Privacy policy

1. Legal Notice

Controller: Finoditax Spółka z ograniczoną odpowiedzialnością, ul. Kawia 23, 42-202 Częstochowa, Poland · NIP: 9492250781 · REGON: 520205981 · KRS: 0000927391 · e-mail: info@finoditax.com.

Legal basis: Regulation (EU) No 2016/679 (“GDPR”); Act of 10 May 2018 on the Protection of Personal Data; Accounting Act; Tax Ordinance; Telecommunications Law (art. 173–174); Labour Code; Civil Code.

Applicability: The Policy is binding for finoditax.com and subdomains: my.finoditax.com, billing.finoditax.com, support.finoditax.com, help.finoditax.com. In case of conflicts, the provision offering greater protection to the data subject prevails.

2. Preamble and Legal Bases

This Policy sets the rules for processing personal data at Finoditax, including collection, recording, organisation, storage, adaptation, retrieval, consultation, use, disclosure, alignment, restriction, erasure and destruction (art. 4(2) GDPR). Processing is carried out on lawful bases (art. 6), in line with principles (art. 5), with implementation of security measures (art. 32), records (art. 30), DPIA (art. 35–36), notifications (art. 33–34), transfer restrictions (Ch. V), as well as accountability (art. 5(2), 24).

3. Definitions (art. 4 GDPR)

Term	Definition
Personal data	Information relating to an identified or identifiable natural person (art. 4(1)).
Processing	Any operation performed on data (art. 4(2)).
Controller	Determines the purposes and means of processing (art. 4(7)).
Processor	Processes on behalf of the controller (art. 4(8), 28).
Joint controllers	Jointly determine purposes/means (art. 26).
Data breach	An event causing loss of confidentiality/integrity/availability (art. 4(12)).
DPIA	Data Protection Impact Assessment (art. 35).
ROPA	Record of Processing Activities (art. 30).
TOMs	Technical and organisational measures (art. 32).

4. Principles and Lawfulness (art. 5–6)

lawfulness, fairness, transparency;
purpose limitation and data minimisation;
accuracy and currency;
storage limitation;
integrity and confidentiality;
controller accountability.

Bases: art. 6(1)(a–f); special categories — art. 9(2); automation — art. 22.

5. Scope and Subdomains

finoditax.com — corporate website (content, forms, marketing, cookies).
my.finoditax.com — client panel (accounts, reporting, document workflow).
billing.finoditax.com — billing and payments (invoices, transactions).
support.finoditax.com — support tickets, SLA, correspondence.
help.finoditax.com — knowledge base, behavioural metrics.

Data flows between subdomains

Mutual transfer is on a need-to-know basis; cross-domain SSO is limited; TLS 1.3 encryption and logging are used. For cross-domain scenarios, a DPIA is performed and datasets are minimised.

6. Roles of Controller and Processor

Finoditax acts as controller of personal data of website users and clients; as processor when performing accounting/HR services on behalf of clients. In the latter case, a processing agreement (art. 28) applies, covering purposes, duration, data categories, TOMs, subprocessing, audit, and data return/erasure.

7. Data Categories and Classification

Identification: first name, last name, company, NIP, REGON, KRS, PESEL, signature.
Contact: address, e-mail, phone, correspondence address.
Financial/Accounting: details, invoices, VAT/PIT/CIT, ZUS, reports.
HR (clients’): contracts, salary, leave, sick leave, employee’s bank account.
Technical: IP, cookies, user-agent, logs, tokens, connection parameters.
Correspondence/Support: tickets, letters, call recordings (with notice).
Marketing/Analytics: subscriptions, events, responses, identifiers.

8. Purpose–Legal Basis Matrix

Purpose	Data categories	Legal basis (GDPR)	Comment
Contract performance	identification, contact, accounting	art. 6(1)(b)	account creation, service delivery, client panel
Legal obligations	accounting, tax, HR	art. 6(1)(c)	Accounting Act; Tax Ordinance; ZUS
Legitimate interests	technical, correspondence	art. 6(1)(f)	security, support, evidence of communications
Marketing	contact, analytics	art. 6(1)(a)/(f)	consent for cookies/newsletters
Security	log data, IP, tokens	art. 6(1)(f), 32	logging, IDS/IPS, incident investigations

9. Data Sources and Legal Information (art. 13–14)

directly from the data subject (forms, contracts, client panel);
from Finoditax clients (under art. 28 processing for HR/accounting processes);
public registers (KRS, CEIDG, GUS);
government systems (ePUAP, PUE ZUS, KAS, e-Deklaracje);
automatically — cookies, logs, SDKs, e-mail tags.

