Data Protection Policy (GDPR) – Finrizon

Last updated: 2025-12-05

1. Purpose

This document describes the personal data protection principles at Finrizon and the organisational and technical measures applied by 12B sp. z o.o.

2. Privacy‑by‑design and data minimisation

Finrizon is designed to:

  • process only data necessary for the relevant modules,
  • logically separate personal data from business data,
  • restrict data visibility according to role and scope (entity/cost centre/project).

3. Customer‑entrusted data

When acting as a Data Processor:

  • we process data solely on documented instructions from the Customer,
  • we support the exercise of data subject rights,
  • we enable export/deletion of data at the end of the engagement,
  • we provide a Data Processing Agreement (DPA).

4. Access control and audit trail

  • users are assigned roles (owner/manager/viewer),
  • access may be restricted per entity/cost centre/project,
  • key actions are logged with before/after values.

5. Security and business continuity

We apply measures including:

  • encryption in transit and at rest,
  • backups and rotation,
  • incident response procedures,
  • penetration testing and code audits,
  • disaster recovery and business continuity plans.

6. Security incidents

In the event of a personal data breach:

  • we take remedial action without delay,
  • we notify the Customer without undue delay,
  • we report the breach to the supervisory authority and/or affected individuals where required by law.

7. Contact

Data protection enquiries: privacy@finrizon.ai.

Controller: 12B sp. z o.o.
ul. Strzegomska 54A
53-611 Wrocław, Polska