Finctra Data Processing Agreement

This Data Processing Agreement (“DPA”) forms an integral part of the Finctra Terms of Service (“Terms”) between the party named as “Customer” in the Terms (“Customer” or “Controller”) and Finctra, Inc. (“Company” or “Processor”) and sets out the parties’ respective obligations when Customer personal data is processed by Company in relation to the Services performed by Company on Customer’s behalf pursuant to the Terms. The purpose of the DPA is to ensure such processing is conducted in accordance with applicable laws and with due respect for the rights and freedoms of individuals whose personal data is processed. This DPA will be effective from the date on which the authorized signatories of the parties sign the Order Form.

This Data Processing Agreement ("Agreement") forms part of the Contract for Services ("Principal Agreement") between the Customer and

Finctra Inc
Y-Tunnus: 3577369-5
(the "Data Processor")

(together as the "Parties")

WHEREAS

(A) The Company acts as a Data Controller and wishes to engage Service Provider for AI-powered Financial Services Software, white glove onboarding, knowledge base creation, and Finctra customization services.

(B) The Company wishes to subcontract certain Services, which may involve the processing of personal data and confidential business information, to the Service Provider.

(C) The Parties seek to implement comprehensive data protection, confidentiality, and intellectual property provisions that comply with applicable laws including GDPR, U.S. state privacy laws, and other relevant data protection regulations.

(D) The Parties wish to establish clear ownership rights regarding deliverables created during paid pilot programs and ongoing services.

IT IS AGREED AS FOLLOWS:

1. DEFINITIONS AND INTERPRETATION

    1.1 Definitions

    Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:

    1.1.1 "Agreement" means this Data Processing and Services Agreement and all Schedules;

    1.1.2 "Company Personal Data" means any Personal Data Processed by Service Provider on behalf of Company pursuant to or in connection with the Principal Agreement;

    1.1.3 "Company Confidential Information" means all non-public, proprietary, or confidential information disclosed by Company to Service Provider, including but not limited to business processes, customer data, financial information, technical specifications, and strategic plans;

    1.1.4 "Data Protection Laws" means EU Data Protection Laws, U.S. Privacy Laws, and, to the extent applicable, the data protection or privacy laws of any other country;

    1.1.5 "U.S. Privacy Laws" means applicable U.S. federal and state privacy laws including but not limited to the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), and any other applicable state privacy laws;

    1.1.6 "EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;

    1.1.7 "GDPR" means EU General Data Protection Regulation 2016/679;

    1.1.8 "Data Transfer" means:

    • a transfer of Company Personal Data from the Company to Service Provider; or

    • an onward transfer of Company Personal Data from Service Provider to a Subprocessor, or between two establishments of Service Provider, in each case, where such transfer would be prohibited by Data Protection Laws;

    1.1.9 "Services" means the AI-powered financial services software, white glove onboarding, knowledge base creation, Finctra customization, sales coaching, and assistance that Finctra provides;

    1.1.10 "Deliverables" means all work products, documents, designs, configurations, customizations, prompt designs, knowledge bases, and other materials created by Service Provider specifically for Company during the performance of Services, particularly during paid pilot programs;

    1.1.11 "Subprocessor" means any person appointed by or on behalf of Service Provider to process Personal Data on behalf of the Company in connection with the Agreement;

    1.1.12 "White Glove Onboarding" means the customized setup and configuration services provided by Service Provider to optimize the software for Company's specific use cases and requirements.

    1.2 GDPR Terms

    The terms "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

2. CONFIDENTIALITY AND DATA PROTECTION

2.1 Comprehensive Confidentiality

2.1.1 Service Provider acknowledges that it may receive Company Confidential Information and Company Personal Data in connection with the Services.

2.1.2 Service Provider shall:

  • Hold all Company Confidential Information in strict confidence;

  • Use Company Confidential Information solely for the purpose of providing the Services;

  • Not disclose Company Confidential Information to any third party without Company's prior written consent;

  • Implement and maintain appropriate safeguards to protect the confidentiality of such information.

