Privacy Policy

How Finday.ai processes Personal Data for finance automation, payroll, HR, documents, AI, integrations, and customer support.

Public document | May 1, 2026 | PT. Macro Solusi Nusantara

1. Overview

This Privacy Policy explains how Finday collects, uses, stores, shares, protects, and deletes Personal Data when you use Finday's website, application, APIs, services, AI features, support channels, and integrations.

Finday is a multi-tenant finance operations platform for businesses in Indonesia, covering accounting, purchasing, sales, cash and bank workflows, tax, payroll, HR, inventory, reporting, and AI-assisted document processing.

Finday processes Personal Data to provide business services to customers, secure the platform, support finance and operational workflows, operate AI features such as DocVision and Copilot, comply with legal obligations, and improve the product.

2. Finday's roles as controller and processor

In many cases, Finday's customer acts as the Personal Data Controller for business data submitted to Finday, such as employee data, customer data, supplier data, transaction documents, payroll records, and financial records. In those cases, Finday acts as a Personal Data Processor that processes the data on the customer's instructions.

Finday may act as the Personal Data Controller for user account data, website data, security data, billing data, support data, communications data, and Finday operational data where Finday determines the purposes and means of processing.

If you are an employee, customer, vendor, supplier, or other third party of a Finday customer and wish to exercise rights over Personal Data submitted by that customer to Finday, you should contact that customer first. Finday will assist the customer in accordance with Finday's obligations as a Personal Data Processor.

3. Key definitions

  • "Finday", "we", "us", or "our" means PT Macro Solusi Nusantara.
  • "Customer" means the company, organization, or business party that creates or manages a tenant or company workspace in Finday.
  • "User" means any person who uses Finday, including owners, admins, finance users, HR users, approvers, accountants, employees, advisors, and invited users.
  • "Company Admin" means a User authorized by a Customer to manage access, roles, permissions, data, integrations, and tenant or company settings.
  • "Tenant" or "Company" means a company data workspace in Finday that is separated by company context.
  • "Personal Data" means any data about an identified or identifiable individual, whether directly or indirectly.
  • "Specific Personal Data" means more sensitive personal data under applicable law, including personal financial data, health data, biometric data, children's data, criminal records, and other data classified as specific personal data by applicable regulations.
  • "Customer Data" means data entered, uploaded, imported, created, stored, processed, or synchronized by or on behalf of a Customer in Finday.
  • "Subprocessor" means a third-party service provider that assists Finday in processing Personal Data.

4. Scope of this policy

This Privacy Policy applies to Personal Data processing through the Finday website, Finday web application, APIs, integrations, webhooks, authentication, account management, product modules, AI features, customer support, onboarding, training, security, audit, logging, monitoring, debugging, billing, and compliance activities.

This policy does not replace any service agreement, terms and conditions, Finday Data Processing Addendum, order form, statement of work, or other written agreement between Finday and a Customer.

  • Accounting, purchasing, sales, cash and bank, tax, payroll, HR, inventory, reporting, and AI-assisted document ingestion modules.
  • DocVision, Copilot, Finny, realtime assistant, and other AI features provided by Finday.
  • Customer support, onboarding, training, operational communications, integrations, and workflow automation.

5. Legal basis and processing principles

Finday processes Personal Data in accordance with applicable law, including Indonesian Law No. 27 of 2022 on Personal Data Protection and its implementing regulations.

We aim to process Personal Data fairly, lawfully, transparently, securely, responsibly, proportionately, and only for appropriate purposes.

  • Valid consent from the Personal Data Subject.
  • Performance of a contract or steps taken before entering into a contract.
  • Compliance with legal obligations.
  • Protection of vital interests.
  • Performance of a public-interest task or authority based on law, where applicable.
  • Balanced legitimate interests, including security, fraud prevention, service improvement, customer support, and business operations.
  • Customer instructions where Finday acts as a Personal Data Processor.

6. Account, identity, and contact data

We may process names, email addresses, phone numbers, job titles or roles, company names, business addresses, profile photos if provided, language, time zone, account preferences, invitation details, memberships, roles, permissions, and active company context.

7. Authentication and security data

We may process user IDs, session tokens, login information, authentication status, access logs, IP addresses, device data, browser data, operating system data, technical metadata, security events, suspicious activity, and audit trails related to data changes, approvals, postings, exports, integrations, and admin access.

