GDPR Compliance
How Finovia complies with the General Data Protection Regulation (EU) 2016/679.
At Finovia, we take data protection seriously. This page explains how we comply with the General Data Protection Regulation (GDPR) and how we protect the personal data of our users. As a platform that processes invoicing and business data, we understand the importance of trust and transparency.
1. Data Controller
Aronis, operating the Finovia platform, is the data controller for personal data collected through the Service. For data entered by our users (invoices, client records, etc.), our users are the data controllers and Finovia acts as a data processor.
- Data Protection Contact: [email protected]
- Address: 92 place des cistes, 13400 Aubagne
2. Data Processing Activities
2.1 As Data Controller
We process the following personal data for account management and service delivery:
| Data Category | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Name, email | Account creation & auth | Contract | Account lifetime + 30 days |
| Payment info (via Stripe) | Subscription billing | Contract | 10 years (legal) |
| IP, browser, device | Security & analytics | Legitimate interest | 12 months |
| Email address | Marketing communications | Consent | Until withdrawal |
2.2 As Data Processor
When our users create invoices, quotes, and client records, they enter personal data of their own clients and contacts. In this context, Finovia acts as a data processor on behalf of our users (data controllers). We process this data solely according to our users' instructions and in accordance with our Terms of Service.
3. Sub-Processors
We use the following sub-processors to deliver our Service:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Stripe | Payment processing | USA (SCCs in place) |
| Resend | Transactional emails | USA (SCCs in place) |
| Google Analytics | Website analytics | USA (SCCs, consent-based) |
| Hosting Provider | Infrastructure hosting | France / EU |
4. Data Storage Location
All primary data (databases, files, backups) is stored on servers located in the European Union (France). We do not transfer your data outside the EU except through the sub-processors listed above, who have appropriate safeguards (Standard Contractual Clauses) in place as required by GDPR Chapter V.
5. Technical & Organizational Measures
We implement the following measures to protect personal data (GDPR Art. 32):
- Encryption in transit: All data transmitted over HTTPS with TLS 1.2 or higher.
- Encryption at rest: Database and file storage encrypted at the infrastructure level.
- Authentication: Secure password hashing (bcrypt), OAuth 2.0 support, token-based sessions with automatic expiry.
- Access control: Role-based access control (RBAC) with per-company data isolation through database-level query filters.
- Monitoring: Automated health checks of all infrastructure services (database, cache, API, payment provider) with real-time alerting.
- Backups: Regular automated backups with point-in-time recovery capability.
- Incident response: Documented incident response procedure, including notification of the supervisory authority within 72 hours of a personal data breach as required by GDPR Art. 33.
6. Your Rights Under GDPR
As a data subject, you have the following rights under the GDPR:
Right of Access (Art. 15)
You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data. You can export your data directly from your Finovia account settings.
Right to Rectification (Art. 16)
You can correct inaccurate data directly in your account or by contacting us.
Right to Erasure (Art. 17)
You can request deletion of your account and personal data. Note that we are legally required to retain certain financial documents (invoices, payment records) for up to 10 years. Account deletion can be initiated from your account settings.
Right to Data Portability (Art. 20)
You can export your data in structured, machine-readable formats (CSV, Excel) from your Finovia account at any time.
Right to Restriction (Art. 18)
You can request restriction of processing in certain circumstances, such as when you contest the accuracy of data or object to processing.
Right to Object (Art. 21)
You can object to processing based on legitimate interests. For direct marketing, you can unsubscribe at any time using the link in our emails.
7. How to Exercise Your Rights
To exercise any of these rights, you can:
- Use the self-service options in your Finovia account settings (data export, account deletion).
- Email us at [email protected] with your request.
In either case, we will verify your identity and respond within 30 days (extendable by a further 60 days for complex requests, in which case we will notify you of the extension).
8. Cookies & Consent Management
We implement Google Consent Mode v2 for analytics. Strictly necessary cookies (authentication, session management) do not require consent. Analytics and marketing cookies are only activated after you provide explicit consent through our cookie banner. You can withdraw consent at any time.
9. Children's Data
The Service is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.
10. Supervisory Authority
If you believe that your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority. For users in France, this is the CNIL (Commission Nationale de l'Informatique et des Libertés) at www.cnil.fr.
11. Updates to This Page
We may update this GDPR compliance page as our practices evolve or as regulations change. Material changes will be communicated through the Service or by email.