Last update: 27.05.2026
This Privacy Policy describes how NoCFO Oy processes personal data when acting as a data controller in connection with its own business operations, customer relationships, and maintenance of the Service. This Policy also describes how we process personal data stored by customers in the Service when we act as a data processor on behalf of the customer.
NoCFO Oy
Business ID: 3149769-7
Address: c/o A Grid, PO Box 13300 FI-00076 AALTO, Finland
Phone: +358 44 573 3333
Email: info@nocfo.io
Websites: nocfo.io / nocfo.fi
Person responsible for the customer register: Teemu Karuluoto
When NoCFO processes personal data in connection with its own business operations, customer communications, service maintenance, or marketing, NoCFO acts as the data controller for such data.
The personal data processed in the role of data controller concerns NoCFO's customers, users of the Service, prospective customers, and visitors to the Service's websites and applications. This data is separate from the personal data that customers store in the Service for accounting or other purposes. Personal data stored in the Service is processed separately in accordance with Section 3 and the Data Processing Agreement appendix.
As a data controller, NoCFO collects and processes basic customer and user information, such as names and contact details, organization details, payment and billing information, customer communications, and contractual documentation. Technical data such as IP addresses, log data, session identifiers, and device information is processed on the basis of NoCFO's legitimate interest in ensuring the security, functionality, and development of the Service. In addition, we use cookies on our websites and applications, which are described in more detail in our separate Cookie Policy.
The processing of personal data as a data controller is necessary for providing the Services, handling customer communications, maintaining customer relationships, developing the Service and business operations, and for marketing purposes. The legal bases for processing are the contractual relationship between the customer and NoCFO, NoCFO's legitimate interest in developing the Service and maintaining customer relationships, and legal obligations such as statutory accounting retention obligations. In some situations, processing is based on the data subject's consent, which may be withdrawn at any time.
Customer relationship data will be deleted upon termination of the customer relationship. The customer relationship is deemed terminated when the Customer deletes its company account and users from the Service. Data may be retained longer only where necessary based on legal obligations or NoCFO's legitimate interests. Data processed based on consent will be deleted when consent is withdrawn. NoCFO's own accounting materials are retained for the period required by law.
As a data controller, NoCFO implements technical and organizational measures to ensure secure processing of personal data and processes data only to the extent necessary for the delivery, maintenance, and development of the Service. This section does not apply to personal data stored in the Service by customers, which is processed separately in accordance with Section 3 and the Data Processing Agreement appendix.
The Service includes an AI-powered assistant ("Luca"), which NoCFO may use in customer support or other internal operations. In such cases, Luca may process personal data stored in NoCFO's customer register. Data is stored within the EU/EEA. Data processing may occur outside the EU/EEA in compliance with applicable data protection legislation.
When a customer uses the NoCFO Service to store personal data generated in connection with financial administration, accounting, customer registers, or other operations, the customer acts as the data controller and NoCFO acts as the data processor.
Such data may include receipts, vouchers, invoices, bank statements, and customer register data. Processing is based on the agreement between the customer and NoCFO. More detailed terms regarding the processing of data, the parties' rights and obligations, and data retention and deletion are described in the Data Processing Agreement (DPA) appendix to the Terms of Service.
NoCFO stores personal data primarily within the European Economic Area. If personal data is transferred outside the EU/EEA through service providers, such transfers will only take place where necessary for providing the Service and in compliance with applicable data protection legislation.
NoCFO uses trusted and authorized service providers for producing and maintaining the Service. Such providers may include cloud service providers, customer support systems, payment services, AI services, and technical infrastructure providers.
Service providers may process personal data only to the extent necessary for providing their services, and appropriate data protection obligations have been agreed with them.
Personal data may also be disclosed to authorities where required by mandatory legislation or official orders. In connection with business acquisitions or similar arrangements, data may be transferred to relevant parties while maintaining confidentiality. In addition, personal data may be disclosed to third parties based on the explicit consent of the data subject.
Data subjects have the right to obtain information about the personal data processed by NoCFO concerning them and to request rectification, deletion, or restriction of processing of such data. In certain situations, the data subject may object to the processing of personal data, particularly where processing relates to direct marketing.
In addition, the data subject has the right to receive their data in a structured and commonly used format and the right to withdraw consent at any time. Requests must be submitted to the data controller and include sufficient information for identity verification.
NoCFO may send service-related notices and marketing communications to its customers. Data subjects have the right to prohibit direct marketing by contacting NoCFO or by using the unsubscribe functionality included in marketing communications.
NoCFO ensures secure processing of personal data through technical, organizational, and administrative safeguards. The objective is to ensure the confidentiality, integrity, and availability of data. Personal data is processed only by persons who are authorized to do so based on their job responsibilities.
Data subjects have the right to lodge a complaint with a supervisory authority if they believe that personal data has been processed in violation of applicable data protection legislation. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman (https://tietosuoja.fi).