We do not ask you to provide passwords, credentials, secret keys, OTPs, private keys, or sensitive tokens through notes, descriptions, attachments, AI prompts, or support tickets that are not designed to receive such information.

8. Tenant and company data

We may process company names, business or tax identification numbers, company addresses, branch information, divisions, departments, locations, projects, tenant settings, subscriptions, plans, enabled modules, workflow configurations, roles, approval matrices, permissions, company memberships, and invited user access.

9. Finance, accounting, and tax data

If accounting modules are used, we may process charts of accounts, general journals, journal entries, journal lines, account balances, accounting periods, postings, reversals, adjustments, period closing data, financial reports, audit trails, approvals, memos, transaction descriptions, attachments, and supporting documents.

We may also process customer and vendor data, invoices, bills, quotations, purchase orders, sales orders, deliveries, receipts, payments, allocations, payment schedules, terms, aging data, payment statuses, bank account numbers, payment instructions, transaction references, tax IDs, billing and shipping addresses, customer or vendor contact persons, attachments, transfer evidence, and transaction files.

For tax workflows, we may process company tax profiles, NPWP, NIK, VAT data, withholding tax data, e-faktur, e-bupot, Coretax exports, tax documents, transaction data relevant to tax obligations, counterparty data, withholding certificates, tax invoices, and tax archives.

10. Cash, bank, and reconciliation data

We may process cash and bank accounts, bank transactions, bank statements, account numbers, account holder names, payment references, reconciliation results, import and export data, matching rules, and reconciliation history.

Personal financial data may qualify as Specific Personal Data under applicable law.

11. Payroll and HR data

If payroll or HR modules are used, we may process employee data, identity numbers, dates of birth, marital status, dependents, family information where required for payroll, addresses, phone numbers, email addresses, emergency contacts, employee bank accounts, salaries, allowances, deductions, bonuses, THR, reimbursements, benefits, payslips, BPJS data, insurance data, employee tax data, other deductions, attendance, leave, permits, overtime, shifts, timesheets, HR documents, employment contracts, attachments, administrative notes, and performance or HR approval data if the relevant features are used.

Some payroll and HR data may qualify as Specific Personal Data. Customers are responsible for ensuring they have a valid legal basis to submit and process that data in Finday.

12. Inventory and operational data

We may process items, SKUs, categories, units of measure, warehouses, locations, batches, serial numbers, stock movements, stock adjustments, deliveries, receipts, costing data, vendor or customer contacts related to inventory, approver data, creator and updater data, audit trails, attachments, and supporting documents.

13. Documents, attachments, and file uploads

We may process files you upload, including invoices, receipts, bills, contracts, tax documents, bank statements, payroll or HR documents, images, PDFs, spreadsheets, and other documents, together with file metadata such as filename, size, file type, upload time, uploader, and storage location.

Document contents may include Personal Data or Specific Personal Data. Do not upload files that are irrelevant, unlawful, infected with malware, or contain data that you are not authorized to process.

14. DocVision and AI extraction data

For DocVision or other AI-assisted document processing features, we may process uploaded files, converted images or PDFs, OCR text, extracted fields, confidence scores, draft transactions, raw AI responses, manual user corrections, processing job metadata, error logs, and troubleshooting data.

AI extraction results are preliminary assistance and must be reviewed by Users before they are used for posting, approval, payment, reporting, or legal compliance.

15. Copilot, Finny, and AI conversation data

If AI assistant features are used, we may process User prompts and messages, AI responses, relevant company context, thread summaries, session metadata, tool calls or actions requested by Users, audio transcripts if voice features are used, files or content attached to conversations, and User feedback on AI responses.

Do not submit credentials, passwords, tokens, private keys, irrelevant trade secrets, or excessive personal data into AI prompts.

16. Third-party integration data

If a Customer connects Finday to a third-party service, we may process OAuth tokens or integration tokens, refresh tokens, external account IDs, account mappings, customer mappings, vendor mappings, item mappings, tax mappings, transactions, sync logs, error logs, data retrieved from or sent to the third-party service, connection metadata, and disconnect metadata.

Examples of integrations may include Jurnal, other accounting systems, Google services, email, storage, bank feeds, payment gateways, or other third-party services enabled by the Customer.

