Privacy Policy
Last updated: December 11, 2025
Table of Contents
- 1. Definitions
- 2. Our Role: Data Controller and Data Processor
- 3. Principles of Personal Data Processing by the Company
- 4. Legal Basis, Purposes and Scope of Processing Your Personal Data
- 5. Sources of Collection of Your Personal Data
- 6. Recipients of Your Personal Data
- 7. Duration of Personal Data Retention
- 8. Data Hosting and Transfer
- 9. Your Rights as a Data Subject
- 10. Exercising Your Rights and Obtaining More Information
This Privacy Policy (hereinafter the "Policy") governs the terms and conditions under which Holofin.ai, a company specializing in transforming financial data into actionable intelligence (hereinafter the "Company"), processes personal data in connection with the activities and services related to the operation of the website holofin.ai operated by the Company (hereinafter the "Site").
We take the protection of your personal data very seriously and want you to feel safe and comfortable when browsing our Site. We therefore respect the privacy of your personal data and always act in accordance with data protection legislation, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, hereinafter the "GDPR"), and follow this Policy.
In light of the above, the Company uses this Policy to inform you about how, for what purposes and to what extent the Company uses your personal data and what information about you as a Site user the Company may process.
1. Definitions
- Personal data: any information relating to an identified or identifiable natural person.
- Data controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Data subject: any identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Processor: the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2. Our Role: Data Controller and Data Processor
Depending on the context, our Company acts in different capacities under the GDPR:
As Data Controller
Our Company acts as the data controller when we determine the purposes and means of processing personal data. This includes:
- Processing personal data of visitors to our Site (browsing data, cookies, analytics);
- Processing personal data submitted through contact forms or demo requests;
- Processing personal data of our clients' representatives for account management and billing purposes;
- Marketing and communication activities.
In these cases, the remainder of this Policy applies in full, and you may exercise all rights described herein directly with us.
As Data Processor
Our Company acts as a data processor when our clients (the data controllers) use our Platform to process documents that may contain personal data. This includes:
- Financial documents uploaded by clients to the Platform (invoices, bank statements, receipts, etc.);
- Any personal data contained within these documents (names, addresses, account numbers, etc.);
- Data extracted and processed through our document intelligence services.
When acting as a data processor:
- We process personal data solely on behalf of and under the instructions of our clients;
- Our clients remain responsible for ensuring they have a lawful basis to process such data;
- Our processing activities are governed by a Data Processing Agreement (DPA) concluded with each client;
- Data subjects whose personal data is contained in client documents should exercise their rights directly with our client (the data controller).
3. Principles of Personal Data Processing by the Company
We always process your personal data lawfully, fairly, transparently and for specific, explicit and legitimate purposes. We process personal data only to the minimum extent necessary and store them in a form which permits your identification for no longer than is necessary for the purposes for which they are processed.
We process your personal data in a manner that ensures sufficient integrity and confidentiality, i.e., by appropriate technical or organisational measures and adequate protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. We ensure that personal data which are inaccurate, having regard to the purposes for which we process them, are erased or rectified without delay.
We respect the principle of limitation of personal data processing and the principle of data minimisation. We therefore only retain your personal data if this is necessary to achieve the purpose of the processing or for various retention periods specified by law. Relevant data is deleted in accordance with the law if the relevant purpose ceases to exist following the withdrawal of your consent and/or the expiry of the legal retention period.
For the above reasons, we use IT security measures such as a firewall and data encryption to operate our Site. We have implemented adequate physical, electronic and procedural safeguards and use reliable IT service providers. However, given the nature of the Internet, we draw your attention to the fact that certain security gaps may exist in the transmission of personal data via the Internet (e.g., in email communications) and that complete protection of personal data preventing access by third parties is impossible.
4. Legal Basis, Purposes and Scope of Processing Your Personal Data
Our Company may process your personal data on the following legal bases and for the following purposes:
- Provision, improvement and support of our Site: Our Company processes various information about your online activity, such as the time of access to our Site, time spent on our Site, conversions (i.e., activity completed on our Site), etc., for the purposes of technical support and improvement of our Site as well as monitoring its functionality (for more details on the extent of data processed, see Article 4 (c) - (d) of this Policy). For this purpose of personal data processing, our Company processes your personal data on the legal basis of legitimate interest (operation of the Site, statistical purposes and data security).
- Cookies: Our Company uses various cookie files, which may contain your personal data (e.g., your IP address or your browser and computer configuration). Our Company uses cookies based on your consent which you express through the cookie settings displayed in a banner during your first visit to our Site. This consent can be modified/withdrawn subsequently via your web browser settings (to the extent permitted by the respective browser).
- Contact form: If you use the contact form on our Site for your questions regarding our Company's services, we process the personal data you provide to the following extent: your name, email address, IP address, as well as any other personal data that the requester indicates in the body of the contact form. For these purposes of personal data processing, our Company processes your personal data on the legal basis of negotiation and performance of a contract (negotiation and performance of an agreement between our Company and yourself, including customer support) and legitimate interest (general, commercial and technical communication between our Company and yourself).
5. Sources of Collection of Your Personal Data
We collect your personal data from several sources:
- Data collected from you as the data subject: We primarily collect personal data about you that you voluntarily provide yourself (e.g., in consent to personal data processing) or data that we acquire in connection with your requests, comments, queries, etc.
- Cookies: Your personal data also comes from cookies, which are small text files created by the web server and saved to your computer via your browser. We use cookies in connection with your activity on our Site and with other online activities. Cookies help our Company make our online services more user-friendly, effective and secure, and can also be used to implement certain user features. Our Company uses the following types of cookie files: Persistent, Third-party.
