
GDPR Article 28 Compliant

Data Processing Agreement

This Data Processing Agreement ("DPA") establishes the terms under which FinPM processes personal data on behalf of its users in compliance with Article 28 of the General Data Protection Regulation (GDPR).

Effective Date: January 11, 2026

Legal Notice

This DPA is automatically incorporated by reference when you accept our Terms of Service. It governs our processing of your personal data as a data processor on your behalf. You, as the user, are the data controller for personal data you upload to FinPM.

Contents

  1. Definitions
  2. Scope and Purpose
  3. Data Subjects and Data Types
  4. Controller Obligations
  5. Processor Obligations
  6. Sub-Processors
  7. Security Measures
  8. Data Subject Rights
  9. Data Breach Notification
  10. Audit Rights
  11. Data Deletion and Return
  12. Contact Information

1. Definitions

For the purposes of this DPA:

  • "Controller" means you, the user who determines the purposes and means of processing personal data through the Service.
  • "Processor" means FinPM, which processes personal data on behalf of the Controller.
  • "Sub-processor" means any third party engaged by FinPM to process personal data.
  • "Personal Data" has the meaning given in GDPR Article 4(1).
  • "Processing" has the meaning given in GDPR Article 4(2).
  • "Data Subject" means an identified or identifiable natural person.
  • "Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.

2. Scope and Purpose

2.1 Scope

This DPA applies to all processing of personal data by FinPM on behalf of users in connection with the provision of our personal finance management service.

2.2 Purpose of Processing

FinPM processes personal data for the following purposes only:

  • Importing and storing financial account information
  • Parsing and categorizing financial transactions
  • Providing budget management and financial insights
  • Enabling household sharing features (with consent)
  • AI-powered transaction analysis and categorization
  • Generating financial reports and analytics

2.3 Duration

This DPA remains in effect for as long as the Processor processes personal data on behalf of the Controller, and terminates upon deletion of all personal data as described in Section 11.

3. Data Subjects and Data Types

3.1 Categories of Data Subjects

  • Users of the FinPM service
  • Household members (when household sharing is enabled)

3.2 Categories of Personal Data

Category            | Examples
--------------------|------------------------------------------------------------------------
Account Data        | Email address, name, preferences, authentication credentials (hashed)
Financial Data      | Account balances, transaction history, merchant information, categories
Usage Data          | Feature usage patterns, access logs, device information
AI Processing Data  | Transaction descriptions (for categorization purposes only)

3.3 Special Categories of Data

We do not intentionally collect special categories of personal data (Article 9 GDPR). However, financial transaction data may incidentally reveal information about health, religion, or other sensitive matters. We implement appropriate safeguards as described in Section 7.

4. Controller Obligations

As the Controller, you agree to:

  • Ensure you have a lawful basis for all personal data processing under Article 6 GDPR
  • Provide clear and complete information about processing purposes
  • Respond to data subject requests with our assistance
  • Notify us promptly of any changes to processing instructions
  • Ensure all household members provide informed consent to data sharing
  • Maintain appropriate security measures under your control
  • Ensure compliance with applicable data protection laws in your jurisdiction

5. Processor Obligations

FinPM, as Processor, commits to the following obligations in accordance with GDPR Article 28(3):

  • Documented Instructions: Process personal data only on your documented instructions, including transfers to third countries, unless required by EU or Member State law
  • Confidentiality: Ensure that all persons authorized to process personal data have committed themselves to confidentiality
  • Security: Implement appropriate technical and organizational measures as specified in Section 7
  • Sub-processing: Engage sub-processors only with your prior authorization and under written contracts imposing equivalent obligations
  • Assistance: Assist you in responding to data subject requests and in ensuring compliance with Articles 32-36 GDPR
  • Deletion: Delete or return all personal data upon termination, as specified in Section 11
  • Audit: Make available all information necessary to demonstrate compliance and allow for audits as specified in Section 10

6. Sub-Processors

The Controller authorizes the Processor to engage the following sub-processors for the processing of personal data:

