Last update: 18.11.2025
This privacy policy describes how NoCFO Oy processes personal data when acting as a data controller in connection with its own business, customer relationships, and service maintenance. It also describes how we process personal data stored by customers in the service when we act as a data processor on the customer's behalf.
When NoCFO processes personal data in connection with its own business, customer communications, service maintenance, or marketing, NoCFO acts as the data controller for that data. Data processed in this capacity relates to NoCFO's customers, service users, prospective customers, and visitors to NoCFO's websites and applications. This data is separate from personal data that customers store in the service for their own accounting or other purposes — data stored in the service is handled separately in accordance with Section 3 and the Data Processing Annex.
As a data controller, NoCFO collects and processes basic information about customers and users, including name and contact details, organisation information, billing and payment details, customer relationship communications, and contractual documentation. We also process technical data related to service usage, such as IP addresses, log data, session identifiers, device information, error messages, and other technical event data generated during use of the service. We additionally use cookies on our websites and applications, which are described in more detail in our separate Cookie Policy.
Processing personal data as a controller is necessary for providing services, managing customer communications, maintaining customer relationships, developing the service and our business, and for marketing purposes. The legal bases for processing are the contractual relationship between the customer and NoCFO, NoCFO's legitimate interest in developing the service and maintaining customer relationships, and legal obligations such as the retention requirements under the Accounting Act. In some situations, processing is based on the data subject's consent, which may be withdrawn at any time.
When acting as a controller, NoCFO retains personal data for as long as necessary for the purposes of processing. Data related to the customer relationship is deleted no later than three (3) months after the relationship ends, unless retention is required by law or NoCFO's legitimate interest. Consent-based data is deleted when consent is withdrawn. NoCFO's own accounting records are retained for the period required by law.
NoCFO processes personal data in a technically and organisationally secure manner, and only to the extent necessary for the delivery, maintenance, and development of the service. This section does not apply to personal data stored in the service by customers — that data is handled under separate principles in accordance with Section 3 and the Data Processing Annex.
When a customer uses the NoCFO service to store personal data arising from their financial administration, accounting, customer register, or other activities, the customer acts as the data controller and NoCFO acts as the data processor. The processing of such data is governed by the contractual relationship between the customer and NoCFO, and by the Data Processing Annex included therein, which applies to all processing carried out on the customer's behalf. NoCFO processes this data in accordance with the customer's documented instructions and only to the extent required for the delivery, maintenance, and security of the service.
Personal data stored in the service may include receipts, invoices, sales and purchase records, bank statements and transactions, and data originating from the customer's own customer register. Ownership of this data remains with the customer, and NoCFO does not use it for its own separate purposes without a contractual basis.
As part of service development and automation improvement, NoCFO may also process data stored in the service for the purpose of analysing and improving the service. This processing may include activities such as classification, modelling, machine learning training, or other development work applied to receipts, documents, and transaction data. Such processing is guided by NoCFO's legitimate interest in developing, maintaining, and improving the quality, automation, and reliability of the service. It always takes place in accordance with the contract and the Data Processing Annex, and NoCFO will never use data in a manner that conflicts with the customer's role as data controller or with obligations imposed by law.
Processing carried out for service development purposes does not limit the customer's rights to their own data, nor does it alter the allocation of roles between controller and processor. NoCFO carries out such processing in a technically and organisationally secure manner, ensuring a high standard of data protection and information security.
NoCFO stores personal data primarily within the European Economic Area (EEA). If personal data is transferred outside the EU or EEA through service providers, all such transfers are carried out in compliance with the level of data protection required by applicable law. For transfers outside the EEA, we use mechanisms such as Standard Contractual Clauses approved by the European Commission, and we utilise the EU–US Data Privacy Framework in cases where the recipient has joined the framework.
NoCFO uses trusted and authorised service providers for the production and maintenance of the service. These may include cloud services, customer support systems, payment services, and technical infrastructure providers. Service providers may process personal data only to the extent necessary for the performance of their services, and appropriate data protection obligations have been agreed with them.
Personal data may also be disclosed to authorities where such disclosure is required by mandatory legislation or an official order. In connection with business transactions or similar arrangements, data may be transferred to the relevant parties as necessary, always subject to confidentiality obligations. Personal data may also be disclosed to third parties on the basis of the data subject's explicit consent.
Data subjects have the right to obtain information about what personal data NoCFO processes about them, and to request the correction, deletion, or restriction of processing of that data. In certain situations, data subjects may object to the processing of their personal data, particularly where it relates to direct marketing. Data subjects also have the right to receive their data in a portable, structured format, and the right to withdraw their consent at any time.
Requests should be submitted to the data controller and must include sufficient information to verify the data subject's identity. We may decline requests that are unreasonably repetitive, excessive, or clearly unfounded.
NoCFO may send customers announcements about its services and other marketing communications. Data subjects have the right to prohibit direct marketing by contacting NoCFO or by using the unsubscribe option provided in marketing messages.
NoCFO ensures the secure processing of personal data through technical, organisational, and administrative safeguards. The aim is to ensure the confidentiality, integrity, and availability of data. Personal data is accessed only by those persons who are authorised to do so on the basis of their job responsibilities.
Data subjects have the right to lodge a complaint with a supervisory authority if they consider that personal data is being processed in violation of applicable data protection legislation. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman (tietosuoja.fi).