Last updated: March 2026
This Privacy Policy explains how NoCFO Oy processes personal data when acting as a data controller in connection with its own business operations, customer relationships, and service maintenance. It also describes how we process personal data stored in the Service by our customers when we act as a data processor on their behalf.
When NoCFO processes personal data in connection with its own business operations, customer communications, service maintenance, or marketing, NoCFO acts as the data controller for that data. The data processed in this capacity relates to NoCFO's customers, service users, potential customers, and visitors to the service's websites and applications. This data is separate from personal data that customers store in the Service for bookkeeping or other purposes of their own, which is addressed separately in section 3 and in the Data Processing Annex.
As controller, NoCFO collects and processes basic information about customers and users, such as name and contact details, organisation information, billing and payment data, customer relationship communications, and contract documentation. We also process technical data related to the use of the Service, such as IP addresses, log data, session identifiers, device information, error messages, and other technical event data generated during use of the Service. We also use cookies on our websites and applications, which are described in more detail in our separate Cookie Policy.
Processing as controller is necessary for providing the Service, managing customer communications, maintaining customer relationships, developing the Service and our business, and for marketing purposes. The legal bases for processing are: the contractual relationship between the customer and NoCFO (Art. 6(1)(b) GDPR); NoCFO's legitimate interests in developing the Service and maintaining customer relationships (Art. 6(1)(f) GDPR); legal obligations such as retention requirements under accounting legislation (Art. 6(1)(c) GDPR); and in some cases, the data subject's consent (Art. 6(1)(a) GDPR), which may be withdrawn at any time.
Personal data processed as controller is retained for as long as necessary for the purposes for which it was collected. Data related to the customer relationship is deleted within three months of the end of the relationship, unless retention is required by law or NoCFO's legitimate interests. Consent-based data is deleted upon withdrawal of consent. NoCFO's own accounting records are retained for the period required by law.
NoCFO processes personal data in a technically and organisationally secure manner, and only to the extent necessary for delivering, maintaining, and developing the Service. This section does not apply to personal data stored in the Service by customers, which is processed under separate principles in accordance with section 3 and the Data Processing Annex.
When a customer uses the NoCFO Service to store personal data arising from financial management, bookkeeping, customer records, or other business activities, the customer acts as the data controller and NoCFO acts as the data processor (Art. 28 GDPR). The processing of such data is governed by the contractual relationship between the customer and NoCFO, including the Data Processing Annex, which applies to all processing carried out on the customer's behalf. NoCFO processes such data solely in accordance with the customer's documented instructions and to the extent necessary for delivering, maintaining, and securing the Service.
Personal data stored in the Service may include, for example, receipts, invoices, sales and purchase records, bank statements, and transaction data, as well as data originating from the customer's own customer register. Ownership of this data remains with the customer, and NoCFO does not use it for its own independent purposes without a contractual basis to do so.
As part of service development and automation improvement, NoCFO may process data stored in the Service for the purpose of analysing and improving the Service. This may include classification, modelling, or other development activities applied to receipts, documents, and transaction data. Such processing is based on NoCFO's legitimate interest in developing, maintaining, and improving the quality, automation, and reliability of the Service. It is always carried out in accordance with the contract and the Data Processing Annex, and NoCFO never uses data in a manner inconsistent with the customer's role as controller or with applicable legal obligations.
Processing carried out for service development purposes does not restrict the customer's rights over their own data, nor does it change the roles of controller and processor. NoCFO carries out such processing with technical and organisational measures ensuring a high standard of data protection and security.
NoCFO stores personal data primarily within the European Economic Area. Where personal data is transferred outside the EU or EEA through service providers, such transfers are always carried out at a level of data protection required by law, using measures such as Standard Contractual Clauses approved by the European Commission and the EU–US Data Privacy Framework where the recipient has joined that framework.
NoCFO uses trusted and authorised service providers to deliver and maintain the Service. These providers may include cloud infrastructure and hosting providers, customer support systems, payment services, open banking and bank connectivity providers (e.g. Salt Edge), business banking partners (e.g. Holvi), and technical infrastructure suppliers. Service providers may process personal data only to the extent necessary to perform the services they provide, and are subject to appropriate data protection obligations.
