The five things most people want to know
- We don’t sell personal data, and we don’t “share” it for cross-context behavioral advertising.
- We use Microsoft Azure (US, West US 2) as our cloud infrastructure provider. Our full subprocessor list is at fimidata.com/subprocessors.
- You can request access, correction, or deletion of your personal data by emailing privacy@fimidata.com with the subject line “Privacy Request.”
- Marketing leads are retained for up to 24 months from last engagement; audit logs supporting compliance are retained for up to 7 years.
- Customers receive at least 30 days’ notice before we add or replace a subprocessor that processes customer personal data.
This summary is provided for convenience only. The full Privacy Policy below is the controlling document.
Fimi Data, Inc. (“Fimi Data,” “we,” “our,” or “us”) provides a platform designed to help organizations manage vendor data offboarding, including the return, deletion, and certification of personal data at the end of vendor relationships. This Privacy Policy explains how we collect, use, disclose, and protect personal data when you interact with our website, platform, and services (collectively, the “Services”).
01 Scope and Role
Fimi Data is usually a processor (we handle data on customer instructions) and sometimes a controller (when we collect data directly, like through our website). The legal obligations differ between these roles.
Fimi Data operates in different roles depending on the context:
Processor / Service Provider Role (Primary)
Fimi Data processes personal data on behalf of its customers in connection with vendor data offboarding workflows.
Fimi Data acts as a processor/service provider for customer data and does not determine the purposes or means of processing personal data within customer workflows.
Controller / Business Role (Limited)
Fimi Data acts as a controller when it collects personal data directly (e.g., website visitors, prospective customers, account users).
02 Information We Collect
Three categories: data we process for our customers, data we collect directly from you, and data automatically collected when you visit our site.
a. Information Processed on Behalf of Customers
We process personal data under customer instructions, which may include:
- Contact information (name, email, role)
- Vendor and contract-related data
- Data deletion directives and workflows
- Attestations, certifications, and supporting evidence
- Communications between customers and vendors
b. Information Collected Directly
- Name, email, company, job title
- Account credentials
- Communications and support inquiries
- Marketing preferences
c. Automatically Collected Information
- IP address
- Device and browser information
- Usage and interaction data
03 How We Use Personal Data
When we’re a processor, we use data only as our customer instructs. When we’re a controller, we use it to run our business.
When Acting as a Processor
We process personal data solely:
- To provide and operate the platform
- To execute vendor data offboarding workflows
- To facilitate deletion, return, and certification processes
- To maintain tamper-evident audit records
- In accordance with customer instructions
When Acting as a Controller
We use personal data to:
- Provide and improve our Services
- Communicate with users
- Send service-related and marketing communications
- Ensure platform security and integrity
- Comply with legal obligations
We do not engage in automated decision-making that produces legal or similarly significant effects on individuals.
04 Legal Bases for Processing (GDPR)
Under GDPR, every processing activity needs a legal basis. Here’s which one applies to which activity.
Where applicable under the General Data Protection Regulation, we rely on the following legal bases:
- Performance of a contract — to deliver the Services to customers and account users.
- Legitimate interests — for security, fraud prevention, product improvement, and direct B2B marketing to business contacts who have a relevant professional interest in our Services, subject to a balancing test and the right to object.
- Consent — for marketing communications where required by applicable law (including most EEA/UK marketing email), and for non-essential cookies.
- Legal obligations — to comply with applicable laws, regulations, and lawful requests.
05 Email Communications and CAN-SPAM Compliance
Every commercial email we send identifies us as the sender, includes our address, and gives you a way to opt out.
Fimi Data complies with the CAN-SPAM Act. We clearly identify Fimi Data as the sender, include a valid physical mailing address in commercial emails, provide a clear opt-out mechanism in every commercial message, and honor unsubscribe requests promptly. You may opt out of marketing communications at any time by clicking the unsubscribe link in any of our emails or by contacting us at privacy@fimidata.com.
06 How We Share Information
We don’t sell or share data for advertising. We do use a small set of vendors to operate the platform.
We do not sell personal data and we do not “share” personal data for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”).
We may share personal data with the following categories of recipients:
- Cloud infrastructure and hosting providers (e.g., Microsoft Azure) used to operate the Services.
- Communications and email delivery providers used to send transactional and commercial messages.
- Security, monitoring, and logging providers used to protect the Services and detect abuse.
- Analytics and product telemetry providers used to understand and improve the Services.
- Customer relationship and sales tooling providers used to manage prospect and customer communications.
- Professional advisors (legal, accounting, insurance) under duties of confidentiality.
- Customers and their designated vendors, where required to execute offboarding workflows initiated by the customer.
- Legal, regulatory, or government authorities where required by law, legal process, or to protect rights, property, or safety.
- Acquirers, successors, or assignees in the event of a merger, acquisition, financing, reorganization, sale of assets, or insolvency, subject to standard confidentiality protections.
A current list of subprocessors used to process customer personal data is maintained at fimidata.com/subprocessors. All subprocessors are bound by written agreements that impose data protection and confidentiality obligations consistent with this Privacy Policy and applicable law.
07 International Data Transfers
If your data leaves your home jurisdiction, we use legally recognized safeguards to protect it in transit.