- Web analytics tools: Our Site also uses online web analytics services and social plugins for the purposes of continuous optimization of the user interface and to maximize its user-friendliness. This automatically collected data is not linked to data from other sources. However, we reserve the right to check this data retrospectively if we are informed of a specific risk of abuse.
- Log files: Our Company and the providers hosting our Site use their databases to record data on each access to the server where our Site's online presentation is located. Thus, whenever you visit our Site, your web browser automatically sends certain information to the Site's server to enable communication between your browser and the server. This information is then recorded in log files. Log files mainly contain information about: the type, version and preferred languages of the browser you use; the type and version of your operating system; the website from which you arrived at our Site; the website you leave our Site from; your computer's IP address; the date, time and success of searching for our Site; the time you accessed the Site and how long you stayed there; the volume of data transmitted between the server and your computer; the number of visits and average time spent on our website. For security reasons, log file data is only retained for as long as necessary for the purpose of processing. If the given purpose for retaining log files no longer exists, the log files are deleted immediately. Data whose further retention is necessary for evidence reasons will not be deleted until the relevant case is closed.
- Umami Analytics: Our Company uses Umami Analytics, a privacy-focused, GDPR-compliant website analytics solution. Umami Analytics collects anonymized data about your use of our Site to help us improve the user experience. Unlike other analytics tools, Umami does not track individual visitors across sites and does not use cookies for tracking. All data collected is anonymous and aggregated, meaning no personally identifiable information is stored. Umami does not share or sell your data to third parties. For more information on how Umami protects your privacy, you can visit their website at https://umami.is/privacy.
- PostHog: We use PostHog on our website to understand user behavior and improve our service. PostHog helps us analyze website interactions, such as mouse movements, clicks, and scrolling, by installing cookies to collect anonymized data about user activity and device information (e.g., screen resolution and browser type). The information collected by PostHog is anonymized and does not identify individual users. We use this data to analyze usage patterns and improve the overall user experience.
If you are interested in the specific source of processing of your personal data, you can use the contact details provided below to submit your request to us.
6. Recipients of Your Personal Data
Subject to applicable legislation, our Company transmits your personal data, for the purposes of further processing, to third parties (recipients) who process the personal data under a data processing agreement.
In particular, these recipients fall into the following categories:
- entities of the corporate group to which our Company belongs;
- administrators of our Site;
- IT service providers and relay server operators;
- payment service providers;
- external legal advisors and debt collection agencies;
- social network operators;
- marketing software providers;
- law enforcement authorities, courts, administrative authorities when our Company is required to do so by legislation;
- selected partners who align with our business objectives and standards to provide you with enhanced services, personalized offers, or opportunities that may be of interest to you.
7. Duration of Personal Data Retention
We only process personal data for the period necessary to achieve the purpose of their processing. As soon as the purpose of the processing is achieved and there is no other purpose for which we would be authorized to process the personal data, we delete the personal data.
If you withdraw your consent to the processing of personal data or if the purpose of the processing ceases to exist, we will delete your personal data, unless there is another legal basis for their processing (e.g., legal retention obligations).
8. Data Hosting and Transfer
Data Hosting Location
All personal data and client documents processed through our Platform are hosted exclusively within the European Union. Our primary infrastructure is located in data centers within the EU, ensuring compliance with GDPR requirements for data localization.
Specifically:
- Client documents and extracted data are stored on servers located in the European Union;
- Our databases containing personal data are hosted within EU member states;
- Backups and redundant copies remain within the European Economic Area (EEA).
Transfer of Data to Third Countries
As a general principle, we do not transfer personal data outside the EEA. However, limited transfers may occur in the following exceptional circumstances:
- Use of certain third-party service providers for website analytics or communication tools that may process data outside the EEA;
- Technical support services that may require temporary access to data;
- At the explicit request of a client for specific business purposes.
When any transfer to third countries is necessary, we ensure that appropriate safeguards are in place to protect your personal data in accordance with the GDPR. These safeguards include:
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- Adequacy decisions where the European Commission has determined that a third country provides an adequate level of data protection;
- Other appropriate safeguards as required by applicable data protection laws.
For B2B clients requiring strict EU-only data processing, we can provide contractual guarantees confirming that their data will not be transferred outside the EEA under any circumstances. Please contact us to discuss your specific requirements.
9. Your Rights as a Data Subject
Under the GDPR, you have the following rights regarding your personal data:
- Right of access: You have the right to obtain confirmation as to whether or not personal data concerning you are being processed, and where that is the case, access to the personal data.
- Right to rectification: You have the right to obtain rectification of inaccurate personal data concerning you.
- Right to erasure ('right to be forgotten'): You have the right to obtain the erasure of personal data concerning you under certain circumstances.
- Right to restriction of processing: You have the right to obtain restriction of processing under certain circumstances.
- Right to data portability: You have the right to receive your personal data in a structured, commonly used and machine-readable format.
- Right to object: You have the right to object to processing of personal data concerning you.
- Right to withdraw consent: Where processing is based on consent, you have the right to withdraw consent at any time.
- Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority.
10. Exercising Your Rights and Obtaining More Information
If you wish to exercise any of your rights or obtain more information about the processing of your personal data, please contact us at:
Holofin.ai
Email: [email protected]
We will respond to your request within one month of receipt. If necessary, this period may be extended by two further months, taking into account the complexity and number of requests. We will inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.
If you are not satisfied with our response or believe that we are processing your personal data unlawfully, you have the right to lodge a complaint with the competent supervisory authority.