2.1.3 The confidentiality obligations shall survive termination of this Agreement for a period of five (5) years.

2.2 Processing Obligations

Service Provider shall:

2.2.1 comply with all applicable Data Protection Laws in the Processing of Company Personal Data;

2.2.2 not Process Company Personal Data other than on the Company's documented instructions;

2.2.3 ensure all employees handling Personal Data or Confidential Information are bound by legally enforceable confidentiality agreements;

2.2.4 provide adequate training to all employees handling Personal Data on data protection requirements and procedures;

2.2.5 be liable for any processing activities conducted outside the scope of documented instructions.

Service Provider shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with applicable laws in the context of that individual's duties, and ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

3. INTELLECTUAL PROPERTY AND DELIVERABLES OWNERSHIP

3.1 Deliverables Ownership for Paid Pilots

3.1.1 For paid pilot programs, all Deliverables created specifically for Company, including but not limited to:

  • Custom prompt designs

  • Knowledge base configurations

  • Customized AI model configurations

  • Integration specifications

  • Custom workflows and processes

shall be owned by Company upon full payment of applicable fees.

3.1.2 Service Provider hereby assigns to Company all right, title, and interest in and to such Deliverables, including all intellectual property rights therein.

3.2 Service Provider Retained Rights

3.2.1 Service Provider retains ownership of:

  • Its core platform, software, and underlying technology

  • General methodologies, processes, and know-how

  • Aggregated and anonymized insights that cannot identify Company

3.2.2 Service Provider may use general knowledge, skills, and experience gained from providing Services, provided such use does not violate confidentiality obligations or disclose Company Confidential Information.

3.3 License Grant

3.3.1 Company grants Service Provider a limited, non-exclusive license to use Company Confidential Information solely for the purpose of providing the Services during the term of this Agreement.

3.3.2 Service Provider grants Company a perpetual, irrevocable, royalty-free license to use Deliverables for Company's business purposes, including the right to modify and create derivative works.

4. SUBPROCESSING

4.1 Authorized Subprocessors

Service Provider is authorized to engage the following Subprocessors:

  • Google Cloud EMEA Ltd. - Core cloud infrastructure, hosting, database, authentication, file storage, AI-powered data analysis, and security services.

  • Twilio, Inc. - Transactional email delivery services for sending invoices, account notifications, and password resets.

4.2 Subprocessor Requirements

Service Provider shall ensure that all Subprocessors:

  • Are bound by data protection and confidentiality obligations substantially equivalent to those in this Agreement

  • Maintain compliance with applicable Data Protection Laws

  • Process Personal Data only for the specific purposes authorized by Company

  • Implement appropriate technical and organizational measures

4.3 Subprocessor Changes

Service Provider shall inform Company of any intended changes to Subprocessors with at least 30 days' prior written notice. Company may object to such changes within 14 days if the changes do not meet required data protection standards.

5. DATA SUBJECT RIGHTS

5.1 Assistance to Company

Service Provider shall assist Company in fulfilling its obligations to respond to requests to exercise Data Subject rights under applicable Data Protection Laws, including both GDPR and U.S. Privacy Laws.

5.2 Data Subject Request Handling

Service Provider shall:

5.2.1 promptly notify Company within 5 days if it receives a request from a Data Subject;

5.2.2 not respond to that request except on the documented instructions of Company or as required by applicable laws.

6. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION

Service Provider shall provide reasonable assistance to the Company with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Company reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by Service Provider, taking into account the nature of the Processing and information available to Service Provider.

7. PERSONAL DATA BREACH

7.1 Breach Notification

Service Provider shall notify Company's privacy team without undue delay upon becoming aware of a Personal Data Breach affecting Company Personal Data or Confidential Information, providing Company with sufficient information to allow the Company to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

7.2 Breach Response

Service Provider shall cooperate with Company and take reasonable commercial steps as directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

9. DATA RETENTION AND DELETION

9.1 Data Deletion

Service Provider shall delete Company Personal Data and Confidential Information within 30 days of the cessation of Services, except for:

  • Data required to be retained by law

  • Deliverables owned by Company

  • Aggregated, anonymized data that cannot identify Company

9.3 Certification

Service Provider shall provide written certification to Company that it has fully complied with this section 9 within 30 days of the Cessation Date.

9.4 Data Retention and Deletion Policy

Finctra is committed to practicing data minimisation and retaining user data only for as long as is necessary to provide our services, and to comply with our legal and regulatory obligations. Our retention policies are designed in accordance with the EU General Data Protection Regulation (GDPR) and the Finnish Accounting Act (Kirjanpitolaki).

