Privacy Policy
Last updated: 10 March 2026
1. General Information
This Privacy Policy describes how the company operating the Finecko service (“we”, “us”, or “the Company”) collects, uses, and protects personal data when you visit finecko.com or use any of our services.
The Company is established in Budapest, Hungary and acts as the data controller for personal data collected through this website. Our contact address for data protection matters is: [email protected].
This Policy is governed by Regulation (EU) 2016/679 (the General Data Protection Regulation, “GDPR”), Hungarian Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information, and Hungarian Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services.
Key definitions
- Personal data: any information relating to an identified or identifiable natural person (“data subject”).
- Data controller: the entity that determines the purposes and means of processing personal data. For data collected on this website, that is the Company.
- Data processor: an entity that processes personal data on behalf of the controller (e.g. our hosting provider, analytics provider).
- Processing: any operation performed on personal data — collection, storage, use, disclosure, deletion, etc.
- Consent: freely given, specific, informed, and unambiguous agreement to the processing of personal data.
2. Rights of the Data Subject
Under the GDPR you have the following rights in relation to your personal data. To exercise any of them, contact us at [email protected]. We will respond within 30 days.
- Right of access (Art. 15 GDPR): You may request a copy of the personal data we hold about you and information about how we use it.
- Right to rectification (Art. 16 GDPR): You may ask us to correct inaccurate or incomplete personal data.
- Right to erasure (Art. 17 GDPR): You may ask us to delete your personal data where there is no compelling reason for us to continue processing it.
- Right to restriction (Art. 18 GDPR): You may ask us to restrict processing of your data in certain circumstances, for example while we verify its accuracy.
- Right to data portability (Art. 20 GDPR): Where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21 GDPR): You may object to processing based on legitimate interests or for direct marketing purposes at any time.
- Right not to be subject to automated decisions (Art. 22 GDPR): We do not make solely automated decisions that produce legal or similarly significant effects.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
3. Types of Data Processing
3.1 Sign-up and Contact Form
When you submit our sign-up or interest form, we collect the information you provide in order to set up your account and contact you about next steps.
| Attribute | Details |
|---|---|
| Purpose | Processing sign-up requests, setting up customer accounts, and communicating with prospective and existing customers. |
| Data collected | First and last name, email address, company name, company website, selected plan. |
| Legal basis | Performance of a contract or pre-contractual steps (Art. 6(1)(b) GDPR). |
| Retention period | For the duration of the customer relationship plus 5 years to satisfy statutory accounting and record-keeping obligations. |
| Recipients | Company staff. Submission notifications are sent via the Slack API (Slack Technologies, USA) to our internal operations channel. Slack acts as a data processor under a Data Processing Agreement. |
3.2 Customer Banking Platform Data
When a financial institution (“Customer”) uses our managed Apache Fineract service, the Customer uploads and processes data about their own end-users as part of day-to-day banking operations (e.g. loan records, account data, transaction history).
In this context the Customer is the data controller and the Company acts as a data processor on the Customer’s behalf. We process such data solely on documented instructions from the Customer, in accordance with Article 28 GDPR. A Data Processing Agreement (DPA) is included in or available alongside the Customer’s service agreement.
Customers are responsible for ensuring their own end-users are informed about how their personal data is used, and for maintaining an appropriate legal basis for that processing.
3.3 Cookies and Website Analytics
Our website uses cookies and similar tracking technologies to understand how visitors use our site. We use Google Analytics 4 (GA4), loaded via Google Tag Manager, to collect anonymised usage statistics.
| Attribute | Details |
|---|---|
| Purpose | Website analytics: understanding visitor numbers, traffic sources, pages visited, and session behaviour to improve our site. |
| Data collected | Anonymised IP address, browser type and version, operating system, referring URL, pages visited, time on page, and session identifiers. |
| Legal basis | Legitimate interest in understanding and improving our website (Art. 6(1)(f) GDPR). IP addresses are anonymised before storage. |
| Retention period | Up to 14 months within Google Analytics. Cookie files on your device persist for up to 2 years. |
| Provider | Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data transfer is governed by Standard Contractual Clauses (SCCs) adopted by the European Commission. |
You can opt out of Google Analytics at any time by installing the Google Analytics opt-out browser add-on, or by managing cookie preferences in your browser settings.
4. International Data Transfers
Some of our service providers are located outside the European Economic Area (EEA). Where we transfer personal data to a country that does not provide an adequate level of data protection, we ensure appropriate safeguards are in place, specifically Standard Contractual Clauses (SCCs) approved by the European Commission pursuant to Art. 46(2)(c) GDPR.
| Recipient | Country | Purpose | Safeguard |
|---|---|---|---|
| Google LLC | USA | Website analytics (GA4 / GTM) | Standard Contractual Clauses |
| Slack Technologies LLC | USA | Internal sign-up notifications | Standard Contractual Clauses |
5. Data Security
We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:
- Encryption of data in transit using TLS.
- Encryption of data at rest on our infrastructure.
- Strict access controls and authentication requirements for staff.
- Regular review of security practices and access rights.
- Hosting on infrastructure within the European Union where possible.
Despite these measures, no system is entirely secure. If you believe your personal data has been compromised, please contact us immediately at [email protected].
6. Supervisory Authority and Enforcement
If you believe we are not processing your personal data lawfully, you have the right to lodge a complaint with the Hungarian supervisory authority:
Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH)
National Authority for Data Protection and Freedom of Information
Address: 1055 Budapest, Falk Miksa utca 9–11, Hungary
Phone: +36 1 391 1400
Website: www.naih.hu
Email: [email protected]
You may also bring a civil claim before the Budapest Metropolitan Court (Fővárosi Törvényszék) or the competent court in your place of residence or habitual abode.
We encourage you to contact us first at [email protected] — we aim to resolve any data protection concerns quickly and without the need for formal proceedings.
7. Data Breach Notification
In the event of a personal data breach, we will notify the NAIH without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Art. 33 GDPR.
Where a breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, as required by Art. 34 GDPR. Notification may be made by email to the address on file, or — if individual notification is not reasonably practicable — by a prominent notice on our website.
8. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page. Where required by law we will provide more prominent notice or seek your consent. We encourage you to review this page periodically.
Questions?
If you have any questions about this Privacy Policy or how we handle your personal data, please reach out to us.
[email protected]