Privacy Policy
Last updated: May 2026
Firmyx provides AI-powered financial analytics and business intelligence tools. Firmyx does not provide financial, investment, accounting, tax, or legal advice. All insights, scores, forecasts, and recommendations are for informational purposes only and should not be relied upon as professional advice.
1. Data Controller
The Data Controller responsible for your personal data is:
- Legal entity name: [LEGAL_ENTITY_NAME]
- Registration number / EIK: [COMPANY_REGISTRATION_NUMBER / EIK]
- Registered address: [REGISTERED_ADDRESS]
- Contact email: [CONTACT_EMAIL]
2. What Data We Collect
We collect:
- Your name and email address (provided during account registration)
- Financial data you voluntarily upload (income statements, balance sheets, cash flow data)
- Technical data (IP address, browser type) for security and platform stability
We use only strictly necessary session cookies. We do not use analytics, marketing, or third-party tracking cookies.
3. Legal Basis
We process data based on:
- Contract performance — to deliver the analytics service you signed up for (Art. 6(1)(b) GDPR)
- Legitimate interest — improving the platform and maintaining security (Art. 6(1)(f) GDPR)
- Legal obligation — where required by applicable EU or Bulgarian law (Art. 6(1)(c) GDPR)
4. How We Use Your Data
Your data is used solely for:
- Financial analysis and automated report generation
- Improving our analytical models (in anonymized/aggregated form only)
- Account management and platform communication
- Legal and regulatory compliance
We do not sell or share data for marketing purposes.
5. Third-Party Processors
Some data may be processed by trusted third-party infrastructure and AI service providers under applicable Data Processing Agreements and, where required, Standard Contractual Clauses.
Current processors include:
- Google Gemini API — AI analysis processing. Your financial data is sent to Google's API solely for generating analytical outputs. Your data is not used to train Google AI models and is not retained beyond the processing window. Google acts as a data processor under an applicable DPA.
- Hosting provider (Render / Vercel) — Cloud infrastructure for running the platform. Data is stored in encrypted form in EU-based or equivalent data centers.
- Payment provider (Stripe) — Payment processing for paid plan subscriptions. Stripe handles payment card data independently under its own PCI-DSS compliance. Firmyx does not store payment card details.
Where processors are located outside the European Economic Area, appropriate safeguards (Standard Contractual Clauses or adequacy decisions) are in place.
6. Security
We use:
- AES-256 encryption at rest
- TLS 1.2+ in transit
- Strict access controls and authentication
- Secure cloud architecture with regular security reviews
7. Data Retention
We retain your data as follows:
- Account and profile data: retained while your account is active
- Uploaded financial data: retained while your account is active; deleted within 30 days of account closure
- Backups: purged on the same schedule as primary data
- Technical/security logs: retained for up to 90 days for security purposes
You may request deletion of your account and all associated data at any time. See Section 8 for how to submit a deletion request.
8. Your Rights (GDPR) & Data Deletion
You have the right to:
- Access your personal data
- Correct inaccurate data
- Delete your account and uploaded financial data (“right to be forgotten”)
- Data portability (receive your data in a machine-readable format)
- Object to or restrict processing
- Withdraw consent where processing is based on consent
To request data deletion: Email us at atanas.k.kanev@gmail.com with the subject line “Data Deletion Request” and your registered email address. We will process your request within 30 days.
You may also close your account directly from your account settings, which will initiate the data deletion process.
9. Right to Complain — Bulgarian CPDP / КЗЛД
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Bulgarian Commission for Personal Data Protection (CPDP / КЗЛД):
- Website: www.cpdp.bg
- Address: 2 Prof. Tsvetan Lazarov Blvd., 1592 Sofia, Bulgaria
- Email: kzld@cpdp.bg
10. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, Firmyx will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, in accordance with Art. 33 GDPR. Where the breach is likely to result in a high risk to affected individuals, we will also notify you directly without undue delay, in accordance with Art. 34 GDPR.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or via a notice on the platform. Continued use of the service after changes constitutes acceptance.
12. Contact
For any privacy questions or to exercise your rights: atanas.k.kanev@gmail.com