Privacy Policy – Datenschutzerklärung

Last updated: March 2026

1. Controller Details

The controller responsible for the processing of personal data on this website within the meaning of the General Data Protection Regulation (GDPR) is:

NoCFO Oy
Otakaari 7
02150 Espoo
Finland
Finnish Business ID (Y-tunnus): 3149769-7
Email: info@nocfo.io
Website: www.nocfo.de

2. Contact Details and Data Protection Officer

For all data protection enquiries, you may contact us directly:

Responsible person: Teemu Karuluoto
Email: info@nocfo.io
Data Protection Officer (DPO): [DPO NAME OR EXTERNAL DPO SERVICE]
Email: [DPO EMAIL ADDRESS]

If you have questions about how your personal data is processed, or wish to exercise your rights under the GDPR, please contact us using the details above.

3. Types of Personal Data Collected

We collect and process the following categories of personal data depending on your use of our services:

Account data: name, email address, company name, role, and login credentials.
Billing and payment data: invoicing address, VAT number, and payment transaction references. We do not store full payment card details.
Financial and accounting data: bank transactions, receipts, invoices, bookkeeping entries, and related business documents that you upload or connect to the Service.
Usage data: IP address, browser type, operating system, pages visited, session duration, and interaction logs collected via cookies and analytics tools.
Communication data: messages, support tickets, and correspondence you send to us.
Onboarding and configuration data: preferences, settings, and data entered during account setup.

4. Purposes and Legal Bases of Processing (Art. 6 GDPR)

We process personal data for the following purposes and on the following legal bases under Article 6 GDPR:

Provision of the Service (Art. 6(1)(b) GDPR): Processing necessary for the performance of our contract with you, including account management, service delivery, and customer support.
Legal obligations (Art. 6(1)(c) GDPR): Processing required to comply with applicable law, including tax, accounting, and regulatory obligations.
Legitimate interests (Art. 6(1)(f) GDPR): Processing necessary for our legitimate interests, including fraud prevention, service security, product improvement, and internal analytics, provided such interests are not overridden by your fundamental rights.
Consent (Art. 6(1)(a) GDPR): Where you have given explicit consent, for example for marketing communications or optional analytics. You may withdraw consent at any time without affecting the lawfulness of prior processing.

5. Data Processing as Processor (Art. 28 GDPR)

When you use NoCFO to store and process your business data — including financial records, customer invoices, transaction data, or employee-related documents — you act as the data controller for that data and NoCFO acts as your data processor under Article 28 GDPR. In this capacity, NoCFO processes such data exclusively on your documented instructions and for the purpose of providing, maintaining, and securing the Service. NoCFO does not use your business data for its own independent commercial purposes beyond what is strictly necessary for service delivery. A Data Processing Agreement (DPA) is available and forms part of our Terms of Service. By using the Service, you acknowledge and accept the terms of our DPA.

6. AI Features and Automated Processing

NoCFO uses artificial intelligence and machine learning to provide certain features, such as automated bookkeeping suggestions, transaction categorisation, and document analysis. These features are designed to assist you and do not replace your final decision-making. Your business data may be processed by AI systems solely for the purpose of delivering and improving the Service under strict technical and organisational safeguards. We do not use your personal data or business data for unrestricted AI model training or for purposes unrelated to the provision of the Service. Any use of data to improve or refine AI functionality is carried out in a manner consistent with applicable data protection law, our contractual obligations, and the principle of data minimisation. Where such processing occurs, it is based on our legitimate interest in maintaining and improving service quality, subject always to appropriate safeguards. No automated decision-making with significant legal or similarly significant effects on you is performed without your knowledge and, where required by law, your explicit consent.

7. Subprocessors and Third Parties

To provide the Service, we engage trusted third-party subprocessors who may process personal data on our behalf. All subprocessors are bound by data processing agreements and are required to implement appropriate technical and organisational security measures. Our subprocessors include, but may not be limited to, the following categories:

Cloud infrastructure and hosting providers (e.g. for data storage and compute)
Payment processing providers
Open banking and bank connectivity providers (e.g. Salt Edge)
Business banking partners (e.g. Holvi)
Analytics and product monitoring tools
Customer support and communication platforms
Error tracking and logging services

We maintain an up-to-date list of subprocessors. You may request a copy by contacting us at info@nocfo.io. We will notify you of any material changes to our subprocessor list in advance where required.

