Records of Processing Activities (ROPA)
Version 1.2 | Last reviewed: 2026-04-23 | Next review: 2027-04-23
Document owner: Data Protection Officer / Privacy Contact (info@fintower.se)
Important notice
This ROPA is a living document and must be reviewed at least annually or upon material changes to processing activities. Any updates must be reflected within 30 days of implementation.
Introduction
This Records of Processing Activities document is maintained in accordance with Article 30 of the General Data Protection Regulation (GDPR) and represents the accountability framework for Fintower AB's personal data processing activities.
Fintower AB (organisation number 559468-3913) is established as both a Data Controller and a Data Processor.
This document covers:
- Part A: Processing activities where Fintower AB acts as the Data Controller
- Part B: Processing activities where Fintower AB acts as the Data Processor on behalf of Customers
- Appendix: Comprehensive Sub-processor Register
Company details
| Controller name | Fintower AB |
| Organisation number | 559468-3913 |
| Address | |
| Address | Masthamnsgatan 21, 413 29 Göteborg, Sweden |
| DPO / Privacy contact | info@fintower.se |
| Country | Sweden (EU) |
Part A: Fintower AB as data controller
A-01: User account management
Purpose: Creating and maintaining user accounts to enable access to the Fintower platform; managing user profiles, permissions, and account lifecycle.
Legal basis: Contract performance (Art. 6(1)(b) GDPR)
Data categories: Full name, work email address, company name, job title, account credentials (hashed/encrypted), account status, two-factor authentication settings, last login timestamp, account creation date.
Data subjects: Employees and representatives of Customer companies subscribed to Fintower platform.
Sub-processors:
Sub-processors: Supabase Inc. (authentication and identity management).
Retention: Duration of subscription plus 12 months following contract termination or account deletion.
International transfers: EU only.
A-02: SSO authentication (Google OAuth / Microsoft Entra ID)
Purpose: Enable users to authenticate using federated identity providers.
Legal basis: Contract performance (Art. 6(1)(b)); Legitimate interests (Art. 6(1)(f)).
Data categories: Name from identity provider, email address, identity provider token/assertion, authentication timestamp, device identifier, authentication events.
Retention: Session tokens cleared on logout or timeout (24h max). Authentication audit logs retained for 90 days.
International transfers: Google LLC: EU/US transfer under DPF and SCCs. Microsoft Entra ID: EU data residency.
A-03: Service usage analytics
Purpose: Understanding how users interact with the Fintower platform to improve feature effectiveness and user experience.
Legal basis: Legitimate interests (Art. 6(1)(f)).
Data categories: Pseudonymised usage events, session duration, browser type, device type, country-level location, truncated IP address.
Sub-processors: Mixpanel Inc. (product analytics), PostHog Inc. (product analytics and experimentation, EU).
Retention: 90 days; aggregated analytics retained indefinitely after anonymisation.
International transfers: Mixpanel Inc.: EU data residency, no transfer required. PostHog Inc.: EU data residency (eu.i.posthog.com), no transfer required.
A-04: Customer billing & invoicing
Purpose: Processing subscription payments, issuing invoices, maintaining financial records.
Legal basis: Contract performance (Art. 6(1)(b)); Legal obligation (Art. 6(1)(c)), Swedish Bookkeeping Act and tax law.
Data categories: Company name, billing address, contact person name, email, VAT number, payment method details, invoice amounts, subscription tier.
Retention: 7 years as required by Swedish Bookkeeping Act.
International transfers: EU only.
A-05: Marketing & lead generation (marketing site only)
Purpose: Understanding marketing campaign effectiveness, tracking prospect engagement, nurturing potential customers.
Legal basis: Consent (Art. 6(1)(a)) for non-essential cookies; Legitimate interests (Art. 6(1)(f)) for existing customer communications.
Data categories: Email address, company name, full name, website visit data, LinkedIn profile identifier, UTM parameters.
Sub-processors: Google LLC (Analytics), LinkedIn Ireland Limited (Insight Tag), Mixpanel Inc. (product analytics), PostHog Inc. (product analytics and experimentation, EU), Microsoft Corporation (Clarity session replay, US under DPF/SCCs).
Retention: Marketing cookies per consent duration (12–24 months).
International transfers: Google, LinkedIn, Microsoft (Clarity): EU/US transfer under DPF and SCCs. Mixpanel, PostHog: EU data residency.
A-06: Customer support communications
Purpose: Responding to support requests, investigating bug reports, maintaining knowledge base.
Legal basis: Contract performance (Art. 6(1)(b)); Legitimate interests (Art. 6(1)(f)).
