Last Updated 10.01.2026

Privacy Policy

This Privacy Policy explains how we collect and use personal data when you use our B2B SaaS application and our website (together, the “Services”). This notice is designed to meet the transparency requirements under the GDPR (including the information listed in Article 13 GDPR).


Contact details

Controller: Devs Adam Kielar

Address: ul. Alfreda Jahna 4/4, 54-703 Wroclaw

Email: legal@finkyagents.ai

Our role vs your organization’s role (B2B context)

When you use our Services through your company:
Your organization is typically the data controller for the personal data you input into the Services (e.g., user accounts, operational data, tickets/logs, contacts).
We typically act as a data processor for that customer content, processing it on your organization’s instructions.
Separately, we act as a data controller for our own business operations (e.g., billing, account administration, security logs for our Service, marketing to prospects where permitted).
(If you publish content to the public website, you may be a controller for that content too.)

Personal data we collect

A) Data you provide
Account & profile data: name, work email, password (hashed), role, organization name, authentication settings
Billing data: billing contact name/email, billing address, VAT ID (if applicable), invoices, payment status and transaction metadata (payments are handled by Stripe; we do not store full card details)
Communications: messages you send us (support requests, emails), attachments and feedback
Customer content (in-app): data your organization (or you) uploads/configures in the SaaS (e.g., configurations, operational metadata, logs, identifiers). Exact categories depend on your use of the product.

B) Data collected automatically
Website data: IP address, device/browser information, pages viewed, approximate location (derived from IP), timestamps, referrer
App telemetry & security logs: login events, audit logs, error logs, performance metrics (to keep the Service secure and reliable)

C) Data from third parties
Payment confirmation data from Stripe (e.g., payment success/failure, charge/refund status)
Analytics events from Mixpanel (depending on your cookie/consent settings)

Purposes and legal bases (GDPR)

We process personal data only where we have a lawful basis under GDPR.  
A) Provide the Services (account creation, authentication, core features)
Purpose: deliver the SaaS, maintain user accounts, enable key functionality
Legal basis: contract (GDPR Art. 6(1)(b))

B) Customer support and service communications
Purpose: answer questions, troubleshoot issues, send service notices
Legal basis: contract (Art. 6(1)(b)) and/or legitimate interests (Art. 6(1)(f))

C) Billing, subscriptions, taxes, and accounting
Purpose: invoices, subscription administration, accounting records
Legal basis: contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c))

D) Security and fraud prevention
Purpose: secure authentication, detect abuse, maintain audit trails, prevent fraud
Legal basis: legitimate interests (Art. 6(1)(f)) and sometimes legal obligation (Art. 6(1)(c))

E) Analytics and product improvement
Purpose: understand usage, improve UX, debug performance
Legal basis: legitimate interests (Art. 6(1)(f)) and/or consent (Art. 6(1)(a)) where required for cookies/tracking (see Cookies section)

F) Marketing (B2B)
Purpose: newsletters, product updates, event invitations, sales outreach
Legal basis: consent (Art. 6(1)(a)) and/or legitimate interests (Art. 6(1)(f)), depending on context and local rules
You can opt out at any time.

How We Use Cookies and Tracking Tools

Cookies help personalize your experience and track feature performance. We use only essential and analytics cookies. You can control your preferences through browser settings or our cookie banner.

Key Points:

Session cookies used to remember login and settings

Analytics cookies improve editor speed and features

No advertising or marketing tracking without consent

Security Practices to Keep Your Data Safe

We implement strict security measures including data encryption, secure authentication, and regular system audits to protect your information from unauthorized access or misuse.

Key Points:

SSL/TLS encryption for all transmitted data

Two-factor authentication to secure user accounts

Internal access control and staff confidentiality policies

Service providers (processors) and sharing

We share personal data only with trusted service providers as needed to run the Services:
Core vendors you use
Webflow (website hosting) – processes website data as a processor; offers a DPA including EU SCCs
Microsoft Azure (application hosting/infrastructure) – processes customer data and service data under Microsoft’s DPA terms
Stripe (payments) – processes billing and payment-related personal data under its DPA and transfer terms

International data transfers (outside the EEA)

Some of our providers may process data outside the EEA (often including the United States). Where required, we rely on lawful transfer mechanisms such as:
EU Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision (EU) 2021/914)
Where applicable, providers’ participation in recognized frameworks (e.g., Data Privacy Framework) and/or additional safeguards depending on the service arrangement (example: Stripe notes transfer mechanisms in its legal terms).
For Schrems II–related transfer risk assessment and supplementary measures where needed, we follow EDPB recommendations.
You may request more information about our safeguards by contacting legal@finkyagents.ai

Data retention

We keep personal data only as long as needed for the purposes described above:
Account data: for the duration of the customer contract and a limited period after termination/closure to handle disputes, restore accounts (if requested), and meet security needs: 24 months
Security/audit logs: retained for 90 days depending on sensitivity and operational needs
Support tickets: 12 months
Billing & accounting records: typically at least 5 years in line with common Polish tax/accounting retention practices (exact periods can vary by document type).
Where Article 13 GDPR requires it, we either state retention periods or the criteria used to determine them.

Your GDPR rights

Subject to legal conditions and exceptions, you may have the right to:
access your data
correct inaccurate data
delete your data
restrict processing
data portability
object to processing based on legitimate interests (including certain analytics/marketing)
withdraw consent at any time (where consent is the basis)
To exercise rights, email legal@finkyagents.ai. We may verify identity before responding.
Right to complain: You may lodge a complaint with the Polish supervisory authority (UODO). (If you’re in another EU/EEA country, you can typically complain to your local authority as well.)

Automated decision-making

We do not use automated decision-making (including profiling) that produces legal or similarly significant effects on you.
If this changes (e.g., fraud scoring with significant impact), we will update this policy with the required information.

Children

Our Services are intended for business users and are not directed to children. We do not knowingly collect personal data from children.

Start your first assessment with FinkyAgents.

Point FinkyAgents at your Azure subscription and code repos, and get a clear, opinionated view of what’s risky, what’s noisy and what you can fix today – with or without auto-remediation.
