Privacy Notice

This Privacy Notice explains how Finchoro OÜ (“Finchoro”, “we”, “us”, or “our”) collects and processes personal data when you visit or use the website available at https://finchoro.com and any related subdomains (the “Website”), and when you use any web-based or API-based applications, dashboards, portals or tools made available through the Website (collectively, the “Service”).

We process personal data in accordance with applicable EU and Estonian data protection laws, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”).

This Privacy Notice forms an integral part of our Terms of Service. Capitalised terms not defined in this Privacy Notice have the meaning given to them in the Terms of Service.

001 – Data Controller and Contact Details

The data controller under this Privacy Notice is:

Finchoro OÜ

• Registry code: 17382218
• Registered office: Harju maakond, Tallinn, Kesklinna linnaosa, F. R. Faehlmanni tn 5, 10125, Estonia
• Email: privacy@finchoro.com or the contact email published on the Website.

If you have any questions about this Privacy Notice or our data protection practices, or if you wish to exercise your rights, you may contact us using the contact details published on the Website.

002 – Scope and Who This Notice Applies To

This Privacy Notice applies to:

• visitors to the publicly available parts of the Website;
• representatives, employees, contractors, and other contact persons of our existing or prospective business clients, suppliers, and partners who interact with us via the Website or the Service; and
• users of any non-public parts of the Service (including the Application) who access such areas using a Client ID or other credentials issued by us.

Our Website and Service are intended exclusively for business users. We do not knowingly target or provide services to consumers as defined under applicable EU and Estonian law, and we do not knowingly collect personal data from children under 18 years of age.

003 – Categories of Personal Data We Process

The personal data we process depends on how you interact with us and the Service. We may process the following categories of personal data:

3.1 Data You Provide to Us

• Contact and identification data: name, job title, role, organisation, business email address, business phone number, country, and other contact details you provide.
• Account and authentication data (for contracted clients and authorised users): username, password, API keys, Client ID, and related access credentials.
• Communication data: content of emails, messages sent via contact forms, support requests, feedback, and other communications with us.
• Contract and billing data (for contracted clients’ representatives): information relating to the conclusion and performance of contracts, such as signatory details, billing contact details, and related correspondence.

3.2 Data Collected Automatically

When you access or use the Website or Service, we may automatically collect:

• Technical data: IP address, browser type and version, device type, operating system, language settings, time zone, and other technical identifiers.
• Usage data: pages visited, features used, access times and dates, referring URLs, clickstream data, and interaction logs with the Website or Service.
• Log data: system logs, security logs, and audit trails relating to access, authentication, and use of the Service.

3.3 Data from Third Parties

We may receive personal data about you from:

• your employer or the organisation you represent (e.g. when you are designated as a contact person or authorised user);
• our service providers and partners (e.g. hosting, analytics, communication, or integration providers);
• publicly available sources (e.g. company websites, professional networking sites, public registers) where permitted by law.

004 – Purposes and Legal Bases for Processing

We process personal data only where we have a valid legal basis under the GDPR. Depending on the context, we may process your personal data for the following purposes and on the following legal bases:

4.1 Operation of the Website and Service

• To provide, operate, maintain, and secure the Website and Service, including enabling you to browse the Website and access available features.
• To create and manage user accounts, Client IDs, and access credentials for authorised users of the Service.
• To monitor and ensure the proper functioning, performance, and security of the Website and Service.

Data types: Contact and identification data; Account and authentication data; Communication data; Contract and billing data (where relevant); Technical data; Usage data; Log data.

Legal bases:

• Performance of a contract or taking steps at your request prior to entering into a contract (Article 6(1)(b) GDPR);
• Our legitimate interests in operating, securing, and improving the Website and Service (Article 6(1)(f) GDPR).

4.2 Communication and Relationship Management

• To respond to your enquiries, requests for information, or support tickets submitted via the Website, email, or other channels.
• To manage our relationship with existing and prospective business clients, suppliers, and partners, including sending service-related communications.
• To organise and participate in meetings, calls, and other interactions with you or the organisation you represent.

Data types: Contact and identification data; Communication data; Contract and billing data (where relevant).

Legal bases:

• Performance of a contract or taking steps at your request prior to entering into a contract (Article 6(1)(b) GDPR);
• Our legitimate interests in communicating with business contacts and managing business relationships (Article 6(1)(f) GDPR).