Sub-Processor                     | Purpose                                      | Location                        | Safeguards
----------------------------------|----------------------------------------------|---------------------------------|-----------------------------------
Railway                           | Backend infrastructure and database hosting  | Amsterdam, Netherlands (EU)     | DPA, EU hosting
Google Cloud (Vertex AI — Gemini) | AI transaction categorization                | Belgium, EU (europe-west1)      | Google Cloud DPA, EU data residency
Vercel                            | Frontend hosting and edge functions          | Frankfurt, Germany (EU)         | DPA, EU hosting
Resend                            | Transactional email delivery                 | European Union region           | DPA, SCCs
Sentry                            | Error tracking and performance monitoring    | European Union region           | DPA, EU hosting

6.1 Sub-Processor Changes

We will notify you of any intended changes to sub-processors at least 30 days in advance. You may object to new sub-processors within 14 days of notification. If we cannot reasonably accommodate your objection, you may terminate the service.

7. Security Measures

FinPM implements appropriate technical and organizational security measures in accordance with GDPR Article 32:

7.1 Technical Measures

  • TLS 1.3 encryption for all data in transit
  • AES-256 encryption for data at rest
  • Encrypted database backups
  • Network segmentation and firewalls
  • Automated security patching
  • Real-time intrusion detection

7.2 Organizational Measures

  • Role-based access control
  • Principle of least privilege
  • Employee confidentiality agreements
  • Regular security awareness training
  • Documented incident response procedures
  • Regular security audits and assessments

7.3 Authentication

  • Secure password hashing (bcrypt)
  • Two-factor authentication support
  • Session management and timeout controls
  • Brute-force protection

8. Data Subject Rights Assistance

FinPM provides the following technical capabilities to assist Controllers in responding to data subject requests:

GDPR Right                  | How We Support
----------------------------|---------------------------------------------------------------------
Access (Article 15)         | Data export feature providing complete data in JSON/CSV format
Rectification (Article 16)  | Edit controls available for all personal data fields
Erasure (Article 17)        | Account deletion with cascade removal of all associated data
Portability (Article 20)    | Machine-readable data export in structured JSON format
Restriction (Article 18)    | Manual processing halt available upon request

9. Data Breach Notification

In the event of a personal data breach affecting your data, FinPM will:

  • Notify you without undue delay and in any event within 72 hours of becoming aware of the breach
  • Provide the following information as required by GDPR Article 33(3):
    • Nature of the breach, including categories and approximate number of data subjects affected
    • Name and contact details of our privacy contact
    • Likely consequences of the breach
    • Measures taken or proposed to address the breach
  • Cooperate with your investigation and assist with any regulatory notifications you are required to make
  • Document the breach in our internal breach register

Breach notifications will be sent to the email address associated with your account and through in-application notifications.

10. Audit Rights

The Controller has the right to verify FinPM's compliance with this DPA:

  • Documentation: We will provide documentation demonstrating compliance upon reasonable request (typically within 30 days)
  • Third-party audits: We may satisfy audit requests by providing relevant third-party audit reports or certifications
  • Scope: Audits shall be limited to processing activities and security measures related to personal data
  • Confidentiality: All audit activities are subject to confidentiality obligations

11. Data Deletion and Return

Upon termination of the service or upon your request:

  • Data Export: You may export all your personal data at any time through your account settings before termination
  • Deletion Timeline: Upon account deletion request, all personal data will be permanently deleted within 30 days, including from backup systems
  • Confirmation: We will provide confirmation of deletion upon request
  • Exceptions: Data may be retained where required by applicable law or to establish, exercise, or defend legal claims. We will notify you of any such retention.

12. Contact Information

For questions about this DPA or data protection matters:

Privacy and DPA Inquiries:
Email: privacy@finpm.eu
Response time: Within 30 days as required by GDPR

Data Breach Reports:
Email: security@finpm.eu
Response time: Within 72 hours

FinPM

© 2026 All rights reserved.

Last updated: January 2026

Contact: legal@finpm.eu