Privacy Policy

Effective date: 28 September 2025
Last updated: 28 September 2025

This Privacy Policy explains how Hola Finance ("Hola Finance", "we", "us", "our") processes personal data. We wrote this to be thorough so that it covers common and edge‑case scenarios, including support and engineering access for incident resolution. If anything here conflicts with mandatory law, the law prevails.

Quick summary (non‑binding)

We are based in Spain and comply with the EU GDPR.

We act as Controller for our website, account admin, billing, support, security, and marketing. We act as Processor for workspace data you upload/connect (invoices, expenses, files, mailbox imports, accounting/banking connections).

We store data in the EU (preference for Germany) and may use EU subprocessors; when transfers occur outside the EEA, we use Standard Contractual Clauses (SCCs) and safeguards.

We encrypt data in transit; passwords, API keys, and tokens are encrypted at rest. Other business records may not be encrypted at rest but are protected by access controls and infrastructure security.

After account closure, we anonymize workspace data where possible and keep the minimum identifiers needed to meet legal/audit/suppression obligations (first name, last name, email).

Controller:

Harrison Spink (Tax ID: Y8624202K)

Trading name: Hola Finance

Address: Calle Granada 7, Vélez Rubio, 04820, Spain

Email: [email protected]

1. Scope & roles

Scope. This policy applies to our website, apps (including NativePHP mobile apps), APIs, and related services.

Roles.

  • Controller. We are Controller for account creation, billing and collections, security monitoring, abuse prevention, service communications, and our marketing.
  • Processor. For the content you upload or connect to your workspace (e.g., invoices, expenses, files, mailbox imports, accounting and banking data), we process as your Processor under Art. 28 GDPR. A summary DPA is in §16, and a signed DPA is available on request.

Your responsibilities as Controller. When you process personal data about your clients, suppliers, payers, and employees in Hola Finance, you (not Hola Finance) determine the purposes and means for that dataset. You are responsible for: providing notices to those data subjects, choosing a lawful basis, and responding to their rights requests; we will assist where proportionate.

2. What we collect

We only collect what is necessary to deliver and secure the service; some data is optional or collected only when you enable an integration.

2.1 Identity & account

  • First name, last name, email (minimum set we may retain post‑deletion for compliance logs and suppression lists)
  • Phone (optional), company name, role/title, country
  • Password (hashed), MFA/2FA secrets, session identifiers, API tokens
  • Billing profile, subscription plan, invoices/statements, payment status

2.2 Workspace/business content (you provide or connect)

  • Invoices & expenses (line items, amounts, taxes, currencies, dates) and attachments (images/PDFs)
  • Shared folders you connect and the files within those specific paths
  • Mailbox access you enable (designated folders/filters) to fetch invoices/receipts
  • Local folder connector/desktop agent (if enabled): we access only the specific folder you choose
  • Accounting: Xero, QuickBooks, FreeAgent connections and data you authorize
  • Open banking: transactions/balances via Plaid, as authorized by you
  • Payments: access tokens for Stripe, PayPal, GoCardless (we do not see card/PIN details)
  • Exchange rates: lookups via OpenExchange

2.3 Communications & support

  • Emails (headers/body), inbound/outbound processing logs (Postmark)
  • Live chat transcripts and metadata (Crisp), support tickets, call notes
  • WhatsApp/SMS messages you send us (through WhatsApp/Vonage/Nexmo), timestamps and metadata

2.4 Device, technical & usage

  • IP address, country/city approximations from IP, device & browser attributes, language, app version
  • Authentication and security events (success/failure, risk signals)
  • Error and performance telemetry, API usage metrics

2.5 Free tools on our website

  • For the free invoice tool: IP address, name, email, invoice amount (for delivery and anti‑abuse)

2.6 Avoid special categories

We do not intentionally collect special category data (e.g., health, beliefs). Please avoid uploading it unless it is strictly contained in business records (e.g., a receipt) and necessary for your processing.

3. Purposes & legal bases

We map each purpose to a lawful basis under the GDPR (Art. 6). Where multiple bases may apply, we rely on the most appropriate one for the context.

| Purpose | Examples | Legal basis |
| --- | --- | --- |
| Provide & operate the service | Create workspaces; process invoices/expenses; connectors; search; export; notifications | Contract (Art. 6(1)(b)) |
| Payments & billing | Manage subscriptions; issue invoices to you; handle late payments | Contract; Legal obligation (tax) |
| Security & fraud | MFA, anomaly detection, rate‑limiting, abuse prevention; audit logs | Legitimate interests; Legal obligation |
| Support & incident response | Read minimum necessary logs/records to reproduce or fix an issue | Legitimate interests; Contract |
| Integrations you enable | Plaid, Xero, QuickBooks, FreeAgent; payment processors; OpenExchange | Contract; Consent where required by the integration |
| Analytics (privacy‑preserving) | Aggregated/anonymous metrics, service health; we may share raw numbers across customers without demographics | Legitimate interests |
| Legal & compliance | Accounting/tax record‑keeping; regulatory submissions (e.g., systems like Veri*factu if you request) | Legal obligation |
| Marketing & product updates | Customer emails about features; newsletters if opted in | Legitimate interests (soft opt‑in) or Consent |

We do not carry out automated decision‑making with legal or similarly significant effects (§16).