17. Usage, communications, and billing data

We may process pages or features used, clicks, events, errors, performance metrics, crash logs, access times, IP addresses, browsers, devices, operating systems, approximate location based on IP address, product preferences, export activity, import activity, approval activity, posting activity, integration activity, and aggregated data to understand product usage.

We may process emails, chats, tickets, support messages, onboarding and training notes, feedback, feature requests, complaints, communications metadata, and call or meeting recordings only where notified or consented to in accordance with applicable law.

We may process billing contact names, billing addresses, plans, modules, subscription invoices, payment statuses, tax or business identification numbers, payment methods, transaction references, and communications related to invoicing and collections.

18. Sources of Personal Data

We may receive Personal Data directly from you, from Company Admins or other Users in your tenant, from Customers that submit data about employees, customers, vendors, or other third parties, from uploads, imports, APIs, integrations, devices, browsers, cookies, server logs, telemetry, third-party services connected to Finday, and lawful public or third-party sources where relevant to the services.

19. How we use Personal Data

We use data to create and manage accounts, manage tenants and companies, grant access based on roles and permissions, operate Finday modules, store and display data, run approval, posting, reconciliation, payroll, reporting, document ingestion, export, import, automation, and integration workflows requested by Users.

We use data for authentication, authorization, unauthorized-access detection, fraud prevention, malware prevention, abuse prevention, scraping prevention, misuse investigations, security event response, logging, audit trails, monitoring, tenant isolation, and data integrity.

We use data to answer questions, troubleshoot issues, fix bugs, provide usage guidance, support onboarding and training, and handle complaints or support requests.

We may use data to improve features, analyze performance, measure reliability, develop new products, improve user experience, create aggregated or anonymized data, and conduct internal research.

20. AI processing, DocVision, and Copilot

Finday provides AI features to help users work more efficiently, including document extraction, transaction drafts, analysis, recommendations, summaries, and conversational assistance.

Customer content, uploaded documents, prompts, transcripts, metadata, and related context may be processed by AI service providers where necessary to provide AI-enabled features.

We aim to limit the data sent to AI providers to what is necessary for the feature. Provider data-use policies depend on the provider and service configuration. Finday will seek to use providers and configurations that restrict the use of Customer Data for general model training without appropriate permission.

AI features do not replace human professional judgment. Users are responsible for reviewing and approving AI results before using them.

  • Document files or images.
  • OCR text.
  • User prompts or instructions.
  • Relevant transaction or company context.
  • Limited metadata required to operate the service.
  • Corrections or feedback, where used to improve service quality.

21. Cookies and similar technologies

Finday may use cookies, local storage, session storage, pixels, SDKs, server logs, and similar technologies to maintain login sessions, remember preferences, operate security controls, prevent fraud, understand website and application performance, analyze feature usage, and support communications or marketing where used.

You can manage cookies through your browser settings or a preference center where available. Disabling certain cookies may affect service functionality.

  • Strictly necessary cookies are required for the website and application to function.
  • Functional cookies store preferences and settings.
  • Analytics cookies help us understand usage and performance.
  • Marketing cookies are used for promotions or campaign measurement, where enabled.

22. When we share Personal Data

We do not sell Personal Data. We may share Personal Data with Customers and Company Admins, Subprocessors and service providers, Customer-enabled integration providers, regulators, authorities, professional advisors, business successors in corporate transactions, or other parties where you or the Customer provide valid consent or instructions.

If you use Finday as a User within a Customer tenant, Company Admins may view and manage data related to your account, role, activity, approvals, documents, transactions, payroll, HR, or usage according to applicable permissions.

If a Customer connects Finday to a third-party service, Finday may share data with that service according to the Customer's actions, configuration, and instructions. Those providers may have their own terms and privacy policies.

23. Subprocessors

Finday uses Subprocessors to support the services. This list should be updated if production providers change. Finday may update the Subprocessor list from time to time. If a Subprocessor change materially affects Personal Data processing, Finday will provide reasonable notice in accordance with applicable agreements or law.

