Records of Processing Activities (ROPA)

Version 1.2 | Last reviewed: 2026-04-23 | Next review: 2027-04-23

Document owner: Data Protection Officer / Privacy Contact (info@fintower.se)

Important notice

This ROPA is a living document and must be reviewed at least annually or upon material changes to processing activities. Any updates must be reflected within 30 days of implementation.

Introduction

This Records of Processing Activities document is maintained in accordance with Article 30 of the General Data Protection Regulation (GDPR) and represents the accountability framework for Fintower AB's personal data processing activities.

Fintower AB (organisation number 559468-3913) is established as both a Data Controller and a Data Processor.

This document covers:

  • Part A: Processing activities where Fintower AB acts as the Data Controller
  • Part B: Processing activities where Fintower AB acts as the Data Processor on behalf of Customers
  • Appendix: Comprehensive Sub-processor Register

Company details

Controller nameFintower AB
Organisation number559468-3913
Address
AddressMasthamnsgatan 21, 413 29 Göteborg, Sweden
DPO / Privacy contactinfo@fintower.se
CountrySweden (EU)

Part A: Fintower AB as data controller

A-01: User account management

Purpose: Creating and maintaining user accounts to enable access to the Fintower platform; managing user profiles, permissions, and account lifecycle.

Legal basis: Contract performance (Art. 6(1)(b) GDPR)

Data categories: Full name, work email address, company name, job title, account credentials (hashed/encrypted), account status, two-factor authentication settings, last login timestamp, account creation date.

Data subjects: Employees and representatives of Customer companies subscribed to Fintower platform.

Sub-processors:

Sub-processors: Supabase Inc. (authentication and identity management).

Retention: Duration of subscription plus 12 months following contract termination or account deletion.

International transfers: EU only.

A-02: SSO authentication (Google OAuth / Microsoft Entra ID)

Purpose: Enable users to authenticate using federated identity providers.

Legal basis: Contract performance (Art. 6(1)(b)); Legitimate interests (Art. 6(1)(f)).

Data categories: Name from identity provider, email address, identity provider token/assertion, authentication timestamp, device identifier, authentication events.

Retention: Session tokens cleared on logout or timeout (24h max). Authentication audit logs retained for 90 days.

International transfers: Google LLC: EU/US transfer under DPF and SCCs. Microsoft Entra ID: EU data residency.

A-03: Service usage analytics

Purpose: Understanding how users interact with the Fintower platform to improve feature effectiveness and user experience.

Legal basis: Legitimate interests (Art. 6(1)(f)).

Data categories: Pseudonymised usage events, session duration, browser type, device type, country-level location, truncated IP address.

Sub-processors: Mixpanel Inc. (product analytics), PostHog Inc. (product analytics and experimentation, EU).

Retention: 90 days; aggregated analytics retained indefinitely after anonymisation.

International transfers: Mixpanel Inc.: EU data residency, no transfer required. PostHog Inc.: EU data residency (eu.i.posthog.com), no transfer required.

A-04: Customer billing & invoicing

Purpose: Processing subscription payments, issuing invoices, maintaining financial records.

Legal basis: Contract performance (Art. 6(1)(b)); Legal obligation (Art. 6(1)(c)), Swedish Bookkeeping Act and tax law.

Data categories: Company name, billing address, contact person name, email, VAT number, payment method details, invoice amounts, subscription tier.

Retention: 7 years as required by Swedish Bookkeeping Act.

International transfers: EU only.

A-05: Marketing & lead generation (marketing site only)

Purpose: Understanding marketing campaign effectiveness, tracking prospect engagement, nurturing potential customers.

Legal basis: Consent (Art. 6(1)(a)) for non-essential cookies; Legitimate interests (Art. 6(1)(f)) for existing customer communications.

Data categories: Email address, company name, full name, website visit data, LinkedIn profile identifier, UTM parameters.

Sub-processors: Google LLC (Analytics), LinkedIn Ireland Limited (Insight Tag), Mixpanel Inc. (product analytics), PostHog Inc. (product analytics and experimentation, EU), Microsoft Corporation (Clarity session replay, US under DPF/SCCs).

Retention: Marketing cookies per consent duration (12–24 months).

International transfers: Google, LinkedIn, Microsoft (Clarity): EU/US transfer under DPF and SCCs. Mixpanel, PostHog: EU data residency.

A-06: Customer support communications

Purpose: Responding to support requests, investigating bug reports, maintaining knowledge base.

