Privacy Policy
Last updated: 2026-04-23
Fintower AB
Organisation Number: 559468-3913
Address: Masthamnsgatan 21, 413 29 Göteborg, Sweden
Email: info@fintower.se
1. About us
Fintower AB ("we", "us", "our", or "Fintower") operates an AI-powered financial planning and analysis (FP&A) SaaS platform that helps businesses streamline their financial operations and gain actionable insights.
This Privacy Policy explains how we collect, use, process, and protect personal data in accordance with the General Data Protection Regulation (GDPR) and Swedish data protection legislation.
1.1 Our roles
Data Controller: When you visit our website or create a user account to access our services, Fintower acts as the data controller for personal data we collect directly from you (such as your name, email address, and account information).
Data Processor: When you use our platform to upload, integrate, or process financial data (such as accounting transactions, invoices, or payroll information), we act as a data processor on your behalf. You, as the customer, remain the data controller for this "Tenant Data," and we process it in accordance with a Data Processing Agreement (DPA) that forms part of our Service Terms.
2. Definitions
| Term | Definition |
|---|---|
| Controller | The natural or legal person that determines the purposes and means of processing personal data. |
| Processor | The natural or legal person that processes personal data on behalf of the controller. |
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Data Subject | The individual to whom personal data relates. |
| Sub-processor | A processor engaged by another processor to process personal data on its behalf. |
| Tenant Data | Financial data (accounting transactions, invoices, payroll, sales records, etc.) uploaded or integrated by our customers and processed on their behalf by Fintower. |
| Processing | Any operation performed on personal data, such as collection, recording, organization, retrieval, use, disclosure, or deletion. |
3. What personal data we collect
3.1 Account and identity data
When you create an account or subscribe to Fintower, we collect:
- Full name
- Email address
- Company name
- Job title or role
- Password (hashed and encrypted)
- Phone number (optional)
- Profile information you voluntarily provide
Purpose: Account creation, authentication, service delivery, and communication.
3.2 Usage data
We automatically collect information about how you interact with our platform:
- Log data (timestamps, actions performed, pages accessed)
- IP address and geographical location (approximate)
- Browser type, operating system, and device information
- Session duration and frequency of use
- Features accessed and functionality used
- Error reports and performance metrics
- Analytics data (via analytics tools)
Purpose: Improving our service, detecting technical issues, ensuring security, and understanding user behavior.
3.3 Communication data
We collect data when you communicate with us:
- Support emails and inquiries
- Chat messages with our support team
- Feedback, survey responses, and product suggestions
- Content of communications you initiate
Purpose: Providing customer support, resolving issues, and improving our services based on your feedback.
3.4 Billing and commercial data
To process payments and manage your subscription, we collect:
- Billing address and contact information
- Invoice and transaction history
- Subscription tier and renewal dates
- Payment method information (card type, last four digits, expiration date)
Note: Payment card details are processed and securely stored by Stripe, Inc. (our payment processor). Fintower does not store full credit card numbers.
Purpose: Billing, invoicing, payment processing, and subscription management.
3.5 Tenant data (financial data processed as processor)
When you integrate our platform with your accounting systems or upload financial records, we process the following on your behalf as a data processor:
- Accounting transactions and ledger entries
- Invoices (inbound and outbound)
- Payroll data (salaries, deductions, benefits)
- Sales transactions and revenue records
- Cost and expense data
- Customer and supplier information (names, addresses, contact details)
- Bank account information
- Tax and compliance records
Source: Data is sourced through direct uploads from you and integrations with your existing financial systems.
Our role: For Tenant Data, Fintower is a data processor. You (the customer) remain the data controller. Processing is governed by a Data Processing Agreement as part of our Service Terms. We process Tenant Data solely for the purposes of:
- Providing AI-powered financial analysis and insights
- Enabling financial forecasting and scenario modeling
- Supporting budget planning and variance analysis
- Generating reports and dashboards for your use
Exclusion: Tenant Data is explicitly excluded from use in training our AI models or for developing new services without your separate, explicit written consent.
4. Legal basis for processing
We only process personal data on one or more of the following legal bases:
4.1 Contract performance
Processing necessary to provide our services, including account management, service delivery, and billing.
