Privacy Policy – Finrizon
Last updated: 2025-12-05
This Privacy Policy explains how Finrizon collects, uses, stores and protects personal data and business data of Users.
1. Definitions
- "Finrizon / Service" means the SaaS platform available at finrizon.ai, supporting financial analysis, budgeting and forecasting using AI agents.
- "Controller" means 12B sp. z o.o.
- "Client" means the entity (company) that has entered into an agreement to use Finrizon.
- "User" means an individual using the Service (e.g. CFO, controller, analyst).
- "Personal Data" means information about an identified or identifiable natural person within the meaning of GDPR.
- "Business Data" means the Client's financial and operational data (e.g. Trial Balance, P&L, budgets, forecasts).
- "GDPR" means Regulation (EU) 2016/679.
- "Processor" means Finrizon acting on behalf of the Client with respect to entrusted data.
2. Data Controller and Contact
The controller of personal data of users of the Finrizon website and application is:
12B sp. z o.o.
ul. Strzegomska 54A
53-611 Wrocław, Poland
REGON: 367408610
VAT ID: 894-310-64-43
Privacy contact: privacy@finrizon.ai
3. Roles of the Parties (Controller vs Processor)
3.1. In relation to website visitors, marketing and User accounts, 12B sp. z o.o. acts as Controller.
3.2. With respect to Client Business Data transmitted to Finrizon or synchronized with ERP/BI systems, 12B sp. z o.o. typically acts as a Processor. Details are governed by the agreement and the Data Processing Agreement (DPA).
3.3. The Client is responsible for fulfilling legal obligations towards individuals whose personal data may appear in Business Data.
4. Data We Collect
4.1. Data provided by the User
- full name,
- business email address,
- job title, department,
- company name and country,
- authentication credentials (password, SSO token).
4.2. Technical and operational data
- IP address, device identifiers, browser/OS type,
- session identifiers, security logs,
- application usage metadata (modules used, time, clicks).
4.3. Business/financial data (from ERP/BI integrations or imports)
Finrizon may process Business Data such as:
- Trial Balance, P&L entries, budgets, forecasts, KPIs,
- financial dimensions (entity, cost center, project, client),
- transactional data associated with financial positions.
Business Data is in principle non-personal. If personal data appears incidentally (e.g. names in descriptions), it is treated as data entrusted by the Client and processed on its instructions.
4.4. External macroeconomic data
Depending on configuration, Finrizon may retrieve indicators (inflation, FX rates, wage indices, GDP) from public or commercial sources (e.g. Eurostat, ECB, Bloomberg or others agreed with the Client).
5. Purposes and Legal Bases for Processing
We process data for the purpose of:
- 5.1. Providing the Service and performing the contract (Art. 6(1)(b) GDPR).
- 5.2. Ensuring security, accountability and continuity of the Service (Art. 6(1)(f) GDPR).
- 5.3. Improving the product and usage analytics (Art. 6(1)(f) GDPR).
- 5.4. User/Client support and onboarding (Art. 6(1)(b) and (f) GDPR).
- 5.5. Direct marketing/newsletter upon consent (Art. 6(1)(a) GDPR).
We do not make decisions with legal effects based solely on automated processing.
6. Use of AI / LLM
- 6.1. Finrizon uses AI/LLM models to generate forecasts, variance analyses and narrative comments.
- 6.2. Client data is not used to train base AI models without explicit agreement in the contract.
- 6.3. We apply data minimisation — models receive only the data necessary for the task.
- 6.4. AI outputs are recommendations; final acceptance rests with the User.
7. Data Retention
- User account data: for the duration of the contract or until account deletion,
- technical and security logs: typically 12–24 months,
- Business Data: per agreement with the Client; deleted or anonymised after end of cooperation,
- backups: per backup policy (rotation, encryption).
8. Recipients / Subprocessors
Data may be shared with:
- hosting and cloud infrastructure providers,
- analytics and monitoring tool providers,
- support and development partners,
- public authorities when required by law.
An up-to-date list of subprocessors may be published in the "Subprocessors / Trust Center" section.
9. International Transfers
Data is processed by default within the EU/EEA. Where transfer outside the EEA occurs, we apply appropriate safeguards including Standard Contractual Clauses (SCCs).
10. Security
We apply security measures including:
- TLS 1.2+ in transit and encryption at rest,
- RBAC and optional MFA,
- logical separation of client data,
- monitoring and alerting,
- regular security testing and code review,
- business continuity and disaster recovery procedures.
11. User Rights
Users may exercise rights of access, rectification, erasure, restriction, portability, objection or withdrawal of consent. Requests should be sent to privacy@finrizon.ai.
Users have the right to lodge a complaint with the competent data protection authority.
12. Policy Changes
We may update this policy in response to changes in law or the Service. Users will be notified of material changes by email or in-app notification.