Retention Periods by Data Category

9.4.1. Core Business & Financial Records

  • Description: This category includes all financial data you create within Finctra, such as invoices, expenses, uploaded receipt images and other source documents, bank reconciliation data, and generated financial reports (e.g., VAT analysis, balance sheets).

  • Retention Period: This data, including the accessible copy of your uploaded documents, is retained for the duration of your active service agreement. Upon account termination, this data will be archived and retained for a minimum of six (6) years following the end of the financial year in which it was created.

  • Rationale: To comply with the mandatory record-keeping obligations set forth in the Finnish Accounting Act (Kirjanpitolaki). The receipt image is a primary source document and must be retained for the same period as the financial entry it supports.

9.4.2. User Account & Profile Data

  • Description: Information required to maintain your account, including your name, email address, company details, subscription status, and user settings.

  • Retention Period: Retained for the duration of your active service agreement. Data will be permanently deleted within 90 days following the termination of your account, unless required for legal or billing purposes.

  • Rationale: Necessary for providing and maintaining the Finctra service, managing subscriptions, and communicating with you.

9.4.3. Customer & Product Data (CRM & Inventory)

  • Description: Information you store regarding your clients (names, contact details) and products/services (descriptions, pricing, stock levels).

  • Retention Period: Retained for the duration of your active service agreement. This data is deleted upon account termination, except where it is directly associated with a financial record (e.g., a client listed on an invoice) that is subject to the legal retention period outlined in point 9.4.1.

  • Rationale: This data is integral to your business operations within the platform. Its retention is tied to its connection with legally mandated financial records.

9.4.4. Temporary Processing Data

  • Description: This refers only to the temporary copy of a document that is sent to our subprocessor for the sole purpose of data extraction (OCR). This does not affect the permanent record copy of the document that is stored securely in your workspace.

  • Retention Period: The temporary copy is immediately and permanently deleted from the processing service as soon as the structured data has been successfully extracted and returned to your workspace.

  • Rationale: Adherence to the principle of data minimisation under GDPR. This temporary copy is no longer required by the subprocessor after the analysis is complete, and deleting it enhances data privacy and security.

9.4.5. Anonymized Analytics & System Logs

  • Description: Usage data collected by services like Google Analytics and internal system logs used for security and debugging.

  • Retention Period: Anonymized or aggregated data used for service improvement may be retained indefinitely. User-identifiable system logs are retained for a limited period (typically 180 days) for security auditing and performance monitoring before being deleted.

  • Rationale: To monitor the health of our service, improve the user experience, and investigate security incidents.

You may request the deletion of your account and associated data at any time by contacting our support at security@finctra.io. Upon receiving a deletion request, we will permanently delete all data not subject to a mandatory legal retention period, as outlined above. Data that must be retained for legal compliance (i.e., Core Business & Financial Records) will be securely archived and will be permanently deleted once the legal retention period has expired.

10. AUDIT RIGHTS

10.1 Audit Access

Subject to this section 10, Service Provider shall make available to the Company on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Company or an auditor mandated by the Company in relation to the Processing of Company Personal Data.

10.2 Annual Audit Rights

Company may conduct at least one audit per year of Service Provider's data processing activities upon reasonable notice.

10.3 Audit Limitations

Information and audit rights of the Company only arise under section 10.1 to the extent that the Agreement does not otherwise give it information and audit rights meeting the relevant requirements of Data Protection Law.

10.4 Compliance Documentation

Service Provider shall maintain and provide documentation demonstrating compliance with this Agreement and applicable Data Protection Laws.

11. LIABILITY AND INDEMNIFICATION

11.1 GDPR and Privacy Law Liability

Service Provider shall be liable for damages caused by:

  • Non-compliance with applicable Data Protection Laws

  • Processing Personal Data outside the scope of lawful instructions

  • Failure to implement appropriate security measures

11.2 Confidentiality Breach

Service Provider shall indemnify Company for damages resulting from unauthorized disclosure of Company Confidential Information.

11.3 Commercial Liability

All other liability matters, including commercial liability, limitation of damages, and general indemnification, shall be governed by the Principal Agreement between the parties.

12. CONTACT US

If you have any questions about this Data Processing Agreement, please contact us at security@finctra.io.