4.2 Legitimate interests
Processing to:
- Detect, prevent, and address fraud and security threats
- Enforce our terms of service
- Protect the rights, privacy, safety, and property of Fintower, our users, and the public
- Monitor and improve service performance and reliability
4.3 Legal obligation
Processing required by Swedish and EU law, including:
- Tax and accounting record requirements (Swedish accounting law, 7-year retention)
- Response to lawful requests from authorities
- Data breach notification obligations
4.4 Consent
Processing based on your explicit consent, including:
- Marketing communications (email, newsletters)
- Use of certain cookies and tracking technologies
- Surveys and optional data collection
Note: For Tenant Data, the legal basis is the Data Processing Agreement with you, as you are the data controller and Fintower is the processor.
5. How we use your personal data
5.1 Service delivery
We use your data to:
- Create and maintain your account
- Deliver and improve the Fintower platform
- Provide AI-powered financial analysis and forecasting
- Enable integrations with your accounting systems
- Generate reports, dashboards, and insights
5.2 Authentication and security
We use your data to:
- Authenticate your identity and verify your access rights
- Prevent unauthorized access
- Monitor for suspicious or malicious activity
- Comply with security standards and regulations
5.3 Communication and support
We use your data to:
- Respond to your inquiries and provide customer support
- Send service-related notifications (updates, outages, security alerts)
- Share product announcements and feature updates
- Conduct surveys or request feedback
5.4 Billing and payment processing
We use billing data to:
- Process subscription payments
- Generate invoices
- Manage refunds and disputes
- Maintain records for accounting and tax purposes
5.5 Compliance and legal obligations
We use data to:
- Comply with applicable laws and regulations
- Respond to lawful requests from authorities
- Enforce our terms of service
- Protect against legal liability
5.6 Product improvement and analytics
We use usage and communication data to:
- Analyze user behavior and service performance
- Identify areas for improvement
- Develop new features based on user needs
- Conduct anonymized analytics
Important: Tenant Data (your financial records) is explicitly excluded from being used to train or improve our AI models, develop new services, or for any purpose beyond delivering the Fintower service to you, unless you provide separate written consent.
6. Cookies and tracking technologies
We use cookies and similar technologies (pixels, local storage) to:
- Maintain your session and remember your preferences
- Track usage analytics and improve our website
- Deliver personalized content
- Enable our AI analysis features
For detailed information about the types of cookies we use, your choices, and how to opt out, please refer to our Cookie Policy.
7. Sharing your personal data
7.1 Sub-processors
We share personal data with carefully selected sub-processors who assist us in delivering our services. All sub-processors are subject to contractual agreements requiring them to process data securely and in accordance with GDPR. A comprehensive list of approved sub-processors is maintained in Schedule 1 of our Data Processing Agreement.
7.2 Sharing with legal authorities
We may disclose personal data when legally required, including:
- Lawful requests from courts or law enforcement
- Tax authorities and regulatory bodies
- Public authorities responding to legal proceedings
- Protection of public health and safety
7.3 Mergers and acquisitions
If Fintower is involved in a merger, acquisition, bankruptcy, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your data.
7.4 No unauthorized sharing
We do not sell, rent, lease, or otherwise distribute your personal data to third parties for marketing purposes without your explicit consent.
8. International data transfers
8.1 Primary infrastructure
Our primary infrastructure is based in the European Union, ensuring your data benefits from GDPR protections within EU boundaries.
8.2 EU data residency
- Supabase: EU
- Amazon Web Services: EU
8.3 Google OAuth and potential US transfers
Our use of Google OAuth 2.0 for single sign-on may involve limited data transfers to the United States. These transfers are safeguarded under:
- EU–US Data Privacy Framework (DPF): Google is certified under the DPF, providing an adequacy mechanism for transatlantic data transfers
- Standard Contractual Clauses (SCCs): Supplementary transfer mechanism as required by EU law
You have the right to request details about these transfer mechanisms by contacting us.
8.4 Resend, Trigger.dev, and Mixpanel (EU data residency)
Resend Inc. (transactional system email delivery), Trigger.dev Inc. (background jobs), and Mixpanel Inc. (product analytics) are configured with EU data residency, ensuring data remains within the European Union.
