Privacy Policy – Finalyzer AI

Last updated: March 13, 2026

1. Introduction

This Privacy Policy explains how personal data are collected, used, and processed when users access or use Finalyzer AI.

Finalyzer AI is an online platform designed to extract and analyze financial information from business documents (currently focused on Italian bilancio documents).

The platform allows users to upload financial documents, extract structured financial information, and perform automated analysis.

This policy describes how personal data are processed in accordance with the General Data Protection Regulation (GDPR).

2. Data Controller

The Data Controller responsible for processing personal data is:

Andrea Di Carlo

Italy

Email: andrea@finalyzerai.com

Finalyzer AI is operated by Andrea Di Carlo.

3. Categories of Personal Data Processed

Finalyzer AI may process the following categories of data.

3.1 Account and Authentication Data

When users sign in using Google OAuth (through Supabase Auth), the platform processes:

  • name (if provided by the identity provider)
  • email address
  • account identifiers necessary for authentication
  • authentication/session metadata (such as tokens and related technical information)

These data are used exclusively to authenticate users and manage accounts.

3.2 Project and Workspace Data

When users create and manage projects or workspaces, the platform may store:

  • project metadata (for example project name and country)
  • document metadata (for example file name, processing status, timestamps)
  • structured financial rows extracted from documents
  • analysis outputs generated by the system

Financial data extracted from uploaded business documents typically refer to corporate financial information and may not constitute personal data unless the document contains identifiable information relating to natural persons.

3.3 Uploaded Document Data

Users may upload financial documents to perform extraction and analysis.

When a document is uploaded:

  • the system processes the document to extract relevant financial information
  • the source document may be temporarily processed during extraction

Uploaded source files are not intended to be permanently stored as original files in the application database.

However, data derived from extraction (such as structured financial rows or analysis outputs) may be stored in order to provide the platform functionality.

3.4 Extraction Debug Data (Admin Only)

For administrative users only, the platform may store technical debugging payloads associated with document extraction runs.

These payloads may include internal extraction traces or diagnostic information used to troubleshoot the extraction pipeline.

For non-admin users, these data are not stored as analysis payloads and are not returned in API responses.

3.5 AI Processing Data

To perform document extraction and classification, selected portions of text derived from uploaded documents may be transmitted to external artificial intelligence processing providers acting as data processors.

Currently, this includes:

  • OpenAI (via the OpenAI API).

Only the minimum text necessary to perform the requested analysis is transmitted.

According to OpenAI’s API policy, data submitted via the API are not used to train OpenAI models.

3.6 Technical and Usage Data

For operational, security, and maintenance purposes, the platform may process certain technical information automatically generated during use of the service.

This may include:

  • IP address
  • request timestamps
  • endpoint request metadata
  • browser or device technical information
  • system logs and error diagnostics

These data are used solely to maintain service reliability, security, and infrastructure stability.

4. Data Minimization

Finalyzer AI is designed following the principle of data minimization.

Uploaded documents are processed in order to extract relevant financial information. The platform is designed not to permanently store the original uploaded documents in the application database.

Only the minimum information necessary to provide the requested functionality is retained.

5. Purposes and Legal Bases (GDPR)

Personal data may be processed for the following purposes and legal bases:

  1. Account authentication and session management

    Legal basis: Art. 6(1)(b) GDPR — performance of a contract

  2. Workspace, document extraction, review, and financial analysis features

    Legal basis: Art. 6(1)(b) GDPR

  3. Platform security, abuse prevention, fraud detection, and incident management

    Legal basis: Art. 6(1)(f) GDPR — legitimate interest

  4. Compliance with legal obligations or lawful authority requests

    Legal basis: Art. 6(1)(c) GDPR

  5. Technical debugging, maintenance, and internal service improvement

    Legal basis: Art. 6(1)(f) GDPR

6. Nature of Data Provision

Providing the data required for authentication and service functionality is necessary to use Finalyzer AI.

If required data are not provided, some or all features of the platform may not be available.

7. Recipients and Processors

Finalyzer AI relies on trusted infrastructure providers to operate the platform.

These providers may process limited personal data necessary to provide their services.

Such providers may include:

Google

Authentication provider for Google OAuth login.

Supabase

Authentication infrastructure and database services.

OpenAI

Artificial intelligence processing for document extraction and classification.

Render

Hosting infrastructure for backend services.

Vercel

Hosting infrastructure for the frontend application.

Each provider processes data according to its own contractual and technical safeguards.

8. International Data Transfers

Some service providers may process data outside the European Economic Area (EEA).

Where such transfers occur, appropriate safeguards may be used, including Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms provided by the infrastructure provider.

9. Data Retention

Finalyzer AI applies the following retention principles:

Account data

Retained while the account is active and deleted or anonymized after account deletion, unless retention is required by law.

Project and extracted financial data

Retained for as long as necessary to provide the service and until the user deletes the relevant workspace or account.

Uploaded original files

Processed during extraction and not intended for permanent storage in the application database.

Technical logs

Retained only for the time necessary to ensure platform security, troubleshooting, and service continuity.

Where required by law, certain data may be retained for longer periods.

10. Automated Processing

Finalyzer AI uses automated processing to extract and classify financial rows from uploaded documents.

This processing is intended to assist users in analyzing financial documents and does not produce legal or similarly significant effects on individuals within the meaning of Article 22 GDPR.

Users can review and manually modify extracted results within the application interface.

11. Cookies and Tracking

Finalyzer AI does not use advertising cookies, tracking cookies, or third-party analytics tools.

Only strictly necessary technical mechanisms related to authentication and security may be used to operate the platform.

12. Data Security

The Data Controller implements reasonable technical and organizational measures designed to protect personal data from unauthorized access, disclosure, alteration, or destruction.

Security measures may include authentication controls, role-based access management, infrastructure isolation, and system monitoring tools.

However, no internet-based service can guarantee absolute security.

13. Data Subject Rights (GDPR)

Users located in the European Union may exercise the following rights under GDPR:

  • right of access
  • right to rectification
  • right to erasure
  • right to restriction of processing
  • right to object (where processing is based on legitimate interest)
  • right to data portability
  • right to lodge a complaint with a supervisory authority

Requests may be sent to:

support@finalyzerai.com

To protect user data, identity verification may be required when handling requests.

14. Supervisory Authority (Italy)

Users in Italy may lodge a complaint with:

Garante per la protezione dei dati personali

https://www.garanteprivacy.it/

15. Responsibility for Uploaded Content

Users are responsible for ensuring that they have the legal right to upload and process documents submitted through the platform.

Users should avoid uploading unnecessary personal data and should only upload information they are authorized to process.

16. Children's Data

Finalyzer AI is not intended for persons under 18 years of age.

If personal data of minors are processed unintentionally, users may contact the Data Controller to request prompt deletion where applicable.

17. Changes to This Policy

This Privacy Policy may be updated periodically.

Material changes may be communicated through the website or the application interface.

The "Last updated" date at the beginning of this document indicates the most recent revision.

18. Contact

For privacy requests or questions regarding this Privacy Policy:

support@finalyzerai.com