GDPR Data Processing Policy

Effective date: June 22, 2026 · Last updated: June 22, 2026

1. Data Controller

SoftImply OÜ (registry code 16776329), a company registered in Estonia, is the data controller responsible for the processing of personal data within potik as described in this policy.

Legal name: SoftImply OÜ
Registry code: 16776329
Address: Sepapaja tn 6, 15551 Tallinn, Estonia
Jurisdiction: Estonia, EU (GDPR applies)
Email: privacy@softimply.tech

2. What Personal Data We Process

potik processes the following categories of data:

  • 2.1 Account & identity data — name, email, hashed password, role, and language preference.
  • 2.2 Authentication secrets — encrypted TOTP two-factor secrets and recovery codes.
  • 2.3 Financial transactions — transactions, amounts, currencies, counterparties, categories, and rules.
  • 2.4 Wise bank-sync data — accounts, balances, and transactions synchronized from Wise, plus encrypted connection credentials.
  • 2.5 Invoices & tenant data — invoices, budgets, recurring transactions, projects, reports, and tenant settings.
  • 2.6 Technical data — IP address, timestamps, audit logs, and sync logs.

potik is not designed to process special categories of personal data, and such data should not be entered into the system.

3. Legal Basis for Processing

  • 3.1 Contract / employment (Art. 6(1)(b)) — providing the internal tool used by staff to perform work.
  • 3.2 Legal obligation (Art. 6(1)(c)) — retaining financial, invoicing, and tax records under applicable law.
  • 3.3 Legitimate interest (Art. 6(1)(f)) — securing the platform, maintaining audit trails, and operating SoftImply's finances.

4. Data Storage and Security

Data is stored on Microsoft Azure infrastructure within the European Union and in a managed Supabase PostgreSQL database. Security measures include:

  • All data transmitted over HTTPS with TLS 1.2 or higher.
  • Two-factor secrets and Wise credentials encrypted at rest.
  • Mandatory two-factor authentication for all accounts.
  • Role-based access control and tenant isolation.
  • Audit and sync logging of sensitive operations.

5. Data Retention

Financial, invoicing, and tax records are retained for the periods required by applicable accounting and tax law (generally up to 7 years). Account data is retained while the account is active. After the applicable retention period, data is securely deleted.

6. Data Sharing and Transfers

We do not sell personal data. We may share data with the following processors:

  • Microsoft Azure — cloud infrastructure (EU region), acting as a data processor under a GDPR-compliant DPA.
  • Supabase — managed PostgreSQL database hosting, acting as a data processor.
  • Wise — banking provider for the accounts you connect for synchronization.
  • AI categorization provider — when enabled, transaction descriptions may be processed to suggest categories; this can be disabled per tenant.

Where data is transferred outside the European Economic Area, such transfers rely on adequacy decisions, the EU-US Data Privacy Framework, or Standard Contractual Clauses as applicable.

7. Your Rights Under GDPR

  • Right of access (Art. 15) — request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17) — request deletion, subject to legal retention obligations for financial records.
  • Right to restrict processing (Art. 18) — request that we limit how we use your data.
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
  • Right to object (Art. 21) — object to processing based on legitimate interests.

To exercise any of these rights, contact us at privacy@softimply.tech. We will respond within 30 days.

8. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority. As SoftImply OÜ is registered in Estonia, the relevant authority is:

Authority: Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Website: www.aki.ee
Email: info@aki.ee

9. Changes to This Policy

We may update this GDPR policy to reflect changes in our practices or legal requirements. Any changes will be posted on this page with an updated date.