Privacy Policy

Last updated: February 2025

This Privacy Policy describes how Aronis ("Finovia", "we", "us", or "our") collects, uses, and shares your personal data when you use the Finovia platform (the "Service"). We are committed to protecting your privacy and processing your data in compliance with the General Data Protection Regulation (GDPR) and applicable data protection laws.

1. Data Controller

The data controller responsible for your personal data is:

  • Company: Aronis
  • Address: 92 place des cistes 13400 Aubagne
  • Registration: 10177659 RCS Marseille
  • Email: [email protected]

2. Data We Collect

2.1 Account Data

When you create an account, we collect your name, email address, password (hashed), preferred language, and profile information. If you sign up via Google or Microsoft, we receive your name and email from the identity provider.

2.2 Business Data

To provide our invoicing services, we process the data you enter: company information (name, address, tax ID, bank details), client data (name, email, address), invoices, quotes, credit notes, articles, and payment records.

2.3 Payment Data

Subscription payments are processed by Stripe. We do not store your full credit card number. Stripe processes and stores payment data in accordance with PCI-DSS standards. We only receive a truncated card number, expiry date, and transaction identifiers.

2.4 Usage & Technical Data

We automatically collect: IP address, browser type and version, device type, operating system, pages visited, time spent, referring URL, and cookies/session identifiers. This data helps us improve the Service and ensure security.

3. How We Use Your Data

  • Service delivery: To provide and maintain the invoicing platform, generate documents, process payments, and send reminders.
  • Account management: To manage your account, authenticate your identity, and handle company switching.
  • Communication: To send transactional emails (invoices, reminders, payment confirmations) and, with your consent, marketing communications.
  • Improvement: To analyze usage patterns, fix bugs, and improve the Service.
  • Legal compliance: To comply with legal obligations, including tax reporting and e-invoicing regulations.
  • Security: To detect and prevent fraud, abuse, and security incidents.

4. Legal Basis for Processing (GDPR Art. 6)

PurposeLegal Basis
Providing the invoicing servicePerformance of contract (Art. 6(1)(b))
Processing payments via StripePerformance of contract (Art. 6(1)(b))
Sending transactional emailsPerformance of contract (Art. 6(1)(b))
Analytics & improvementLegitimate interest (Art. 6(1)(f))
Marketing emailsConsent (Art. 6(1)(a))
Tax & legal complianceLegal obligation (Art. 6(1)(c))

5. Data Sharing & Third Parties

We do not sell your personal data. We share data only with the following categories of service providers, under strict contractual obligations:

  • Stripe: Payment processing (PCI-DSS compliant). Stripe's privacy policy applies to payment data.
  • Hosting provider: Infrastructure hosted in the European Union (France). Your data never leaves the EU.
  • Email service: Transactional email delivery (Resend). Only email addresses and message content are shared.
  • Analytics: Google Analytics 4, with anonymized IP addresses and consent-based activation.

6. International Data Transfers

Your data is stored on servers located in the European Union (France). When third-party services process data outside the EU (e.g., Stripe, Google Analytics), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

7. Data Retention

  • Account data: Retained for the duration of your account, plus 30 days after deletion request.
  • Business documents: Invoices and related documents are retained for 10 years as required by tax legislation.
  • Payment records: Retained for 10 years as required by financial regulations.
  • Usage logs: Retained for 12 months, then anonymized or deleted.
  • Marketing consent: Retained until you withdraw consent.

8. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access: Obtain a copy of your personal data we hold.
  • Right to rectification: Correct inaccurate or incomplete data.
  • Right to erasure: Request deletion of your data ("right to be forgotten"), subject to legal retention obligations.
  • Right to data portability: Receive your data in a structured, machine-readable format.
  • Right to restriction: Request restriction of processing in certain circumstances.
  • Right to object: Object to processing based on legitimate interests.
  • Right to withdraw consent: Withdraw consent at any time for consent-based processing.

To exercise your rights, contact us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

9. Cookies

We use strictly necessary cookies for authentication and session management. Analytics cookies (Google Analytics) are only activated with your explicit consent via our cookie banner. You can change your cookie preferences at any time. For more details, refer to our cookie banner settings.

10. Security Measures

We implement appropriate technical and organizational measures to protect your data, including: encryption in transit (TLS 1.2+) and at rest, secure password hashing, role-based access control, regular security audits, and automated health monitoring of our infrastructure.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through the Service. Continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact Us

For any questions regarding this Privacy Policy or your personal data, contact us at [email protected].