Legal basis: Contract performance (Art. 6(1)(b)); Legitimate interests (Art. 6(1)(f)).

Retention: 2 years following ticket closure. Chatwoot live chat conversations: 30 days.

Sub-processors: Resend Inc. (transactional email delivery), Chatwoot Inc. (live chat support, US under SCCs, 30-day retention).

International transfers: Resend Inc.: EU, no transfer required. Chatwoot Inc.: US transfer under SCCs.

A-07: Security monitoring & incident management

Purpose: Detecting, investigating, and responding to security incidents; maintaining audit logs.

Legal basis: Legitimate interests (Art. 6(1)(f)); Legal obligation.

Data categories: IP addresses, access logs, authentication events, API request logs, error logs, security alert events.

Retention: Operational logs: 90 days. Security incident records: 1 year. Audit logs for data breaches: 3 years.

International transfers: EU only.

A-08: Employee & contractor HR processing

Purpose: Managing employment relationships, processing payroll, tax and social security reporting.

Legal basis: Contract performance (Art. 6(1)(b)); Legal obligation (Art. 6(1)(c)), Swedish employment law, Skatteverket.

Data categories: Full legal name, personnummer, home address, bank account details, salary information, employment contract terms.

Retention: 7 years following end of employment as required by Swedish law.

International transfers: EU only, Sweden.

Part B: Fintower AB as data processor

B-01: FP&A platform, processing Customer financial data

Purpose: Enabling Customers to upload, store, process, and analyse their financial data within the secure Fintower platform.

Role: Data Processor. Controller: The Customer (B2B company).

Legal basis: Data Processing Agreement (DPA) per GDPR Art. 28.

Data categories: Accounting transaction data, invoices, payroll data, revenue data, cost allocations, budget data, forecast models, balance sheet items, cash flow data.

Sub-processors: Supabase Inc. (EU, Irland), Amazon (EU, Irland), Trigger.dev Inc. (EU, Germany).

Retention: Per Customer instruction; upon termination, deleted within 30 days with 30-day export window.

AI processing: No Customer data is used for training, fine-tuning, or improving any AI models. Each AI request is processed in isolation.

B-02: AI-powered financial analysis

Purpose: Running machine learning and large language models on Customer's financial data to generate insights, scenario analyses, and forecasts.

Role: Data Processor. Controller: The Customer.

Sub-processors: Amazon (EU, Irland).

AI model training: Customer data is NEVER used for training, fine-tuning, or improving any model. Data is processed in isolation for each request and is not retained by any sub-processor for model improvement.

Data flows: Customer financial data → Fintower platform → encrypted transmission → Amazon (EU, Irland) → processed output → returned to Customer. No data stored by AI sub-processors beyond the individual API call.

International transfers: EU only.

Appendix: Sub-processor register

Sub-processorCountryPurposeTransfer mechanism
Supabase Inc.EUDatabase backend, authentication, data storage, API infrastructureEU data residency; SCCs
Amazon Web ServicesEULLM inference for AI-powered financial analysis + data storageEU data residency; SCCs
Microsoft Entra IDEUSSO authentication, identity federationEU data residency
Google LLC (OAuth)EU / USSSO authentication via Google OAuthEU-US DPF and SCCs
Google LLC (Ads)EU / USInternal marketing campaign managementEU-US DPF and SCCs
Stripe, Inc.EU / USPayment processing, subscription billingEU data residency; SCCs
Resend Inc.EUTransactional system email deliveryEU data residency; SOC 2 Type II
Trigger.dev Inc.EU, GermanyBackground job orchestration and task schedulingEU data residency
Mixpanel Inc.EUProduct analytics and conversion trackingEU data residency; SOC 2 Type II
PostHog Inc.EUProduct analytics, feature flags, experimentation (eu.i.posthog.com)EU data residency; SCCs
Microsoft Corporation (Clarity)USSession replay and heatmap analytics on fintower.ai onlyEU-US DPF and SCCs
Chatwoot Inc.USLive chat support widget on fintower.ai only (30-day retention)SCCs
Google LLC (Analytics)EU / USMarketing analytics on fintower.ai onlyEU-US DPF and SCCs
LinkedIn Ireland LimitedEU / USLinkedIn Insight Tag on fintower.ai onlyEU-US DPF and SCCs

Contact information

Data Protection Officer / Privacy contact:
Email: info@fintower.se

Data Protection Officer / Privacy contact:
Email: info@fintower.se
Address: Masthamnsgatan 21, 413 29 Göteborg, Sweden