8.5 Chatwoot (live chat support, US)
Chatwoot Inc. (United States) provides our live chat widget. When you opt in to live chat, message content and basic session metadata are processed in the US under Standard Contractual Clauses (SCCs). Conversations are retained for 30 days on the Chatwoot Hacker plan and then deleted. See Chatwoot's privacy policy for details.
8.6 PostHog (EU data residency)
PostHog Inc. provides our product analytics, feature flag, and experimentation platform. PostHog is configured to use the EU instance (eu.i.posthog.com) hosted in the European Union; no event data is transferred to the United States. Legal basis: consent (loaded only after acceptance of the "Statistics" cookie category in our Cookiebot consent banner). See PostHog's privacy policy for details.
8.7 Microsoft Clarity (US, SCCs)
Microsoft Corporation provides Microsoft Clarity, a session replay and heatmap analytics tool used on our marketing site. Clarity processes data in the United States; transfers are safeguarded under the EU–US Data Privacy Framework and Standard Contractual Clauses (SCCs). Sensitive input fields are masked by default and passwords or form values are not recorded. Legal basis: consent (loaded via Google Tag Manager only after acceptance of the "Statistics" cookie category in our Cookiebot consent banner). See the Microsoft privacy statement for details.
8.8 Google API Services User Data Policy
Fintower's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. The use of raw or derived user data received from Workspace APIs will adhere to the Google User Data Policy, including the Limited Use requirements.
9. Data retention
We retain personal data only for as long as necessary to fulfill the purposes outlined in this policy or as required by law.
| Data category | Retention period | After retention |
|---|---|---|
| Account and identity data | Duration of subscription + 12 months | Deleted or anonymized |
| Usage and log data | 90 days | Automatically deleted or aggregated |
| Billing and commercial data | 7 years (Swedish accounting law) | Deleted per legal requirements |
| Tenant data (financial records) | Duration of contract + 30-day export window | Permanently deleted |
| Communication data | Until no longer necessary | Deleted or anonymized |
| Marketing and consent-based data | Until consent withdrawn | Immediately removed from marketing |
10. Your rights under GDPR
As a data subject in the EU/EEA, you have the following rights:
- Right to access, obtain confirmation of whether your personal data is being processed and receive a copy
- Right to rectification, correct inaccurate or incomplete personal data
- Right to erasure, request deletion of your personal data, subject to legal limitations
- Right to restrict processing, limit processing while you contest its accuracy or legality
- Right to data portability, receive your data in a structured, machine-readable format
- Right to object, object to processing for direct marketing, legitimate interests, or research
- Right to withdraw consent, withdraw consent at any time without affecting prior lawfulness
- Right to lodge a complaint, file a complaint with Integritetsskyddsmyndigheten (IMY), Box 2300, 171 02 Stockholm, Sweden, www.imy.se
To exercise any of these rights, contact us at info@fintower.se. We will respond within 30 days (or up to 90 days for complex requests).
11. Data security
Protecting your personal data is a priority. We implement technical, organizational, and administrative measures including:
- Encryption: TLS 1.2+ in transit, AES-256 at rest
- Tenant isolation: Logical separation of customer data in our multi-tenant architecture
- Access controls: RBAC, least privilege, MFA for administrative access
- Security standards: Practices aligned with ISO 27001 principles
While we employ industry-standard security measures, no system is 100% secure. You are responsible for maintaining the confidentiality of your account credentials. A detailed Data Security Whitepaper is available upon request.
12. Children's privacy
Our service is not directed to individuals under 18. We do not knowingly collect personal data from children. If we become aware of such collection, we will delete the data and terminate the account.
13. Changes to this Privacy Policy
We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. Material changes will be communicated by posting an updated policy, sending email notification, or displaying a notice on our platform. Continued use constitutes acceptance of the updated policy.
14. Contact information
If you have questions or requests regarding this Privacy Policy, please contact us:
Fintower AB
Masthamnsgatan 21
413 29 Göteborg
Sweden
Email: info@fintower.se
Phone: Available upon request
Data Protection Officer: For data protection-specific inquiries, please email info@fintower.se with "GDPR" or "Data Protection" in the subject line.
This Privacy Policy is effective as of 30 March 2026.