, machine-readable format;
• Objection — object to processing based on legitimate interests or for direct marketing;
• Withdraw consent — where processing is consent-based;
• Complaint — lodge a complaint with a supervisory authority.

Supervisory authorities include:

• Ireland: Data Protection Commission — dataprotection.ie
• United Kingdom: Information Commissioner's Office — ico.org.uk

To exercise your rights, email privacy@finnaccounts.com. We respond within one month, extendable by two months for complex requests.

The Service is not directed at individuals under 18. We do not knowingly collect personal data from children. If you believe we have collected data from a child, contact us and we will delete it promptly.

We may update this Privacy Policy to reflect changes in law, technology, or our practices. Material changes will be communicated by email or prominent in-app notice at least 30 days before they take effect. The “Last updated” date at the top indicates the latest revision.

For privacy-related questions, data subject requests, or DPA enquiries:

• Privacy: privacy@finnaccounts.com
• Data Protection Officer: dpo@finnaccounts.com
• Operating company: FinnAccountings Pvt Ltd
• Registered under: Laxmi Consultings Pvt Ltd
• Web: finnaccounts.com/contact