4. Sources of data

  • You: data you enter or upload; folders/mailboxes you explicitly connect.
  • Your systems & providers: accounting/banking/payment services you authorize.
  • Your users & counterparties: your clients/suppliers/payers who appear on invoices or who contact support.
  • Automatically: logs/telemetry created by your use of the service.

5. Special cases (accountants & tax authorities)

At your request, we will share or submit data to:

  • Your accountant (or a firm you link in the dashboard). Your accountant acts as an independent Controller under their agreement with you. If an accountant requests data via our dashboard, they must attest they have authority; they are responsible for the truthfulness of that attestation.
  • Tax authorities/platforms (e.g., systems like Veri*factu, depending on your country). We transmit only the data you instruct us to submit.

6. Subprocessors (register)

We do not sell personal data. We use vetted providers under Art. 28 agreements. Processing locations are in the EEA unless noted, with SCCs and safeguards for extra‑EEA processing.

| Provider | Role / data processed | Typical location |
| --- | --- | --- |
| Laravel Cloud (incl. AWS, Cloudflare object storage) | App hosting, databases, object storage, CDN | EU regions (preference: Germany) or SCCs if outside |
| Hetzner | Object storage, backups, failover infrastructure | EU (primarily Germany) |
| Backblaze | Encrypted off‑site backups; replication to our local facility | EU/EEA; SCCs where applicable |
| OpenAI (API) | Assistive extraction/classification of receipts/expenses; prompts minimized/redacted where feasible; no model training on your data per our instructions | EEA/US with SCCs |
| Postmark | Inbound/outbound email processing and delivery | EU/US with SCCs |
| Microsoft 365 | Support/CS email, docs and spreadsheets | EU/US with SCCs |
| Crisp | Live chat widget and helpdesk | EU/EEA |
| Vonage/Nexmo; WhatsApp (Meta) | SMS/WhatsApp transport if you contact us | EEA/US with SCCs |
| Stripe, PayPal, GoCardless | Your customers' payments to you; we store tokens, not full card data | EEA/US/UK with SCCs/adequacy |
| Plaid | Open banking (transactions/balances) when enabled | EU/US/UK with SCCs/adequacy |
| Xero, QuickBooks, FreeAgent | Accounting integrations you enable | EEA/US/UK/NZ with SCCs/adequacy |
| OpenExchange | Exchange‑rate lookups | EEA/US with SCCs |

Changes. We may update subprocessors. For material changes/additions, we will provide at least 30 days' notice in‑app and/or by email, so you can object or disable the affected integration. Where an objection cannot be resolved, your remedy is to disable the integration or terminate the affected service.

7. Where we process data & international transfers

We store data in the EEA (preference: Germany). Some providers may process data outside the EEA. When that happens, we use SCCs (and additional measures if needed). You may request copies of relevant SCCs (redacted for confidentiality).

8. Security measures

We maintain administrative, technical, and organizational measures appropriate to risk, including:

  • Transport security: TLS, HSTS; modern ciphers; certificate management.
  • Encryption at rest: passwords, API keys, OAuth tokens, and other secrets. Business records (e.g., invoice PDFs) may not be encrypted at rest but are protected by access controls.
  • Access controls: role‑based access, least privilege, periodic access reviews, mandatory staff MFA/SSO.
  • Network security: segmentation, firewalls, WAF/CDN, DDoS protections.
  • Vulnerability & patch management: regular patching, dependency monitoring, third‑party vulnerability intel.
  • Backups: encrypted backups; restore testing; geographically separate storage.
  • Secure development: code review, secret scanning, CI checks; synthetic/masked data in lower environments.
  • Monitoring & logging: security event logging and anomaly detection; tamper‑resistant logs.
  • Incident response: runbooks, on‑call rotation, breach notification procedures (see §18).

9. Access by support & engineering (break‑glass)

Sometimes we must access limited data to reproduce, diagnose, or fix an issue you report, or to investigate security incidents. We apply:

  • Just‑in‑time, least‑privilege access with time‑bound approvals.
  • Ticket‑linked access: access requires a support ticket/incident reference specifying scope and purpose.
  • Audit logging of privileged actions; periodic review.
  • Confidentiality: staff and contractors are bound by confidentiality and complete security training.
  • Data minimization: we prefer masked/synthetic data; if production samples are strictly necessary, they are minimized, separately stored, and promptly deleted after use.

10. Data retention & deletion

We keep data only as long as necessary for the purposes described above or as required by law. Typical schedules:

10.1 Operational

  • Active customers: retained for the life of the account.
  • Closed accounts: we start deletion/anonymization within 30 days unless legal retention requires longer.
  • Backups: point‑in‑time backups are retained on rolling schedules (typically up to 90 days) and then overwritten.