Where personal data is transferred internationally, including outside the European Economic Area (EEA), the United Kingdom, or Switzerland, we implement safeguards such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission, with the UK Addendum where applicable.
- Other legally recognized transfer mechanisms, such as adequacy decisions where they apply.
You may request a copy of the relevant transfer safeguards by contacting privacy@fimidata.com.
08 Data Retention
Different data types have different retention periods, set to meet legal, contractual, audit, and operational needs.
We retain personal data only as long as necessary for the purposes for which it was collected, taking into account legal, contractual, audit, and operational requirements. Specifically:
- Customer-instructed data (processor role): retained for the duration of the customer agreement and deleted or returned in accordance with the customer’s instructions and the data processing agreement, typically within 30 days of termination unless a longer period is required by law.
- Account user data: retained for the duration of the account and for up to 90 days after account closure, after which it is deleted or anonymized, except where retention is required for legal, audit, or dispute-resolution purposes.
- Marketing leads and prospect data (controller role): retained for up to 24 months from the most recent meaningful engagement, after which the contact is deleted or anonymized unless the individual has actively re-engaged.
- Audit logs and tamper-evident offboarding records: retained for up to 7 years to support customer compliance obligations and to provide audit evidence on request, unless a customer agreement specifies a different period.
- Website logs and analytics data: retained for up to 13 months in identifiable form, then aggregated or deleted.
Where a longer retention period is required by applicable law (for example, tax, accounting, or regulatory recordkeeping), we retain data for the period required and then delete or anonymize it.
09 Data Security
We use industry-standard technical and organizational safeguards. No system is bulletproof, and we’ll notify you if a breach affects you.
We implement appropriate technical and organizational safeguards, including:
- Encryption in transit and at rest
- Access controls and role-based permissions
- Monitoring, logging, and audit trails
- Secure cloud infrastructure
No system can be guaranteed to be fully secure. If we become aware of a personal data breach affecting your information, we will notify you and applicable regulators as required by law.
10 Your Privacy Rights
You have rights over your personal data. Here’s what they are and exactly how to exercise them.
Depending on your jurisdiction, you may have the following rights regarding personal data we hold about you as a controller:
- Access — request a copy of the personal data we hold about you.
- Correction — request that we correct inaccurate or incomplete data.
- Deletion — request that we delete personal data, subject to legal exceptions.
- Restriction or objection — request that we restrict or stop processing in certain circumstances, including objecting to direct marketing or to processing based on legitimate interests.
- Portability — receive certain personal data in a structured, commonly used, machine-readable format.
- Withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
- Lodge a complaint with a supervisory authority (EEA/UK residents) or your state attorney general (US residents).
How to Exercise Your Rights
To exercise any of these rights, contact us at privacy@fimidata.com with the subject line “Privacy Request” and a description of your request. We will verify your identity before responding and will respond within the timeframes required by applicable law (generally 30 days under GDPR and 45 days under CCPA, with extensions where permitted). There is no fee for most requests, and we will not discriminate against you for exercising your rights.
If your data is processed by Fimi Data on behalf of a customer (processor role), please direct your request to that organization. We will assist our customer in responding to your request as required under our data processing agreement.
California Residents (CCPA/CPRA)
California residents have the rights described above and, in addition:
- The right to know what categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of recipients.
- The right to opt out of the “sale” or “sharing” of personal information. As stated above, we do not sell or share personal information as those terms are defined under CCPA/CPRA.
- The right to limit the use and disclosure of sensitive personal information. We do not use sensitive personal information for purposes that would trigger this right.
- The right to non-discrimination for exercising any CCPA/CPRA right.
California residents may exercise these rights by emailing privacy@fimidata.com or by submitting a request through any other method we make available. An authorized agent may submit a request on your behalf with proof of authorization.
EEA, UK, and Swiss Residents
Residents of the EEA, UK, and Switzerland have the rights described above under GDPR, UK GDPR, and the Swiss Federal Act on Data Protection respectively. You may also lodge a complaint with your local supervisory authority.
11 Cookies and Tracking Technologies
We use cookies to operate the site and understand how it’s used. You control non-essential cookies.
We use cookies and similar technologies to operate and secure our Services, analyze usage and performance, and improve user experience. Where required by law, we obtain consent before setting non-essential cookies. You may manage cookies through your browser settings or, where available, through a cookie preference control on our website.
12 Third-Party Links
Our Services may contain links to third-party websites. We are not responsible for their privacy practices and encourage you to review their privacy policies.
13 Children’s Privacy
Our Services are not intended for individuals under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us personal data, please contact us and we will delete it.
14 Changes to This Privacy Policy
We may update this Privacy Policy periodically. We will update the “Last Updated” date above and provide additional notice (such as by email or in-product notification) of material changes as required by law. Your continued use of the Services after the effective date of an updated Privacy Policy constitutes your acceptance of the updated terms, where permitted by applicable law.
15 Contact Us
Privacy questions, requests, and complaints can be directed to:
Privacy matters at Fimi Data are overseen by our CEO, who serves as our internal privacy lead. We have not appointed a formal Data Protection Officer; based on the scale and nature of our processing, designation of a DPO is not required under GDPR Article 37. We will reassess this position as our processing activities evolve.