Information under art. 13 is provided at the time of collection; under art. 14 — no later than 30 days or at first contact, or upon first disclosure to the recipient.

10. Retention Periods (extended table)

Category	Period	Basis
Accounting documents	5 years after the reporting year	Accounting Act, art. 74
Tax records	5 years after the tax year	Tax Ordinance, art. 70 §1
HR/payroll	10 years	Labour Code
Contracts and correspondence	3 years after end of service	art. 6(1)(f), Civil Code
Marketing	until withdrawal/max. 3 years	art. 6(1)(a)/(f)
Security logs	up to 12 months	art. 6(1)(f)
Backups	up to 90 days	art. 5(1)(e)

Upon expiry, secure deletion/anonimisation applies; backups are destroyed per the retention policy.

11. Recipients, Processors and Sub-processors

Public authorities: KAS, ZUS, Tax Office, courts (on legal grounds).
IT providers (hosting, CDN, mail services), banks/payment operators, legal/audit firms.
Analytics/marketing platforms — only with valid consent.
Internal Finoditax recipients — on a least-privilege basis.

Art. 28(3) GDPR agreements provide for: subject/duration, purposes and nature, data/subject categories, TOMs, authorised subprocessing, assistance with data subject rights (art. 12–23), return/erasure, audit.

12. International Transfers (Ch. V GDPR, SCC/DPF)

Transfers to third countries are permitted where: an adequacy decision applies (art. 45), appropriate safeguards exist (SCCs — art. 46), or under derogations (art. 49). For the U.S., the provider’s participation in the EU–US Data Privacy Framework and/or SCCs is required, with data minimisation and cryptographic protection.

13. TOMs: Technical and Organisational Measures (art. 32)

TLS 1.3 encryption in transit; AES-256 at rest; key management.
Multi-factor authentication, RBAC, least-privilege principle.
Activity logging (≥ 12 months), log integrity controls.
IDS/IPS, antivirus, CSP; XSS/CSRF/SQLi protection; environment isolation.
Backups (up to 90 days), regular restore tests.
Staff training, NDAs, password policy, phishing simulations.

14. Cookies, Analytics and Marketing — extended table

Consent for cookies is requested via a banner (art. 173–174 Telecommunications Law). Category management is available in “Cookie settings”.

Category	Purpose	Examples	Period	Basis
Necessary	sessions, security, authorisation	session_id, XSRF-TOKEN	session	art. 6(1)(b)/(f)
Functional	UI preferences	ui_theme, locale	up to 12 months	art. 6(1)(f)
Analytics	metrics, conversions	_ga, _ga_*, _gid	up to 24 months	art. 6(1)(a)
Marketing	remarketing, ad effectiveness	_fbp, _gcl_au	up to 180 days	art. 6(1)(a)

15. DSAR Procedures (data subject rights)

Submitting a request: e-mail info@finoditax.com or post (ul. Kawia 23, 42-202 Częstochowa).
Identity verification: clarification of data/contact methods.
Response time: 30 days; extension up to 60 if complex (art. 12(3)).
Form of provision: electronic/written, machine-readable (for portability).
Refusal/limitation: where legal impediments exist, with notice and the right to complain to UODO.

Access: art. 15; rectification: art. 16; erasure: art. 17; restriction: art. 18; portability: art. 20; objection: art. 21; automation: art. 22 (not applied).

16. Incidents, 72-hour Notification, Register

Logging and isolating the incident; assessing risk and scope.
Notification to UODO ≤ 72 hours (art. 33); notifying data subjects where high risk (art. 34).
Root-cause remediation, prevention, training, TOMs updates.
Maintaining a breach register and reporting.

17. DPIA/ROPA and Accountability

Finoditax maintains a ROPA (art. 30), conducts DPIAs (art. 35) for high-risk processes (large-scale processing, cross-domain integrations, clients’ employee data), documents risks, measures and residual risk; consults UODO where necessary (art. 36). Accountability — art. 5(2), 24.

18. Changes, Conflicts, Priorities

A new version takes effect upon publication. In case of conflict, the provision ensuring greater protection of the data subject prevails. The invalidity of any provision does not affect the validity of the remainder (severability).

19. Contacts and Supervisory Authority

Finoditax Sp. z o.o. · ul. Kawia 23, 42-202 Częstochowa, Poland · NIP: 9492250781 · REGON: 520205981 · KRS: 0000927391 · e-mail: info@finoditax.com · finoditax.com

UODO — Urząd Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warszawa · +48 22 531 03 00 · uodo.gov.pl