10.2 Legal retention (Spain/EU)

  • Accounting/business records: 6 years from the last entry (Spanish Commercial Code, Art. 30).
  • Tax/VAT invoices & supporting docs: generally 4 years (General Tax Law statute of limitations).
  • Anti‑money laundering (if applicable in the future): up to 10 years for AML records.

If two periods apply, we keep the longer one for that record type. Where possible, we anonymize data while retaining what is strictly required to demonstrate compliance.

10.3 Post‑deletion minimal identifiers

After account deletion, we retain the minimum necessary identifiers (first name, last name, email) in:

  • Audit and payment records we are legally required to keep.
  • Suppression lists to ensure we honor marketing opt‑outs.
  • Security logs for fraud/abuse detection for a limited period (typically up to 12 months).

10.4 Destruction

When retention periods expire, we securely delete or anonymize data. Media‑level destruction follows provider practices; logical deletion removes records from active systems and, over time, from backups as they roll off.

11. Your rights (GDPR)

You can contact us at [email protected] to:

  • Access or export your data.
  • Correct inaccuracies. (We cannot change already‑issued invoices except via lawful adjustments/credit notes.)
  • Delete data (subject to the retention above).
  • Object to or restrict processing (e.g., marketing).
  • Port data to another provider.

We will respond within one month (extendable by two further months for complex requests, with notice). We will verify your identity and may ask for additional details to locate the data.

12. Children

Our services are designed for businesses and professional users. While anyone can technically sign up, we do not knowingly collect data from children under 16 without appropriate consent. If we learn that such data was provided without proper consent, we will delete it.

13. Cookies & tracking

  • Strictly necessary: session/authentication, CSRF, load‑balancing.
  • Support/communications: live‑chat cookies if you open the widget.
  • Analytics: aggregated, privacy‑preserving metrics; no cross‑site advertising cookies.

You can control cookies in your browser; essential cookies are required for core functionality.

14. Mobile & local connectors

  • Camera: optional, to scan/attach receipts.
  • Local folder connector: scope is limited to the path you specify; you can revoke it at any time.

15. Integrations & API

You choose which integrations to connect (Plaid, Xero, QuickBooks, FreeAgent, Stripe, PayPal, GoCardless, OpenExchange, etc.).

Our API requires your own token and does not expose your personal data to third parties unless you authorize them.

When you instruct us to send data to an accountant or tax authority, we act as your Processor for that operation. The recipient (e.g., your accountant) is a separate Controller under their own terms with you.

16. Automated decision‑making

We do not perform automated decision‑making that produces legal or similarly significant effects about you. Some features (e.g., assistive extraction/classification of receipts) involve automated processing to help classify data, but final decisions remain with you.

17. Business transfers

If we undergo a merger, acquisition, reorganization, or asset sale, personal data may be transferred to the acquiring entity subject to contractual guarantees and continuity of this policy (or a policy that offers materially similar protections). You will be notified of material changes and given options consistent with the law.

18. Complaints & contact

Contact us: [email protected]; postal address in the header.

Supervisory authority: You can lodge a complaint with the Agencia Española de Protección de Datos (AEPD) or with your local EU authority. We prefer you contact us first so we can try to resolve your concern quickly.

Breach notifications. If a personal data breach is likely to result in a risk to your rights and freedoms, we will notify the AEPD within 72 hours where required and inform affected users without undue delay, including steps you can take to mitigate harm.

19. Changes to this policy

We may update this policy to reflect changes in our practices or the law. We will update the "Last updated" date and, for material changes (e.g., new subprocessors or purposes), provide advance notice in‑app and/or by email.

20. Key definitions

  • Controller: the person or entity that determines the purposes and means of processing.
  • Processor: the person or entity that processes personal data on behalf of the Controller.
  • Personal data: any information relating to an identified or identifiable natural person.
  • SCCs: Standard Contractual Clauses approved by the European Commission for data transfers outside the EEA.

Data Processing Addendum (DPA) — summary

When we act as Processor for your workspace data:

  • Instructions: we process only on your documented instructions (your settings, API calls, written requests).
  • Confidentiality: staff are under confidentiality obligations.
  • Security: measures described in §§8–9.
  • Subprocessors: listed in §6; we'll notify material changes and allow objection/disablement.
  • Assistance: we help you with data subject requests and DPIAs to a proportionate extent.
  • Breach notice: we will notify you without undue delay after becoming aware of a personal data breach affecting your data.
  • Return/Deletion: upon termination, we delete or return personal data per your choice, subject to legal retention.
  • Audits: we provide security summaries/certifications and reasonable audit cooperation under confidentiality, without revealing other customers' data or trade secrets.

If you need a signed DPA, please email [email protected].

Questions about privacy?

We're here to help. Contact us at [email protected] or reach out through our contact page.