  • Supabase for database, authentication, storage, and edge or service infrastructure.
  • Hosting and infrastructure providers used by Finday for application and backend hosting.
  • Google Gemini or Google Cloud AI, where used, for OCR, extraction, and AI reasoning.
  • OpenAI, where used, for Copilot, chat, reasoning, and realtime assistant capabilities.
  • Transactional email and notification providers used by Finday.
  • Monitoring, logging, observability, and security monitoring providers used by Finday.
  • Payment or billing providers used by Finday, if any.
  • Support, ticketing, analytics, and product telemetry providers used by Finday, if any.
  • Jurnal or other accounting integrations where enabled by the Customer for data synchronization on the Customer's instructions.

24. International data transfers

Finday and our Subprocessors may process or store Personal Data outside Indonesia, including in countries where cloud, AI, hosting, support, or integration providers operate.

Where Personal Data is transferred outside Indonesia, we will apply safeguards designed to comply with applicable law. These safeguards may include an assessment of the destination country's data protection level, contractual commitments with Subprocessors, standard contractual clauses or equivalent data protection terms where relevant, purpose limitations, access and security controls, provider due diligence, and notices or consent where required by law.

25. Data retention

We retain Personal Data for as long as necessary for the relevant processing purposes, including providing the services, performing agreements, maintaining security, complying with legal obligations, resolving disputes, and protecting legal rights.

Retention periods may differ by data type. After the applicable retention period ends, we will delete, anonymize, or archive data in accordance with law, agreements, and legitimate operational needs.

Deletion may be delayed or limited where retention is required or permitted for legal, tax, accounting, security, dispute, backup, or legitimate business purposes.

  • User account data is retained while the account is active and for a reasonable period after deactivation.
  • Tenant or company data is retained while the subscription is active and during any post-termination retention period under the applicable agreement.
  • Accounting, tax, payroll, and HR data is retained for as long as required by the Customer and/or legal, tax, accounting, employment, or audit obligations.
  • Documents and attachments are retained for as long as needed for the services, business records, audits, or legal obligations.
  • DocVision extraction data is retained for as long as needed for drafts, audits, troubleshooting, and service improvement according to applicable retention settings.
  • Copilot and AI conversation data is retained for as long as needed for the services, audits, support, security, or tenant settings.
  • Security logs and audit trails are retained for as long as needed for security, investigations, compliance, and audit evidence.
  • Support tickets, communications, and backups are retained according to support needs, service history, claim defense, and backup or disaster recovery cycles.

26. Deletion, export, and offboarding

If a Customer's subscription ends, the Customer is responsible for exporting data before access ends, unless Finday provides an additional access period or export process under the applicable agreement.

Unless an account is suspended or terminated due to a material breach, security risk, legal obligation, or misuse, Finday will use reasonable efforts to provide limited access or export assistance for 30 calendar days after the effective termination date so the Customer can retrieve Customer Data.

Finday may retain tenant data for 30 calendar days after termination for reactivation, export, billing resolution, audit, security investigation, or legal obligations.

Tenant deletion requests must be submitted by an authorized representative of the Customer. After receiving a valid request, Finday will use reasonable efforts to delete or anonymize Personal Data within 90 calendar days, unless the data must or may still be retained for legal, tax, accounting, payroll, security, dispute, backup, audit trail, or legitimate-interest purposes.

Data in backups may remain stored until the applicable backup and disaster recovery cycle ends, but it will not be used for active operations unless needed for recovery, security, compliance, or legal obligations.

27. Data subject rights

Depending on applicable law, you may have rights to receive information about Personal Data processing, access Personal Data, correct or update inaccurate Personal Data, stop processing in certain circumstances, delete or destroy Personal Data in certain circumstances, withdraw consent where processing is based on consent, object to or restrict processing in certain circumstances, receive a copy of Personal Data, object to automated decision-making with legal or significant effects where applicable, and submit complaints about Personal Data processing.

To exercise your rights, contact us at legal@helomacro.id. If your data was submitted to Finday by a Customer, we may direct your request to that Customer or process it according to the Customer's instructions because the Customer is the Personal Data Controller for that data.

We may request additional information to verify your identity and authority before fulfilling a request.

28. Automated decisions and profiling

Finday may use automation and AI to support workflows such as document extraction, transaction classification, account recommendations, anomaly detection, or data summaries.

Finday does not intend to make final decisions with legal or significant effects solely by automated means without human review, unless clearly disclosed and permitted by law.

Customers and Users are responsible for reviewing automation or AI results before taking important actions such as journal posting, payment, payroll, tax filing, approval, or employment decisions.

