Privacy Policy

FinVerify

Last updated: 16 January 2026

This Privacy Policy explains how PivotalPoint OÜ (“we”, “us”, “our”) collects, uses, and protects personal data when you use FinVerify (the “Service”).

By using the Service, you acknowledge that you have read and understood this Privacy Policy.

1. Data Controller

Legal entity: PivotalPoint OÜ
Country of incorporation: Estonia
Contact email: finverify@pivotalpoint.io

PivotalPoint OÜ acts as the data controller for personal data processed through the Service, except where we act as a processor on behalf of business customers using the API.

2. Categories of Data We Process

2.1 Account & Usage Data

  • Email address (if provided)
  • Authentication identifiers (e.g. Firebase user ID)
  • Usage metadata (timestamps, job identifiers, feature usage)
  • IP address or derived identifiers (e.g. hashed IPs for abuse prevention)

2.2 Uploaded Documents & Derived Data

  • Bank statement documents uploaded by users
  • Extracted and reconstructed financial data
  • Reconciliation results and verification metadata

The content of uploaded documents may include personal or financial information, depending on what the user submits.

2.3 Technical & Log Data

  • Processing logs
  • Error traces
  • Performance metrics
  • Audit metadata related to verification outcomes

3. Purpose of Processing

We process personal data strictly for the following purposes:

  • Providing and operating the Service
  • Processing uploaded documents and generating verification results
  • Maintaining auditability and integrity of verification outcomes
  • Preventing abuse, fraud, and misuse of the Service
  • Improving reliability, security, and performance
  • Providing customer support and responding to inquiries

We do not use uploaded documents or extracted data to train machine learning models.

4. Legal Basis for Processing

We process personal data based on one or more of the following legal grounds:

  • Performance of a contract (providing the Service)
  • Legitimate interests (security, abuse prevention, auditability)
  • Legal obligations (where applicable)
  • Consent, where explicitly obtained

5. Data Retention

5.1 Uploaded Documents & Extracted Data

Uploaded documents and derived data are retained only for as long as reasonably necessary to:

  • complete processing,
  • make results available to users,
  • support verification auditability,
  • ensure service integrity and abuse prevention.

Retention periods may vary depending on usage context (e.g. interactive use, API use, or support requests).

5.2 Audit & Processing Records

We retain processing metadata, reconciliation summaries, and audit logs on an append-only basis for operational integrity, dispute resolution, and compliance purposes.

These records may be retained independently of uploaded document files.

5.3 Deletion Requests

Users may request deletion of uploaded documents and associated data by contacting us, subject to legal, contractual, and operational requirements.

6. Data Sharing & Subprocessors

We do not sell personal data.

We may share data with trusted subprocessors solely to operate the Service, including:

  • Cloud infrastructure providers
  • Authentication and security services
  • Monitoring and logging providers

All subprocessors are bound by contractual obligations consistent with this Privacy Policy and applicable data protection laws.

A list of subprocessors is available upon request.

7. International Data Transfers

Data may be processed in countries where our service providers operate, including within the European Union and other jurisdictions with adequate data protection safeguards.

Where required, we rely on appropriate transfer mechanisms (e.g. Standard Contractual Clauses).

8. Security Measures

We implement appropriate technical and organizational measures to protect personal data, including:

  • Access controls and least-privilege principles
  • Secure cloud infrastructure
  • Encryption in transit where applicable
  • Monitoring and abuse detection mechanisms

No system can be guaranteed to be 100% secure, but we take data protection seriously.

9. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access your personal data
  • Request correction or deletion
  • Restrict or object to processing
  • Request data portability
  • Withdraw consent where applicable
  • Lodge a complaint with a supervisory authority

Requests can be made by contacting us at the email address below.

10. Business & API Customers

If you use FinVerify as a business or API customer, you may act as the data controller for documents you submit, with PivotalPoint OÜ acting as a data processor.

In such cases, additional contractual terms (e.g. a Data Processing Agreement) may apply.

11. Changes to This Policy

We may update this Privacy Policy from time to time.

Material changes will be communicated via the Service or by email. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

12. Contact

For privacy-related questions or requests, contact:

Email: finverify@pivotalpoint.io
Data Controller: PivotalPoint OÜ