Last updated: May 2026
Privacy Policy
This policy explains how Finlai processes personal data to provide its services.
1. Data controller
The data controller is German Parada Royo, with Spanish tax ID 46092822V, acting under the trade name Finlai.
- Address: Avenida Comandante Franco 27, 3B Izquierda, 28016 Madrid, Spain
- Privacy email: gparada@finlai.es
Finlai will process data in accordance with the GDPR, the LOPDGDD, and other applicable regulations.
2. Processing summary
Finlai processes data to create and maintain accounts, provide financial management, invoicing, and tax advisory services, process documents, handle support, manage payments, comply with legal obligations, protect service security, and send communications when a legal basis exists.
The Client must provide accurate data and have sufficient authorization or legal basis when adding third-party data, such as clients, suppliers, advisors, or invoice recipients.
3. Data processed
Depending on how Finlai is used, we may process identification, contact, account, authentication, billing, payment, economic activity, fiscal address, document, invoice, income, expense, tax, withholding, client, supplier, advisor, product, service, fiscal movement, communication, support, technical log, browsing, and OCR/AI result data, as well as data included in files uploaded by the Client.
4. Purposes, legal bases, and retention
| Purpose | Legal basis | Retention |
|---|---|---|
| Manage registration, account, authentication, and workspace. | Contract performance and pre-contractual measures. | While the account remains active. After closure, data may be blocked for 6 years if needed for contractual or legal liabilities. |
| Provide financial, document, tax, invoicing, and contracted human advisory features. | Contract performance, legal obligation compliance, and, for third-party data added by the Client, data processing on behalf of the Client. | During the service term. After cancellation, deletion, anonymization, or blocking for 6 years when data forms part of contractual, tax, accounting, or claims-defense documentation. |
| Process documents, OCR, AI, classifications, suggestions, alerts, and review candidates. | Contract performance and legitimate interest in improving service security, quality, and reliability, with safeguards. | During the service term. Results linked to documents or transactions will be kept according to the period applicable to that data. |
| Issue invoices and manage collections, payments, taxes, subscriptions, and unpaid amounts. | Contract performance and compliance with accounting, tax, and commercial obligations. | 6 years for commercial and invoicing documentation, unless longer legal periods or pending liabilities apply. |
| Handle support, incidents, queries, demos, or commercial requests. | Consent, pre-contractual measures, contract performance, or legitimate interest. | Once the request is resolved, blocked for 1 year unless it leads to a contract or claim. |
| Send operational, legal, technical, security, and billing communications. | Contract performance, legal compliance, and legitimate interest. | During the contractual relationship and for the period needed to evidence relevant communications. |
| Send newsletters, updates, and commercial communications. | Consent or legitimate interest for similar services to existing clients, with opt-out. | Until unsubscribe, objection, or withdrawal of consent. A minimal suppression list will be kept to avoid further sends. |
| Security, fraud prevention, technical logs, abuse detection, and incident investigation. | Legitimate interest and legal compliance where applicable. | Generally up to 12 months, unless investigation, legal obligation, or claim requires more. |
| Manage applications if Finlai receives CVs or job offers. | Consent and pre-contractual measures. | During the process and, after closure, 1 year unless objection or erasure is requested. |
5. Third-party data provided by the Client
The Client may upload data about clients, suppliers, advisors, contacts, invoice recipients, or other people. The Client must have sufficient legal basis to add them to Finlai and inform data subjects where applicable.
When Finlai processes that data on behalf of the Client, it acts as processor and uses it only to provide the service, following the Client’s instructions and applicable obligations.
Finlai may use providers acting as subprocessors when needed to provide the service, always under appropriate confidentiality, security, and data protection commitments.
6. Recipients and providers
Finlai will only share personal data with third parties when necessary to provide the service, handle a Client request, respond to a query, or comply with a legal obligation.
Data may also be shared with third-party collaborators when a legitimate interest exists in relation to the services offered and the disclosure may provide benefit or added value to the Client.
Companies providing services needed for Finlai’s ordinary, technical, and administrative activity may also access personal data, acting as processors or subprocessors where applicable. These services may include:
- Payment, collection, and payment processing services.
- Technology services, cloud hosting, database, storage, analytics, OCR, AI, authentication, support, and integrations.
- Tax, legal, accounting, financial advisors, and other professional collaborators needed to provide the contracted service.
- Authorities, courts, the Tax Agency, regulators, or public administrations when necessary to comply with legal obligations or valid requests.
Data may also be disclosed to the Client’s current advisor or other third parties when the Client expressly requests or authorizes it.
7. International transfers
Finlai will prioritize processing within the European Economic Area. If an international transfer is needed, it will be made with appropriate GDPR safeguards, such as an adequacy decision, standard contractual clauses, or another valid mechanism.
8. Automated decisions and AI
Finlai may use automated systems to read documents, categorize transactions, suggest tax treatment, generate alerts, or prepare drafts. Unless expressly stated otherwise, Finlai does not make decisions with legal or similarly significant effects based solely on automated processing without human intervention.
9. Rights
You may exercise your rights of access, rectification, erasure, objection, restriction, and portability, and your rights regarding automated decisions, where applicable. To do so, write to gparada@finlai.es indicating your identity, the right exercised, and the affected data.
Finlai will respond within a maximum of 1 month, extendable by 2 months in complex cases. You may also file a complaint with the Spanish Data Protection Agency at www.aepd.es.
10. Security
Finlai will apply reasonable technical and organizational measures to protect data against loss, unauthorized access, alteration, or disclosure. These measures may include access controls, encryption in transit, backups, incident logs, confidentiality for authorized personnel, and provider review.
11. Changes
This policy may be updated due to legal, technical, organizational, or functional changes.
12. Change of controller to Finlai S.L.
If the activity starts being provided by a company incorporated to continue Finlai, data subjects will be informed of the new controller, contact details, and, where applicable, continuity or assignment of the contractual relationship and associated processing.