29. Security of Personal Data

We apply technical and organizational measures designed to protect Personal Data, including user authentication, role-based and tenant-based access controls, internal access limitations, company or tenant data separation, row-level security and/or tenant filters at the application and database levels where relevant, tenant-based file storage structures, logging and audit trails, encryption in transit using secure protocols, controls over secrets and credentials, backup and disaster recovery, security monitoring, admin and support access reviews, and incident response procedures.

No system is completely risk-free. Customers and Users are also responsible for securing their accounts, devices, networks, credentials, and internal access controls.

Contact us promptly if you suspect unauthorized access, credential compromise, device loss, or account misuse.

30. Finday support and admin access

Finday personnel may access Customer Data only where needed for legitimate purposes, such as customer support, troubleshooting, bug investigation, security, data migration or recovery, compliance with legal obligations, or actions requested or approved by the Customer.

Internal access is limited based on job need and may be logged or audited under Finday's security policies.

Finday will not use support access to view Customer Data without a legitimate operational reason.

31. Personal Data incidents

If an incident meets the criteria for a Personal Data protection failure under applicable law, Finday will take reasonable steps to identify and contain the incident, assess the type of data and impact, mitigate risks, notify relevant parties in accordance with legal obligations, document the incident and remediation actions, and assist Customers where Finday acts as a Personal Data Processor.

Where Finday acts as the Personal Data Controller and notification is required, Finday will provide written notice to Personal Data Subjects and/or competent authorities within the legally required timeframe.

Where Finday acts as a Personal Data Processor, Finday will notify the Customer without undue delay after confirming the relevant incident. Where reasonably possible, initial notice will be provided within 2 x 24 hours after confirmation of the relevant incident so the Customer can assess its obligations as the Personal Data Controller.

32. Customer responsibilities

Customers are responsible for ensuring they have a valid legal basis to submit and process Personal Data in Finday, providing appropriate privacy notices to employees, customers, vendors, suppliers, and other relevant third parties, obtaining consent where required, managing User roles, permissions, and access, removing access for Users who are no longer authorized, ensuring submitted data is accurate, relevant, and not excessive, avoiding unnecessary or prohibited uploads, reviewing AI results before use, and ensuring their use of Finday complies with tax, employment, accounting, and other laws applicable to the Customer.

33. Children's data

Finday is a business service and is not intended to be used directly by children.

However, Customers may submit children's data or employee dependent data where relevant for payroll, benefits, tax, or HR administration. Customers are responsible for ensuring that such processing has a valid legal basis and satisfies applicable requirements for children's data protection.

34. Aggregated, anonymized, and third-party data

We may create aggregated, anonymized, or statistical data from service usage for performance analysis, internal benchmarking, product improvement, security, research, and business reporting. Aggregated or anonymized data is not intended to identify any specific individual.

Finday may contain links, integrations, or connections to third-party services. Use of third-party services is subject to each provider's own terms and privacy policy. Finday is not responsible for privacy practices of third-party services that we do not control.

35. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in services, law, technology, or operational practices.

If changes are material, we will provide reasonable notice, such as by email, in-app notification, or website announcement.

The Last Updated date at the top of this document indicates the latest version of this Privacy Policy.

36. How to contact us

If you have questions, requests, or complaints about this Privacy Policy or Finday's processing of Personal Data, contact PT Macro Solusi Nusantara at Jl. Permata Regency, Jl. H. Kelik No. D/37, RT.1/RW.6, Srengseng, Kec. Kembangan, Kota Jakarta Barat, Daerah Khusus Ibukota Jakarta 11630.

Privacy and legal email: legal@helomacro.id. Website: https://finday.ai.

If you use Finday through your company or organization, you may also contact your Company Admin or the privacy contact person in that organization.

37. Legal references

This policy has been prepared with reference to Indonesia's personal data protection and electronic system operation framework.

  • Indonesian Law No. 27 of 2022 on Personal Data Protection.
  • Government Regulation No. 71 of 2019 on Electronic Systems and Transactions.
  • Minister of Communication and Informatics Regulation No. 5 of 2020 on Private-Scope Electronic System Operators, as amended by Minister of Communication and Informatics Regulation No. 10 of 2021.

Questions about these terms or privacy practices? Contact client.relations@helomacro.id.