4.3 Compliance, Security, and Risk Management

• To comply with applicable legal obligations, including those relating to accounting, tax, sanctions, export control, anti-money laundering and counter-terrorist financing (AML/CFT), and other regulatory requirements.
• To prevent, detect, and investigate fraud, abuse, security incidents, and other unlawful or unauthorised activities.
• To enforce our Terms of Service and other applicable agreements, and to protect our rights, property, and the rights and safety of our users and third parties.

Data types: Contact and identification data; Account and authentication data; Technical data; Usage data; Log data; Contract and billing data.

Legal bases:

• Compliance with legal obligations (Article 6(1)(c) GDPR);
• Our legitimate interests in ensuring compliance, security, and risk management (Article 6(1)(f) GDPR).

4.4 Analytics and Service Improvement

• To analyse usage of the Website and Service, including generating aggregated or anonymised statistics, in order to understand how they are used and to improve their content, functionality, and user experience.
• To develop and test new features, tools, and services.

Data types: Technical data; Usage data; Log data; Communication data (e.g. feedback).

Legal bases:

• Our legitimate interests in analysing and improving our Website and Service (Article 6(1)(f) GDPR);
• Where required by law for certain cookies or similar technologies, your consent (Article 6(1)(a) GDPR).

4.5 Marketing and Business Development

• To send you information about our services, events, or updates that may be relevant to you in your professional capacity, where permitted by applicable law.
• To manage subscriptions to our newsletters or similar communications, where offered.

Data types: Contact and identification data; Communication data; Technical data; Usage data.

Legal bases:

• Our legitimate interests in promoting and developing our business (Article 6(1)(f) GDPR);
• Your consent where required by applicable law (Article 6(1)(a) GDPR).

You may opt out of marketing communications at any time by following the unsubscribe instructions in the communication or by contacting us.

005 - Cookies and Similar Technologies

We may use cookies and similar technologies (such as pixels, tags, or local storage) on the Website and Service to:

• enable essential functionality and security;
• remember your preferences and settings;
• perform analytics and usage measurement; and
• support, where applicable, limited marketing or business development activities.

Where required by applicable law, we will obtain your consent before placing non-essential cookies or similar technologies on your device. You can manage your cookie preferences through your browser settings and, where implemented, through a cookie banner or preference centre on the Website. Disabling certain cookies may affect the functionality or performance of the Website or Service.

Further details about the specific cookies used (if any) may be provided in a separate cookie notice or within the cookie banner.

006 – How We Share Personal Data

We do not sell your personal data. We may share your personal data with the following categories of recipients, strictly on a need-to-know basis and subject to appropriate safeguards:

6.1 Service Providers (Processors)

We may engage third-party service providers to process personal data on our behalf and under our instructions, for example:

• cloud hosting and infrastructure providers;
• IT, security, and maintenance providers;
• analytics and monitoring providers;
• communication and collaboration tools;
• professional advisers (e.g. legal, accounting, consulting) acting as processors where applicable.

These service providers are bound by contractual obligations to process personal data only in accordance with our instructions and to implement appropriate technical and organisational measures to protect the data.

6.2 Business Partners and Third-Party Services

To the extent necessary for the operation of the Service or the performance of a SaaS Agreement or other contract, we may share personal data with:

• integration partners and Third-Party Service providers (e.g. open banking providers, data aggregators, card schemes, payment or messaging infrastructure providers), where such sharing is necessary for the relevant integration or service;
• other business partners involved in the provision of services to you or the organisation you represent.

In such cases, these third parties may act as independent controllers or joint controllers, and their own privacy notices and terms may apply. We recommend that you review the applicable terms and privacy policies of any Third-Party Services you use.

6.3 Group Companies and Corporate Transactions

We may share personal data with our affiliates (if any) for internal administrative purposes, service provision, or business management, in accordance with applicable law.

In the event of a merger, acquisition, corporate reorganisation, sale of assets, or similar transaction, personal data may be transferred to the relevant acquiring or successor entity, subject to appropriate safeguards and, where required, notice to you.

6.4 Legal and Regulatory Disclosures

We may disclose personal data where required to do so by law or by a competent authority, or where we reasonably believe such disclosure is necessary to:

• comply with applicable laws, regulations, or legal processes;
• respond to lawful requests from public authorities;
• protect our rights, property, or safety, or those of our users or third parties;
• detect, prevent, or otherwise address fraud, security, or technical issues.

007 – International Transfers of Personal Data

We are based in Estonia, and your personal data may be processed in the European Economic Area (“EEA”). However, some of our service providers, partners, or group companies may be located outside the EEA, or may process personal data in countries outside the EEA.