Retention: 2 years following ticket closure. Chatwoot live chat conversations: 30 days.
Sub-processors: Resend Inc. (transactional email delivery), Chatwoot Inc. (live chat support, US under SCCs, 30-day retention).
International transfers: Resend Inc.: EU, no transfer required. Chatwoot Inc.: US transfer under SCCs.
A-07: Security monitoring & incident management
Purpose: Detecting, investigating, and responding to security incidents; maintaining audit logs.
Legal basis: Legitimate interests (Art. 6(1)(f)); Legal obligation.
Data categories: IP addresses, access logs, authentication events, API request logs, error logs, security alert events.
Retention: Operational logs: 90 days. Security incident records: 1 year. Audit logs for data breaches: 3 years.
International transfers: EU only.
A-08: Employee & contractor HR processing
Purpose: Managing employment relationships, processing payroll, tax and social security reporting.
Legal basis: Contract performance (Art. 6(1)(b)); Legal obligation (Art. 6(1)(c)), Swedish employment law, Skatteverket.
Data categories: Full legal name, personnummer, home address, bank account details, salary information, employment contract terms.
Retention: 7 years following end of employment as required by Swedish law.
International transfers: EU only, Sweden.
Part B: Fintower AB as data processor
B-01: FP&A platform, processing Customer financial data
Purpose: Enabling Customers to upload, store, process, and analyse their financial data within the secure Fintower platform.
Role: Data Processor. Controller: The Customer (B2B company).
Legal basis: Data Processing Agreement (DPA) per GDPR Art. 28.
Data categories: Accounting transaction data, invoices, payroll data, revenue data, cost allocations, budget data, forecast models, balance sheet items, cash flow data.
Sub-processors: Supabase Inc. (EU, Irland), Amazon (EU, Irland), Trigger.dev Inc. (EU, Germany).
Retention: Per Customer instruction; upon termination, deleted within 30 days with 30-day export window.
AI processing: No Customer data is used for training, fine-tuning, or improving any AI models. Each AI request is processed in isolation.
B-02: AI-powered financial analysis
Purpose: Running machine learning and large language models on Customer's financial data to generate insights, scenario analyses, and forecasts.
Role: Data Processor. Controller: The Customer.
Sub-processors: Amazon (EU, Irland).
AI model training: Customer data is NEVER used for training, fine-tuning, or improving any model. Data is processed in isolation for each request and is not retained by any sub-processor for model improvement.
Data flows: Customer financial data → Fintower platform → encrypted transmission → Amazon (EU, Irland) → processed output → returned to Customer. No data stored by AI sub-processors beyond the individual API call.
International transfers: EU only.
Appendix: Sub-processor register
| Sub-processor | Country | Purpose | Transfer mechanism |
|---|---|---|---|
| Supabase Inc. | EU | Database backend, authentication, data storage, API infrastructure | EU data residency; SCCs |
| Amazon Web Services | EU | LLM inference for AI-powered financial analysis + data storage | EU data residency; SCCs |
| Microsoft Entra ID | EU | SSO authentication, identity federation | EU data residency |
| Google LLC (OAuth) | EU / US | SSO authentication via Google OAuth | EU-US DPF and SCCs |
| Google LLC (Ads) | EU / US | Internal marketing campaign management | EU-US DPF and SCCs |
| Stripe, Inc. | EU / US | Payment processing, subscription billing | EU data residency; SCCs |
| Resend Inc. | EU | Transactional system email delivery | EU data residency; SOC 2 Type II |
| Trigger.dev Inc. | EU, Germany | Background job orchestration and task scheduling | EU data residency |
| Mixpanel Inc. | EU | Product analytics and conversion tracking | EU data residency; SOC 2 Type II |
| PostHog Inc. | EU | Product analytics, feature flags, experimentation (eu.i.posthog.com) | EU data residency; SCCs |
| Microsoft Corporation (Clarity) | US | Session replay and heatmap analytics on fintower.ai only | EU-US DPF and SCCs |
| Chatwoot Inc. | US | Live chat support widget on fintower.ai only (30-day retention) | SCCs |
| Google LLC (Analytics) | EU / US | Marketing analytics on fintower.ai only | EU-US DPF and SCCs |
| LinkedIn Ireland Limited | EU / US | LinkedIn Insight Tag on fintower.ai only | EU-US DPF and SCCs |
Contact information
Data Protection Officer / Privacy contact:
Email: info@fintower.se
Data Protection Officer / Privacy contact:
Email: info@fintower.se
Address: Masthamnsgatan 21, 413 29 Göteborg, Sweden