8. International Data Transfers

NoCFO stores and processes data primarily within the European Economic Area (EEA). Where personal data is transferred to countries outside the EEA by our subprocessors or service partners, we ensure that such transfers are subject to appropriate safeguards in accordance with Chapter V GDPR, including:

Standard Contractual Clauses (SCCs) approved by the European Commission
The EU-US Data Privacy Framework (DPF), where applicable
Adequacy decisions by the European Commission

You may request further information on the specific safeguards applied to international transfers by contacting us at info@nocfo.io.

9. Retention Periods

We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by applicable law:

Account and service data: retained for the duration of your subscription and deleted within 90 days of account termination, unless you request earlier deletion or extended retention is required by law.
Financial and accounting records: retained for up to 10 years where required by Finnish or EU accounting and tax legislation.
Communication and support data: retained for up to 3 years from the date of last contact.
Usage and analytics data: retained in identifiable form for up to 24 months, after which it is anonymised or deleted.
Consent records: retained for as long as the consent remains active, and for a reasonable period thereafter as evidence of consent.

Upon expiry of the applicable retention period, personal data is securely deleted or anonymised in a manner that prevents reconstruction.

10. Your Rights as a Data Subject

Under the GDPR, you have the following rights with respect to your personal data. These rights may be subject to certain conditions and exceptions under applicable law:

Right of access (Art. 15 GDPR): You have the right to obtain confirmation of whether we process your personal data and to receive a copy of the data we hold about you.
Right to rectification (Art. 16 GDPR): You have the right to request correction of inaccurate or incomplete personal data.
Right to erasure (Art. 17 GDPR): You have the right to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, or where you have withdrawn consent.
Right to restriction of processing (Art. 18 GDPR): You have the right to request that we restrict the processing of your personal data in certain circumstances.
Right to data portability (Art. 20 GDPR): You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
Right to object (Art. 21 GDPR): You have the right to object to processing based on legitimate interests or for direct marketing purposes, at any time.
Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of the above rights, please contact us at info@nocfo.io. We will respond without undue delay and in any event within one month of receiving your request, as required by Art. 12(3) GDPR. We may request proof of identity before fulfilling your request.

11. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data infringes the GDPR. As NoCFO Oy is established in Finland, the lead supervisory authority is:

Tietosuojavaltuutetun toimisto (Office of the Data Protection Ombudsman)
Website: tietosuoja.fi
Email: tietosuoja@om.fi
Address: PO Box 800, FI-00521 Helsinki, Finland

You may also lodge a complaint with the supervisory authority in the EU member state where you habitually reside or work, or where the alleged infringement took place. For Germany, the relevant authority is the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) or the respective state authority (Landesbeauftragter für Datenschutz).

12. Security Measures (Art. 32 GDPR)

NoCFO implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. These measures include:

Encryption of personal data in transit (TLS) and at rest.
Access controls and role-based permissions to restrict data access to authorised personnel only.
Regular security assessments, vulnerability scanning, and penetration testing.
Incident response procedures and data breach notification processes in compliance with Art. 33–34 GDPR.
Employee training on data protection and information security.
Data minimisation and pseudonymisation where technically feasible.
Regular backups and business continuity measures.

While we take all reasonable precautions, no system is completely secure. In the event of a personal data breach affecting your rights and freedoms, we will notify you and the relevant supervisory authority in accordance with GDPR obligations.

13. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies to ensure the functionality of the site, analyse usage patterns, and improve user experience. Cookies that are not strictly necessary are only set with your prior consent. For detailed information on the cookies we use, their purposes, and how to manage your preferences, please refer to our Cookie Policy at www.nocfo.de/cookies.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. Where changes are material, we will notify you by email or by a prominent notice on our website prior to the changes taking effect. The date of the most recent revision is indicated at the top of this page. We encourage you to review this policy periodically. Your continued use of the Service after any changes constitutes your acknowledgement of the updated policy.