Where we transfer personal data to a country that is not subject to an adequacy decision by the European Commission, we will ensure that appropriate safeguards are in place, such as:

• entering into standard contractual clauses approved by the European Commission; and/or
• implementing additional technical and organisational measures to protect the data.

You may contact us for more information about the safeguards we use for international data transfers and, where applicable, to obtain a copy of the relevant contractual protections (subject to redactions for confidentiality).

008 – Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable laws and regulations.

Retention periods may vary depending on the type of data and the context of processing, for example:

Website and Service usage data: retained for a period necessary for security, analytics, and service improvement, typically not longer than [12–24] months in identifiable form, unless a longer period is required for security or legal reasons.

Account and authentication data: retained for the duration of your account or the relevant contract, and for a reasonable period thereafter to manage deactivation, disputes, or legal claims.

Contract and billing data: retained for the duration of the contractual relationship and for the period required by applicable accounting, tax, and statutory limitation rules.

Communication data: retained for as long as necessary to handle your request and for a reasonable period thereafter for record-keeping and to manage potential disputes.

When personal data is no longer needed for the purposes for which it was collected and no longer required by law, we will delete it or anonymise it so that it can no longer be associated with an identified or identifiable individual.

009 – Your Rights as a Data Subject

Subject to the conditions and limitations set out in the GDPR and other applicable laws, you have the following rights in relation to your personal data:

• Right of access: to obtain confirmation as to whether we process your personal data and, if so, to receive a copy of such data and certain related information.
• Right to rectification: to request the correction of inaccurate personal data and the completion of incomplete data.
• Right to erasure (“right to be forgotten”): to request the deletion of your personal data in certain circumstances, for example where the data is no longer necessary for the purposes for which it was collected or where you withdraw consent (where consent is the legal basis).
• Right to restriction of processing: to request that we restrict the processing of your personal data in certain circumstances, for example while we verify the accuracy of the data or assess an objection.
• Right to data portability: to receive your personal data that you have provided to us in a structured, commonly used, and machine-readable format, and to transmit it to another controller where technically feasible and where the processing is based on consent or contract and carried out by automated means.
• Right to object: to object, on grounds relating to your particular situation, to processing based on our legitimate interests, in which case we will stop such processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms or the processing is necessary for the establishment, exercise, or defence of legal claims; to object at any time to the processing of your personal data for direct marketing purposes, in which case we will stop such processing.
• Right to withdraw consent: where processing is based on your consent, you may withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

To exercise any of these rights, please contact us using the contact details published on the Website or via email support@finchoro.com. We may need to verify your identity before responding to your request. We will respond within the time limits set by applicable law.

010 – Complaints

If you believe that our processing of your personal data infringes applicable data protection laws, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.

In Estonia, the competent supervisory authority is:

Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Website: https://www.aki.ee 

We encourage you to contact us first so that we can try to resolve your concerns amicably.

011 – Security of Personal Data

We implement appropriate technical and organisational measures to protect personal data and other information processed via the Service against unauthorised access, loss, alteration, or destruction, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing.

While we strive to protect your personal data, no system or transmission over the internet can be guaranteed to be completely secure. You are responsible for keeping your Credentials (such as passwords and API keys) confidential and for following any security instructions we provide.

012 – Data Relating to Others

If you provide us with personal data relating to other individuals (for example, your colleagues or other representatives of your organisation), you are responsible for ensuring that such disclosure is lawful and, where required, that you have informed the individuals concerned about the processing of their personal data in accordance with this Privacy Notice.

013 – Changes to This Privacy Notice

We may update this Privacy Notice from time to time, for example to reflect changes in our processing activities, legal requirements, or business practices. When we make material changes, we will update the “Last updated” date at the top of this Privacy Notice and may provide additional notice (e.g. via the Website or by email to contracted clients).

Your continued use of the Website or Service after the updated Privacy Notice has been published constitutes your acknowledgement of the revised Notice. If you do not agree to the changes, you should stop using the Website and Service.

014 – Contacting Us

If you have any questions, requests, or complaints regarding this Privacy Notice or our processing of personal data, or if you wish to exercise any of your rights, you may contact us using the contact details published on the Website (including our general contact email address and, where applicable, postal address and contact form) or via email support@finchoro.com.

When contacting us, please provide sufficient information to enable us to identify you and understand your request (including, where relevant, your name, organisation, and Client ID). We may request additional information where reasonably necessary to verify your identity or to respond to your enquiry in a complete and timely manner.