Personal data may also be disclosed to authorities where required by mandatory law or an official order. In connection with mergers, acquisitions, or similar arrangements, data may be transferred to the relevant parties while maintaining confidentiality at all times. Personal data may also be disclosed to third parties based on the explicit consent of the data subject.
Under the GDPR, you have the right to access the personal data NoCFO holds about you and to request its correction, deletion, or restriction of processing (Arts. 15–18 GDPR). In certain circumstances you may object to processing, in particular where it concerns direct marketing. You also have the right to receive your data in a structured, commonly used, and machine-readable format (Art. 20 GDPR), and to withdraw consent at any time without affecting the lawfulness of prior processing. Requests should be submitted to the controller with sufficient information to verify your identity. We will respond within 30 days in accordance with GDPR requirements.
NoCFO may send customers service-related notifications and marketing messages. You have the right to opt out of direct marketing at any time by contacting NoCFO or by using the unsubscribe option included in marketing messages.
NoCFO ensures the secure processing of personal data through technical, organisational, and administrative safeguards, including encryption in transit and at rest, access controls, regular security assessments, incident response procedures, and employee training. The goal is to ensure the confidentiality, integrity, and availability of data at all times. Personal data is only accessed by persons who require it for their work duties.
You have the right to lodge a complaint with a supervisory authority if you believe your personal data is being processed contrary to applicable data protection law. As NoCFO Oy is established in Finland, the lead supervisory authority is the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto), tietosuoja@om.fi, tietosuoja.fi. You may also lodge a complaint with the supervisory authority in your country of residence or where the alleged infringement took place. In Germany: Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI, www.bfdi.bund.de) or the relevant state authority (Landesbeauftragter für Datenschutz).
NoCFO uses artificial intelligence and machine learning to provide certain features, such as automated bookkeeping suggestions, transaction categorisation, and document analysis. These features are designed to assist you and do not replace your final decision-making. Your business data may be processed by AI systems solely for the purpose of delivering and improving the Service under strict technical and organisational safeguards. We do not use your personal data or business data for unrestricted AI model training or for purposes unrelated to the provision of the Service. Any use of data to improve or refine AI functionality is carried out in a manner consistent with applicable data protection law, our contractual obligations, and the principle of data minimisation. Where such processing occurs, it is based on our legitimate interest in maintaining and improving service quality (Art. 6(1)(f) GDPR), subject always to appropriate safeguards. No automated decision-making with significant legal or similarly significant effects on you is performed without your knowledge and, where required by law, your explicit consent.
To provide the Service, we engage trusted third-party subprocessors who may process personal data on our behalf. All subprocessors are bound by data processing agreements and are required to implement appropriate technical and organisational security measures. Our subprocessors include, but may not be limited to, the following categories: cloud infrastructure and hosting providers; payment processing providers; open banking and bank connectivity providers (e.g. Salt Edge); business banking partners (e.g. Holvi); analytics and product monitoring tools; customer support and communication platforms; and error tracking and logging services. We maintain an up-to-date list of subprocessors. You may request a copy by contacting us at info@nocfo.io. We will notify you of any material changes to our subprocessor list in advance where required by law.
NoCFO implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. These measures include: encryption of personal data in transit (TLS) and at rest; access controls and role-based permissions; regular security assessments and vulnerability scanning; incident response and breach notification procedures in compliance with Arts. 33–34 GDPR; employee training on data protection; data minimisation and pseudonymisation where feasible; and regular backups and business continuity measures. While we take all reasonable precautions, no system is completely secure. In the event of a personal data breach affecting your rights and freedoms, we will notify you and the relevant supervisory authority in accordance with our GDPR obligations.
Our website uses cookies and similar tracking technologies to ensure functionality, analyse usage patterns, and improve user experience. Cookies that are not strictly necessary are only set with your prior consent. For full details on the cookies we use, their purposes, and how to manage your preferences, please refer to our Cookie Policy at www.nocfo.de/cookies.
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. Where changes are material, we will notify you by email or by a prominent notice on our website prior to the changes taking effect. The date of the most recent revision is indicated at the top of this page. Your continued use of the Service after any changes constitutes your acknowledgement of the updated policy.