Back

Privacy Policy

Version 1.0 Published at: 11.04.2026

1. Who We Are

Fyntoo ("Service") is operated by Nadiia Linyvenko, a sole trader registered in Portugal (NIF: 333364600) ("we", "us", "our").

For privacy-related questions, contact us at: privacy@fyntoo.com

2. Roles Under This Policy

Fyntoo acts in two distinct roles depending on the data in question:

  • Data Controller — for personal data you provide when registering and managing your account (name, email, billing information).
  • Data Processor — for personal data contained in the documents you upload to the Service (e.g. supplier names, tax identification numbers extracted from invoices). In this role, we process such data on your behalf and under your instructions. The Data Processing Agreement incorporated into our Terms of Service governs this relationship.

3. What Data We Collect

Account data: email address, full name or company name, password (stored as a one-way hash).

Business data you provide: tax identification numbers (TIN/VAT) and names of counterparties (suppliers, clients) that you enter or that are automatically extracted from documents you upload.

Technical data: IP address, browser type, device identifiers, session tokens, and service log files.

Usage data: features accessed, pages visited, and timestamps of activity within the Service.

We do not collect special categories of personal data (Article 9 GDPR) and do not knowingly provide the Service to persons under 18.

4. How We Use Your Data

Purpose Legal basis
Providing the Service and managing your account Art. 6(1)(b) — performance of contract
Processing documents and data you upload Art. 6(1)(b) — performance of contract
Sending transactional emails (receipts, alerts, account notifications) Art. 6(1)(b) — performance of contract
Security monitoring and fraud prevention Art. 6(1)(f) — legitimate interests
Improving the Service through aggregated, anonymised analytics Art. 6(1)(f) — legitimate interests
Complying with legal and regulatory obligations Art. 6(1)(c) — legal obligation

We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects on you.

5. Who We Share Your Data With

We do not sell your personal data. We may share it only with:

  • Hosting and infrastructure providers — to operate and maintain the Service;
  • Payment processor (e.g. Stripe) — to handle subscription billing; they operate under their own privacy policy and are PCI-DSS certified;
  • Transactional email service — to deliver account notifications;
  • Legal and regulatory authorities — where required by applicable law.

All third-party processors are bound by data processing agreements and provide adequate safeguards for personal data.

6. International Data Transfers

Our infrastructure may involve transfers of personal data outside the European Economic Area (EEA). Where this occurs, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or other appropriate transfer mechanisms under Chapter V of the GDPR, to ensure your data remains protected.

7. Data Retention

Data category Retention period
Account data (name, email) Duration of account + 3 years after closure
Uploaded documents and extracted data Duration of account; deleted within 30 days of account closure
Technical and log data Up to 12 months
Billing records 10 years (Portuguese legal/accounting requirement)

After the applicable retention period, data is securely deleted or anonymised.

8. Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Right of access (Art. 15) — obtain a copy of your data;
  • Right to rectification (Art. 16) — correct inaccurate or incomplete data;
  • Right to erasure (Art. 17) — request deletion of your data where the conditions apply;
  • Right to restriction (Art. 18) — limit processing in certain circumstances;
  • Right to data portability (Art. 20) — receive your data in a machine-readable format;
  • Right to object (Art. 21) — object to processing based on legitimate interests;
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@fyntoo.com. We will respond within 30 calendar days. If your request is complex or numerous, we may extend this by a further two months and will inform you accordingly.

You also have the right to lodge a complaint with the Portuguese supervisory authority:

CNPD — Comissão Nacional de Proteção de Dados Rua de São Bento, 148–3.º, 1200-821 Lisbon, Portugal www.cnpd.pt

9. Data Security

We implement technical and organisational measures appropriate to the level of risk, including:

  • passwords stored as irreversible cryptographic hashes;
  • HTTPS encryption for all data in transit;
  • access controls limiting staff access to personal data on a need-to-know basis;
  • regular review of security practices.

No system is entirely secure. If you believe your account has been compromised, contact us immediately at privacy@fyntoo.com.

10. Business Succession

In the event of a business restructuring, incorporation, merger, or transfer of assets — including a conversion of the operating entity from a sole trader to a registered company — personal data held by Fyntoo may be transferred to the successor entity. Any such transfer will be conducted in compliance with applicable data protection law. Where required, you will be notified in advance.

11. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by email or via an in-app notice at least 30 days before they take effect. The "Last updated" date at the top of this page indicates when the current version was published.

12. Contact

For any privacy-related questions, data subject requests, or concerns:

Email: privacy@fyntoo.com Website: fyntoo.com

© 2026 Fyntoo. All rights reserved.